Well to be more accurate, "That time I accidentally discovered a way to obtain a large portion of Cohost's frontend source code" - This is gonna be a decently long post
Part 1 - It started with RSS 
Cohost is a wonderful website, but is definitely still in its infancy. I was having a hard time finding new people to follow, and I decided to poke around in inspect element to see if there was some API endpoint to show who is following a certain account. I didn't find that, but I did find one section in the code that contained a bunch of API endpoints, one of which mentioned RSS. I was super interested in this, and I posted asking if anyone was able to find how to access it (https://cohost.org/mintexists/post/282865-was-poking-around-in).
After some messing around with breakpoints, I found a section in the code that would let me find the URL, but it was a function with some unknown parameters. For the RSS, using just an empty string as a parameter gave me a URL to the RSS feed, but I was hungry to discover more secrets that might lurk in the Cohost code. However, these unknown function parameters were a major block, and reading minified JavaScript is very hard.
Part 2 - A Map to the Source 
Wanting to learn more about the cohost API without having to drag my way through minified JavaScript, I remembered the tool Goop by nyancrimew on GitHub, a tool that searches a website for an insecure git repository automatically. However, the wonderful cohost engineers outsmarted me here, and didn't make that mistake.
Undeterred by this, I continued my search. I remembered JavaScript Source Maps, a tool to un-minify JavaScript code back to its original state as source code. Cohost does not link source maps, but after a few quick searches I realized that source maps typically follow the pattern of filename.js.map, and after trying it on Cohost, I was in. I had gained access to the un-minified source code of some of Cohost's frontend. (https://cohost.org/mintexists/post/283316-uh-so-apparently-the)
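Seen from the deploying side, the takeaway is that leaving out the link does not hide a map that still ships next to its bundle. The following deploy-time audit is an added example, not part of the original post and not Cohost's code; the directory layout, file names and function names are constructed for illustration.

```javascript
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Recursively list every file under dir.
function walk(dir) {
  return fs.readdirSync(dir, { withFileTypes: true }).flatMap((e) => {
    const p = path.join(dir, e.name);
    return e.isDirectory() ? walk(p) : [p];
  });
}

// For each bundle, report a sibling "<name>.js.map" whether or not the
// bundle links to it: an unlinked map still sits at a predictable path.
function auditBuildDir(dir) {
  const findings = [];
  for (const file of walk(dir).filter((f) => f.endsWith(".js"))) {
    const mapPath = file + ".map";
    if (!fs.existsSync(mapPath)) continue;
    const linked = /\/\/[#@]\s*sourceMappingURL=/.test(fs.readFileSync(file, "utf8"));
    let embedsSources = false;
    try {
      const map = JSON.parse(fs.readFileSync(mapPath, "utf8"));
      // sourcesContent carries the original, un-minified source text.
      embedsSources = Array.isArray(map.sourcesContent) &&
        map.sourcesContent.some((s) => typeof s === "string" && s.length > 0);
    } catch {
      // Unparseable map: still reported, it should not ship either way.
    }
    findings.push({ map: path.relative(dir, mapPath), linked, embedsSources });
  }
  return findings.sort((a, b) => a.map.localeCompare(b.map));
}

// Constructed sample build output (hypothetical files, not Cohost's).
function makeSampleBuild() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "build-"));
  fs.mkdirSync(path.join(dir, "static"));
  const w = (name, body) => fs.writeFileSync(path.join(dir, name), body);
  w("static/app.js", "console.log(1);"); // no sourceMappingURL comment
  w("static/app.js.map", JSON.stringify({ version: 3, sources: ["src/app.ts"],
    sourcesContent: ["export const x = 1;"], mappings: "" }));
  w("static/vendor.js", "console.log(2);\n//# sourceMappingURL=vendor.js.map");
  w("static/vendor.js.map", JSON.stringify({ version: 3, sources: ["v.js"], mappings: "" }));
  w("static/clean.js", "console.log(3);"); // no map on disk
  return dir;
}

console.log(auditBuildDir(makeSampleBuild()));
```

Run against the real output directory before upload, any finding means a map would be published; the unlinked `app.js.map` with `embedsSources: true` is the case this post describes.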
Part 3 - Some Mistakes and CSS Crimes 
Armed with this new knowledge, I turned to a small Discord server to share my findings. This was probably not the best thing to do, but being seventeen and having never done something like this before, I was unsure of what to do. Someone in the server wrote a small script to find more of these source map links by gathering them from webpack.
After downloading the source map files and using a tool called Shuji to unpack them back to their original form, I had a local copy of most of Cohost's frontend code. (https://cohost.org/mintexists/post/284150-div-style-align-it) Remembering my original intentions, I looked at the code for API endpoints, but I didn't find anything of particular interest.
I reached out to staff over a post and a support ticket, but it being the weekend I did not get a reply.
At this point, @easrng asked me to try to find the code that sanitizes the post input, and what HTML tags and attributes are allowed. The source code gained from the source maps allowed her to find the JavaScript library that Cohost uses to sanitize posts, leading to her Take off your glasses post, followed shortly by my Flying Eggbug.
It was most definitely a mistake to allow this CSS Crime to go public before it was acknowledged by the Cohost team, but this has been a major learning experience for me, and I now know about responsible disclosure.
At this point, the source code gained through source maps was not widespread knowledge, and was mostly contained, and I did not want it to spread any further before Cohost staff fixed it. After seeing the post from @staff about it sucking to discover a bug on the weekend by seeing it actively being used (https://cohost.org/staff/post/294956-minor-update-to-the), I realized that I had definitely made some mistakes along the way.
I waited until Monday (today as of writing) for Cohost staff to see my support ticket, and after noticing that the staff member who fixed the bug (@vogon) had replied to an earlier post I made, I replied to their reply to let them know about the probably urgent bug of the source code availability. This got my ticket through to them, and they let me know that it would be fixed, and that once it was, I could make this post about how I found the issue!
In Conclusion 
I think the biggest thing I learned from this whole experience was definitely Responsible Disclosure. As said before, I've never been involved in a thing like this, and it was a major learning experience for me.
I learned about the thrill of discovering a bug and digging around inside the system, but also to be careful and make sure my explorations don't add any additional stress to others. This is the best social media site I've ever used, and I love it a lot <3
2 Weeks Later…
It has now been 2 weeks since I was told that this would be fixed in an hour, which was possibly a miscommunication saying that a certain CSS Crime abuse would be fixed, not the source code reveal itself. None of my follow-up messages have been answered, so I figure that it is okay to go ahead and post this now.
It doesn’t seem like it leaves any dangers open, and just gives people a cool way to interact and explore this website on a deeper level. Using this was a big help in making my Markdown Plus Userscript and will hopefully help others make cool things too! Just please disclose bugs you find to @staff properly and don’t make the same mistakes I did!
This is a wonderful website and I am so glad it exists, it really does feel like it is perfect for me :)
Happy Eggbugging! - Mint
(thanks to @thingskatedid for helping me edit this)
