HackerOne report 492512 (Feb 07, 2019 - 4:09 p.m.)

Internet Bug Bounty: [bower] Arbitrary File Write through improper validation of symlinks while package extraction

2019-02-07 16:09:07
skyn3t
hackerone.com
$500
22

EPSS: 0.003 (Low), percentile 65.4%

Hi,

I want to submit my report https://hackerone.com/reports/473811 for the Internet Bug Bounty.
Snyk’s writeup: https://snyk.io/blog/severe-security-vulnerability-in-bowers-zip-archive-extraction

My assessment on why this report might be eligible:
>To qualify, vulnerabilities must meet the following criteria:

  • Be implementation agnostic: vulnerability is present in implementations from multiple vendors or a vendor with dominant market share. Do not send us vulnerabilities that only impact a single website, product, or project.

Bower is one of the top package managers for the nodejs ecosystem, with many major companies dependent on it, as cited by https://stackshare.io/stackups/bower-vs-npm-vs-yarn

  • Be open source: finding manifests itself in at least one popular open source project. ✔️

>In addition, vulnerabilities should meet most of the following criteria:

  • Be widespread: vulnerability manifests itself across a wide range of products, or impacts a large number of end users

Bower has ~2 million monthly downloads according to Snyk’s report, with official npm stats showing 355k+ downloads in the past week.

{F419777}

  • Have critical impact: vulnerability has extreme negative consequences for the general public. ✔️

  • Be novel: vulnerability is new or unusual in an interesting way.

What do you think?

Regards,
Skynet (skyn3t)

Impact

Writing arbitrary files on the system