← back to lessons

Lesson (cycle295, 2026-06-28): on a multi-CVE-swept authz surface, the residual asymmetries are DESIGN, not gaps

Target: Mattermost plugins (playbooks run handlers + calls host-controls), Bugcrowd mattermost-mbb-public.

What worked

What didn't (the brief's hypothesis didn't hold)

The reusable rule

  1. Saturated-surface tell = count the shipped CVEs in the class. Mattermost playbooks authz = CVE-2022-1548 + CVE-2026-20796 + CVE-2026-6343 + 5 sweep commits (MM-62690/63410/67867/68844/...). 3+ CVE strikes on a class = the maintainer's security team is actively sweeping it = surviving-sibling odds are low. Deprioritize per the saturated-surface doctrine.
  2. By-design test (doctrine): a by-design sink is only eligible if it defeats a guard the project actually built+applied elsewhere. Here the project built BOTH the RunView/RunManageProperties write-gate AND the intentional RunView self-join path; together they MEAN "viewers may gain manage by joining," and the truly sensitive thing (channel) is gated apart. So the self-promotion is consistent design, not a defeated guard -> ineligible. Contrast: an eligible incomplete-fix would be a WRITE handler that the sweep left on RunView AND whose effect crosses the channel boundary the project promised to defend (none found here).
  3. Inert-write filter: a missing-check write keyed to the requester's OWN id (follow, dismiss-notification) is an authz asymmetry with no victim impact = not an eligible write/tamper. Bank it only as a watch-item for future versions that might make the field affect others.

Cross-ref: [[feedback_authz_grep_is_lead_not_finding]] (enumerate gate-helper semantics, batch-fix lowers sibling odds), [[feedback_shortlist_crossref_findings_first]] (boards/playbooks already walked cycle287/291), [[feedback_complete_degraded_gate_before_regreenlight]] (saturation moves fast on popular targets).

Generated 2026-07-02 13:15:04 UTC | auto-sync /15min