“We believe bug bounties are a vital part of every security team’s toolbox, and continue to encourage third parties and researchers to continue to report this type of activity for review by our team.” - Cloudflare spokesperson
Amount: only $200 bounty
Responding to a subsequent request, Cloudflare told the researcher that it is ultimately the users’ responsibility to disable caching.
Discord rejected the report as a Cloudflare issue, as did Signal, noting that it’s outside their mission’s scope to implement network-layer anonymity features.
I think it really is the user’s responsibility. This is an inherent design issue in what the service is doing, not a bug. It is about using the service properly for a given use-case. Geo-based content caching isn’t designed to be private or privacy enhancing.
Keep in mind, the “user” in this case isn’t you and me. It is the consuming applications that are the users of their service. In this case, it is Discord, Signal and friends.
So if those apps are selling privacy, they shouldn’t be using this type of service.