For reporting many XSS issues and many full path I got listed in their release notes. https://www.concrete5.org/documentation/background/version_history/5-6-3-release-notes/
Recently I was able to bypass the XSS filter of Riskalayze login page. After a responsible disclosure I got acknowledged by them. http://riskalyze.com/security-response