This is both a pitiful amount of money for finding flaws in three different pieces of software but at the same time the biggest thing Discord did wrong was not practicing defense in depth through disabling contextIsolation.
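As an added example (not code from the thread or from Discord's client), here is the kind of Electron "defense in depth" the comment refers to: renderer settings with contextIsolation enabled, plus an allow-list guard on top-level navigation so an injected link cannot steer the window to a foreign origin. The app origin `https://app.example.test` and the `preloadPath` argument are hypothetical.

```javascript
// Added example: Electron hardening of the kind the comment calls defense in
// depth. Assumes a hypothetical app whose only legitimate origin is
// https://app.example.test; Electron itself is not required to run the
// pure functions below.

// Hardened webPreferences for a BrowserWindow. contextIsolation keeps page
// JavaScript away from the preload's Node/Electron objects, so an XSS in the
// rendered page does not turn into code execution in the main process.
function hardenedWebPreferences(preloadPath) {
  return {
    contextIsolation: true,
    nodeIntegration: false,
    sandbox: true,
    webSecurity: true,
    preload: preloadPath,
  };
}

// Allow-list check used for the 'will-navigate' event: a top-level
// navigation is only permitted to the app's own origin(s). Unparseable
// URLs and scheme-only URLs (origin "null") are rejected.
function isAllowedNavigation(targetUrl, allowedOrigins) {
  let parsed;
  try {
    parsed = new URL(targetUrl);
  } catch {
    return false;
  }
  return allowedOrigins.includes(parsed.origin);
}

// Wire the guard onto a BrowserWindow: cancel disallowed navigations and
// deny window.open() outright. `win` is an Electron BrowserWindow.
function attachNavigationGuard(win, allowedOrigins) {
  win.webContents.on("will-navigate", (event, url) => {
    if (!isAllowedNavigation(url, allowedOrigins)) {
      event.preventDefault();
    }
  });
  win.webContents.setWindowOpenHandler(() => ({ action: "deny" }));
}
```

The guard is the fallback layer: even if a navigation slips past page-level mitigations, the renderer still has no Node access because of contextIsolation and nodeIntegration being off.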
Although it makes sense, I'm almost surprised Discord paid out given that the biggest reason the RCE exists was due to the Electron top-level navigation bug allowing XSS despite Discord's existing mitigations in the first place.
This seems to be a bit of a concerning attitude, and it's also in that top Discord guy's post. No, it's not a bug in some third-party library that you are excused from - you use it, it's your bug now!
And who other than Discord would be poised to take charge and fix it? They need a desktop client almost like no other Electron user. Time to grow up and take some responsibility for the stuff you ship. Instead we have
Yeah the moment you take on a dependency and put it into your code, you vouch for it. That's why so many open source (or even proprietary) licenses have the NO LIABILITY clause.
Alternately, take responsibility for fixing it, sending changes upstream, applying pressure that they get accepted, and building defenses against the specific bug in your surrounding code just in case.