The React2Shell Story and What Happened Next.js

20 points by mtlynch a day ago on lobsters | 3 comments

adamshaylor | a day ago

I don’t enjoy learning how the Flight Protocol works while simultaneously being assured by RSC apologists that I do not need to know that there is such a thing as a Flight Protocol. This is not just about React2Shell, although something as complicated as an RPC protocol is bound to have more vulnerabilities than REST-ish APIs. No, my beef is about a design philosophy that consistently hides details from developers that they actually want and need to know and has been steadily taking React from a comprehensible, focused framework for the benefit of the broader open source community to an opaque, amorphous SDK for a company with a rather cavalier attitude toward security.

mort | a day ago

We sometimes see this kind of problem in open source projects which are primarily meant to be the core of a single company's offering: the project grows in complexity in a way the open source community around it doesn't really need or want, but which the central company needs in order to keep adding features and stay competitive. I feel GitLab is one of many good examples: it's a huge complex behemoth that's really hard to host, because the main purpose of the open source project is to serve as a foundation for gitlab.com.

Both Next and React are starting to feel like projects whose main purpose is to serve as a foundation for Vercel's services.

[OP] mtlynch | a day ago

I found it interesting reading about the process of monetizing the vulnerability through bug bounty programs. She says:

In what ended up being responsible for the vast majority of the bounty money I ended up getting from this, Vercel, to their credit, did in fact put their money where their mouth was, and began offering $50k per unique bypass to their WAF on HackerOne.

...

Vercel ended up paying out for 23 unique bypasses, five of which belonged to Lachlan and myself.

If I'm understanding correctly, the two researchers:

  1. Found an RCE in React
  2. Reported the vulnerability to Meta, who maintains React
  3. Tried to find vendors with bug bounty programs that would pay them for proving their site was vulnerable after Meta announces the vulnerability but before the vendor has time to deploy the fix
  4. Once the CVE was published, started testing proofs of concept on the vendors they identified in (3)
  5. In the process of (4), discovered that Vercel's web application firewall (WAF) was blocking their proofs of concept because Vercel had early access to the CVE before the general public and added it to their WAF
  6. In trying to get around Vercel's WAF, they found 5 vulnerabilities ($50k x 5, split two ways, not necessarily 50-50) in the firewall itself, which earned Sylvie more money than she made on React2Shell.

Neither of them disclosed how they split the bounty money or what Meta paid. If they were splitting everything 50-50, then I'm surprised they made more from Vercel than Meta. React2Shell was much more technically sophisticated, had a larger impact, and has a maintainer with deeper pockets. But it's entirely possible that Lachlan kept most or all of the bounty from Meta, since he was the lead on that, and Sylvie led the second-order effect bounty project.