The bug is probably something really trivial that affects a small portion of users in an insignificant way. The secrecy about specifics on the author's part seems to be just to spare him embarrassment at this point.
I'm not sure Dave's too worried about what YC board people think about him, but if that makes you feel better, you can go ahead and keep thinking that.
Here's what I want to accomplish by posting this story on YC (and not Reddit, or anywhere else):
The 37Signals attitude towards feature requests is refreshing and powerful. But if you apply it mindlessly, like they themselves did in this case, you can cause problems for yourself. Not every request is really optional. Maybe this one was --- I'm on the fence leaning towards "they should probably fix this soon" --- but others truly won't be, because they will reveal customer information, lose data, or crash the system.
I think there's a lesson in here somewhere. Maybe it'll just have to wait for an actual incident at 37Signals.
I don't think permitting XSS is a good idea in a shared environment.