hello-dolly, your URL would be
window.projectName="hello-dolly";
Change the URL to
http://scrumy.com/%22%3balert(0)%3b%22
and this is what gets written into the page:
window.projectName="";alert(0);"";
Resulting in an XSS.
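The injection above next to one way of closing it, as an added example that is not the site's own code. The function names and the server-side template are assumptions; the post only shows the output that ends up in the page.

```javascript
// Assumed template: the post shows only its output,
//   window.projectName="<URL path segment>";

// Vulnerable: the URL-decoded path segment is pasted between the quotes as-is,
// so a double quote in the URL ends the string and the rest runs as script.
function renderVulnerable(pathSegment) {
  const name = decodeURIComponent(pathSegment);
  return 'window.projectName="' + name + '";';
}

// Hardened: serialize the value as a JavaScript string literal, then escape
// the characters that could close the surrounding <script> element or break
// the line inside an inline script block.
function renderSafe(pathSegment) {
  const name = decodeURIComponent(pathSegment);
  const literal = JSON.stringify(name)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return 'window.projectName=' + literal + ';';
}

// Runs a rendered script against a stub window and a stub alert() that only
// counts calls, so the effect of each rendering can be observed offline.
function run(script) {
  const win = {};
  let alerts = 0;
  new Function('window', 'alert', script)(win, () => { alerts += 1; });
  return { projectName: win.projectName, alerts };
}

const payload = '%22%3balert(0)%3b%22'; // path segment from the URL in the post
console.log(renderVulnerable(payload), run(renderVulnerable(payload)));
console.log(renderSafe(payload), run(renderSafe(payload)));
```

With the hardened rendering the whole path segment, quotes included, ends up as the value of window.projectName and the stub alert is never called.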
Now I only looked at a single page on the site, so can't comment on whether there are more holes or not.
I emailed them as soon as I found the bug and a few hours later it was fixed. Good job folks!