www.rodneybeede.com | "I would love to change the world, but they won't give me the source code" - unknown
I guess EA.com didn't. They have an XSS vulnerability that is served up via ftp.ea.com. Providing a URL such as ftp://ftp.ea.com/web/index.htm is perfectly valid for the major web browsers. This also opens up XSS that may be missed, since most organizations don't think to scan the web content on their FTP servers as well.
I did notify EA, but I never got a response back.
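
One way to bring FTP-hosted web content into scanner scope, as an added example that is not from the original post: it walks a server's MLSD listing and returns the ftp:// URLs of files a browser would render. The host name ftp.example.com, the FakeFTP stand-in, its directory tree and the extension list are all assumptions made for illustration.

```python
"""Inventory browser-renderable files on an FTP server for web-scanner scope."""
import posixpath
from urllib.parse import quote

# Assumed list of extensions a browser would render or execute, not download.
RENDERABLE = {".htm", ".html", ".xhtml", ".shtml", ".svg", ".xml", ".js"}


def renderable_urls(ftp, host, root="/"):
    """Walk `root` with MLSD and return sorted ftp:// URLs of renderable files.

    `ftp` is any object with an mlsd(path) method yielding (name, facts)
    pairs, which is what a logged-in ftplib.FTP provides.
    """
    urls, stack = [], [root]
    while stack:
        directory = stack.pop()
        for name, facts in ftp.mlsd(directory):
            if name in (".", ".."):
                continue
            path = posixpath.join(directory, name)
            if facts.get("type") == "dir":
                stack.append(path)  # descend into subdirectories
            elif posixpath.splitext(name)[1].lower() in RENDERABLE:
                urls.append(f"ftp://{host}{quote(path)}")
    return sorted(urls)


class FakeFTP:
    """Constructed stand-in for ftplib.FTP so the example runs offline."""
    TREE = {  # constructed sample listing, not taken from any real server
        "/": [("pub", {"type": "dir"}), ("readme.txt", {"type": "file"})],
        "/pub": [("web", {"type": "dir"}), ("patch.zip", {"type": "file"})],
        "/pub/web": [("index.htm", {"type": "file"}),
                     ("promo page.HTML", {"type": "file"}),
                     ("logo.svg", {"type": "file"})],
    }

    def mlsd(self, path):
        return iter(self.TREE[path])


def demo():
    # Hypothetical host; swap FakeFTP() for a logged-in ftplib.FTP object.
    return renderable_urls(FakeFTP(), "ftp.example.com")


if __name__ == "__main__":
    print("\n".join(demo()))
```

The resulting URL list can be added to the target list of whatever web content scanner the organization already runs against its HTTP sites.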