I suppose that makes sense if you get paid for upvotes. Stored XSS is probably just the lowest-hanging fruit; if they messed that up, I'd expect everything from CSRF, clickjacking, SQLi and more. Everyone has the incentive to look and exploit. They should probably get a thorough white-box review.