Fateh Sevemle, a turkish hacker that was trying for 4 years to find if there's any bug in shopify, he he injected his payload of XSS bug in the name of a seller that he was trying the bugs in his store .
And recently after 4 years, an alert appeared in the internal admin panel of people that are working in shopify (admins and not sellers), they contacted him in the email he used in that payload to send him reports in his hackerone account, he got 5000$ for finding this bug.
The bug was blind, which means the hacker couldn't see anything about it (randomly found), and the bug was finally called "Time-Traveling XSS" because it combined between Stored+Blind+triggers after years.
And recently after 4 years, an alert appeared in the internal admin panel of people that are working in shopify (admins and not sellers), they contacted him in the email he used in that payload to send him reports in his hackerone account, he got 5000$ for finding this bug.
The bug was blind, which means the hacker couldn't see anything about it (randomly found), and the bug was finally called "Time-Traveling XSS" because it combined between Stored+Blind+triggers after years.