I also reported some basic XSS vulnerabilities in Protonmail. If you sent an email with a header like this:
As soon as it appeared in the Protonmail message list at the recipient's end, you could completely take over their account, read all their email, send emails as them, etc. I'm credited on https://protonmail.ch/blog/protonmail-security-contributors/ for it.
To me, this is a really bad mistake that no "good" web developer would make these days. Especially considering how they're selling their service. It makes me think their software is probably full of security holes.
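As an added illustration of the bug class the comment describes (example code, not ProtonMail's and not the commenter's): a message-list row is built from untrusted header fields, which are decoded first and HTML-escaped at the point of output. The RFC 2047 "Q" encoded-word decoder, the row layout and the sample header are my own assumptions and constructed data.

```javascript
// Render untrusted e-mail header values (From, Subject) into a webmail
// message-list row. The header text is attacker-controlled, so it is
// decoded and then escaped immediately before it is placed in markup.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace every character that could change HTML structure or leave an attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Decode RFC 2047 "Q" encoded-words of the form =?charset?Q?text?= (assumed format).
// Decoding happens BEFORE escaping: markup hidden inside an encoded-word must
// still reach escapeHtml() as plain text, otherwise it would be rendered live.
function decodeEncodedWords(header) {
  return header.replace(/=\?([^?]+)\?Q\?([^?]*)\?=/gi, (_m, charset, text) => {
    const raw = text.replace(/_/g, ' ');
    const bytes = [];
    for (let i = 0; i < raw.length; i++) {
      if (raw[i] === '=' && /^[0-9A-Fa-f]{2}$/.test(raw.slice(i + 1, i + 3))) {
        bytes.push(parseInt(raw.slice(i + 1, i + 3), 16));
        i += 2;
      } else {
        bytes.push(raw.charCodeAt(i));
      }
    }
    try {
      return new TextDecoder(charset).decode(Uint8Array.from(bytes));
    } catch {
      return text; // unsupported charset: keep the undecoded text, still escaped later
    }
  });
}

// Build one table row; every dynamic value passes through escapeHtml() last.
function renderRow(headers) {
  const from = escapeHtml(decodeEncodedWords(headers.from || ''));
  const subject = escapeHtml(decodeEncodedWords(headers.subject || ''));
  return `<tr><td class="from">${from}</td><td class="subject">${subject}</td></tr>`;
}

// Constructed sample: the subject hides markup inside an encoded-word.
const SAMPLE = {
  from: 'Alice <alice@example.com>',
  subject: '=?UTF-8?Q?Report_=3Cb=3Eurgent=3C/b=3E?=',
};

console.log(renderRow(SAMPLE));
```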