So while I can't promise you jack right now in terms of money, I can give out permanent accounts like candy, so I'll announce the first round of the game:
STEP 1: Go to http://www.test.dev.livejournal.org/
CVS viewers are at http://cvs.danga.com/ and http://cvs.livejournal.org/ .
STEP 3: Email me (firstname.lastname@example.org) with subject containing at least "XSS-LJ", and a URL to a minimal test case illustrating your hole. I need to know how you did it, source code, maybe your test account's password, whatever it takes. The clearer it is, the more likely it is that you win and that I don't accept somebody else's later but clearer bug report first. After you find a hole, go create a new account for your next hole.
Brad's unofficial rules: I am judge, jury, and sole candy giver, at least until there are official rules. If I give you a permanent account, that doesn't mean you're not eligible for money/gift certificates later. We'll retroactively give that out for the best/hardest-to-fix/most-clever holes after the fact.
NOTE: The code running on the above URLs isn't live on the site yet. We don't care about holes at www.livejournal.com, because they're likely already fixed in the test code. The test code will go live on the site soon-ish. So reproduce (or produce) your bug reports on the test machine.
NOTE 2: The test machine above is a small virtual machine. I might not have given it enough memory. If it sucks, I'll increase it. Bear with me.