I guess the most backdoor-looking bug I've ever seen (referring of course to Signal Desktop's usage of React's __dangerouslySetInnerHTML to render user-supplied messages in a Node.js privileged context) is below the technical authors paygrade.
(https://thehackerblog.com/i-too-like-to-live-dangerously-acc...) - CVE-2018-11101
