The component object is mutable

[mgetzbw]

The following code should fail:

init: function(component, event, helper){
     component.set = function(){ alert('gotcha');};
}

Expected outcome:
This should fail because component should be frozen

Actual outcome:
Alert with "gotcha" is displayed.

Severity:
Medium, This allows developers to bypass the proxy and locker system and communicate directly between components via un proxied objects as well as potentially allowing for unsafe modifications of other components
This has been seen In the wild.