Hi,
I want to submit my report https://hackerone.com/reports/473811 for the Internet Bug Bounty.
Snyk’s writeup: https://snyk.io/blog/severe-security-vulnerability-in-bowers-zip-archive-extraction
My assessment on why this report might be eligible:
>To qualify, vulnerabilities must meet the following criteria:
Bower is one of the top package managers for the Node.js ecosystem, with many major companies dependent on it, as cited by https://stackshare.io/stackups/bower-vs-npm-vs-yarn
>In addition, vulnerabilities should meet most of the following criteria:
Bower has ~2 million monthly downloads according to Snyk’s report, with official npm stats showing 355k+ downloads in the past week.
What do you think?
Regards,
Skynet (skyn3t)
Writing arbitrary files on the system