    Only tangentially related, but… Running a social networking service for people in information security seems like it would be a total nightmare.

      Doesn’t seem too bad? You’re going to get some vulnerability reports, but at least the reporters are well-meaning professionals. E.g. hosting a cryptocurrency exchange would be a lot more exciting…

      In this case, the form-action directive would have stopped the attack. It is common to forget it when writing a CSP, especially because the fact that it is not affected by default-src is not common knowledge.
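An added illustration of the point above (example code, not part of the thread): a small checker that parses a Content-Security-Policy header value and shows that `form-action`, unlike fetch directives such as `img-src`, never falls back to `default-src`, so a policy that only sets `default-src 'self'` still allows forms to submit anywhere. The sample policies are constructed.

```python
from typing import Dict, List, Optional

# Directives that do NOT inherit from default-src (CSP Level 3).
# form-action governs where forms may be submitted; leaving it out means
# no restriction at all, even with a strict default-src.
NO_DEFAULT_FALLBACK = {
    "form-action", "base-uri", "frame-ancestors",
    "sandbox", "report-uri", "report-to",
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]],
                      directive: str) -> Optional[List[str]]:
    """Return the source list that actually governs `directive`.

    None means the browser imposes no restriction for that directive.
    """
    if directive in policy:
        return policy[directive]
    if directive not in NO_DEFAULT_FALLBACK and "default-src" in policy:
        return policy["default-src"]  # fetch directives fall back here
    return None  # form-action etc. do not fall back


def form_action_unrestricted(header: str) -> bool:
    """True when the policy lets a form POST its fields to any origin."""
    return effective_sources(parse_csp(header), "form-action") is None


# Constructed sample policies: the first looks locked down but is not.
WEAK_CSP = "default-src 'self'; script-src 'self'"
FIXED_CSP = "default-src 'self'; script-src 'self'; form-action 'self'"

if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("fixed", FIXED_CSP)):
        print(f"{name}: form-action unrestricted = "
              f"{form_action_unrestricted(csp)}")
```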