Feature Bounties
Submit a merge request that closes one of these issues to earn points on merge — bounties stack on the standard +40 merge_pr award. New to the repo? See the Contributing guide or the step-by-step below.
bcw-mcp (1)
#47 · Add `bcw_search` tool to find BCTs by free-text description
Today the BCW MCP exposes the canon and recommendations but a user has to know which BCT they want. A simple text-search tool over BCT names and descriptions makes the canon discoverable.
career-board (2)
#31 · Salary range field + filter (with member opt-out)
Job posts have title/description but no structured salary. Members can't filter by compensation. Add a typed salary range with sane filtering and let posters opt out (some military/contracting roles can't disclose).
#32 · OPSEC screenshot redaction — auto-blur job poster's name in shareable images
There's already an OPSEC-SCREENSHOT-PROTECTION.md file in `apps/career-board/docs/`. The implementation is missing. Generate `share-image` for a job post that blurs/anonymizes the poster's name.
developer-portal (1)
#38 · Generate per-app API client snippets from wrangler.toml routes
Developers don't know what endpoints each Worker exposes without reading source. Build a tool that ingests each app's `wrangler.toml` and source files and emits a one-page API reference with copy-paste TypeScript / curl examples.
event-service (2)
#28 · iCal feed per-user (`/ical/<token>.ics`) for personal calendar sync
Members RSVP to events but can't easily get them in Apple/Google Calendar. A signed iCal feed token lets users subscribe to their own events.
#29 · Award `share_event` points when an event is forwarded via Signal bot
`share_event` is in the scoreboard CHECK constraint (5 pts) but no service awards it. Wire event-service to the bot's `!share` path so members get credit for amplifying events.
fieldnotes (2)
#26 · Article scheduled publishing — submit now, publish at future date
Authors should be able to draft an article and schedule it to publish at a specific time (newsletter cadence, embargoed announcements, weekend publishing).
#27 · Daily Signal bot announcement of new published articles
When new articles publish, push them to the Signal community. Today members have to remember to check fieldnotes.irregulars.io.
rss-reader (1)
#43 · OPML import/export so users can move feeds in/out
Standard feature for any RSS reader. Lets users seed the community reader from their existing client and bail out if needed.
scoreboard (16)
#50 · Single sign-on session sharing across all 12 Workers via shared cookie domain
Every Worker has its own session cookie scoped to its subdomain. Members log in to scoreboard, then log in *again* to portal, *again* to events… Painful and breaks the "one community" feel.
#102 · RCE / command injection in any service
Any path that lets an attacker execute arbitrary code or shell commands on a worker, container, or host. Highest priority class.
#104 · Authentication bypass / session-token forgery
Any way to act as another user without their credentials, OR to elevate privileges to admin without admin-level OIDC claims.
#105 · Webhook signature bypass / scoreboard double-award
The scoreboard accepts awards via two paths: (1) GitLab MR webhook, (2) the bot API. Both rely on shared secrets / API keys. Any way to mint awards without the secret, or to bypass the unique idempotency index, qualifies.
#101 · Bug Bounty Program — purple team rewards for security findings
The IrregularChat scoreboard now pays points for accepted security findings against any community service. Findings are submitted privately, triaged by an admin, and points awarded based on severity. This is the canonical reference — every other `security:` issue points back here…
#103 · SQL injection in any D1 / PostgreSQL query
Any query that interpolates user input as a string instead of using a parameterized placeholder. D1 must use `.bind()`; PostgreSQL on signal-bot must use parameterized clients.
#108 · SSRF (server-side request forgery) in any worker
Any worker endpoint that fetches a URL the client controls. The new `/contribute/claim` was designed defensively (no fetch of user URL) but other paths may not be.
#110 · IDOR / privilege escalation via predictable IDs
Any endpoint that returns or mutates data keyed on a user-supplied ID without verifying the requesting user owns that ID.
#107 · Cross-site scripting (XSS) in any rendered template
Any user-provided string rendered into HTML without `escapeHtml`, or any `innerHTML` / `dangerouslySetInnerHTML` with attacker-controlled content.
#109 · CSRF on any state-changing endpoint
Any POST endpoint that modifies state without checking session origin. Workers don't get CSRF protection by default; if the auth is just a session cookie + the endpoint has no Origin/Referer check or CSRF token, it's exploitable.
#111 · Idempotency abuse to double-award points
The award system relies on a unique index on `(source_service, source_id)`. Any way to bypass it qualifies.
#113 · Auto-disclose patched security findings after 30-day embargo
Security findings come in via `/contribute#report-bug` and stay confidential through triage and patching. Today there's no path to make them public after a reasonable embargo. Best practice (Bugcrowd, HackerOne, Google VRP) is to disclose patched findings after a window (typicall…
#114 · Signal bot `!reportbug` command — DM intake for security findings
The bug-report intake at `/contribute#report-bug` requires opening a browser, logging in, filling a form. For power users (especially when reporting from mobile during a security poke session) a Signal bot command is dramatically lower friction. The bot already has 100+ commands …
#19 · Surface user's lifetime bounty count + total bounty points on profile
Profile page shows points/badges but not bounty-specific stats. Add a "Bounties claimed" widget so contributors can show off their PR work.
#112 · Admin security findings dashboard + public stats page
Admins reviewing security findings can approve them via /admin's award request queue, but there's no transparency view showing how many findings have been accepted by tier, who's earned them, or aggregate program activity. This makes it hard to (a) communicate program traction to…
#20 · Add /bounties to the mobile bottom nav
/bounties is in the desktop nav and dropdown but missing from `buildBottomNav` in the mobile layout. Easy fix.
search-service (1)
#35 · Federate search across wiki, Q&A, field notes, and bounties (single result page)
Today search-service fronts SearXNG (web search). Internal community content (wiki, Q&A, articles, bounties) lives in scattered indexes. A unified result page that interleaves results from each surface would massively improve discoverability — this is the *direction* hinted at by…
signal-bot (6)
#14 · Multi-tenant config: load tenant-specific env from `tenants/<id>/.env`
Forks of the bot can't easily run multiple Signal accounts on one host. A multi-tenant layout (`tenants/<tenant_id>/.env`, `tenants/<tenant_id>/state/`) would let one container serve N communities with isolated state, sharing only the binary. This is foundational for the fork-fri…
#13 · Add !bounty command to surface open feature bounties in Signal
The community-facing bot should surface open bounties so contributors can claim them without leaving Signal. Today, bounties live only on score.irregulars.io and GitLab — adding a `!bounty` command closes that loop and brings the bot ↔ scoreboard parity in line with `!jobs`, `!ev…
#119 · Test coverage: !summarize and !rollup handlers
`handleSummarize` (567 lines, ~5 distinct content pipelines: PDF, YouTube, social video, HTML, plain text) and `handleRollup` (~300 lines, 8 stat queries + Outline doc) have **zero test coverage** in `apps/signal-bot/src/tests/`. The only handler test is `bcw.command.test.ts`. Re…
#120 · Refactor: share community-rollup logic between !rollup --full and 02:00 cron
Two implementations of "build a 7-day community rollup → publish to Outline" exist in the signal-bot:
#15 · Show bot's own scoreboard rank in `!score` output
`!score` already returns a member's points. Add a one-liner showing the bot's leaderboard rank within the community to drive engagement ("You're #14 of 312, 280 points behind #13").
#147 · Community rollup Outline doc retention (update-in-place or monthly archival)
Part A of #123 (part B — the `outline_url` nullable schema fix — shipped in !29). This tracks the **Outline doc retention** half, which is a behavior change and needs a strategy decision, so it was split out.
simplex-bot (8)
#167 · SimpleX full Q&A lifecycle + question-reminder scheduler
SimpleX has `!question`/`!answer`/`!questions`/`!vote`. Missing the resolution, clarification, and cross-group verbs — and the scheduler that DMs askers about unsolved questions.
#16 · Port `!bounty`, `!score`, `!leaderboard` commands from Signal bot
SimpleX bot is being built as a port of the Signal bot. Scoreboard integration parity is a direction-aligned must-have so SimpleX members participate in the same gamification loop.
#162 · SimpleX admin user lifecycle: !gtg !pending !remove !reactivate
SimpleX has `!account`/`!audit` but no member-approval workflow.
#163 · SimpleX group admin lifecycle: !addgroup !removegroup !groupdestroy !refreshgroups + categories
SimpleX lists/creates/joins/adds-to groups but lacks admin listing management.
#164 · SimpleX dormant-member tracking !dormant + hourly auto-removal scheduler
Signal tracks inactivity tiers and auto-removes 90+-day-silent members hourly. SimpleX has neither.
#165 · SimpleX onboarding drip DMs + !req/!vouch + !leave
Signal runs a 5-DM drip over 6 days for fresh linkers plus intro-template commands. SimpleX has `!request`/`!invite` but no drip and no `!leave`.
#169 · SimpleX /api/event-announce + /api/job-announce receivers + safety-net poller
Workers push announcements to the bot via webhooks, backed by a poller that catches missed deliveries (a fire-and-forget webhook alone silently dropped Signal event broadcasts for 36 days once). SimpleX's express app exposes only `/health`.
#17 · Add `isScoreboardConfigured()` guard and graceful fallback
Per the bot-utils convention, every external service client should have an `is*Configured()` guard. SimpleX bot needs one for scoreboard so forks without a scoreboard get a clean "This server doesn't have points enabled" instead of a stack trace.
tak-service (1)
#36 · Geofence triggers — fire webhook when a marker enters/exits a region
TAK already tracks markers (positions). Adding geofences (named polygons stored in D1) and emitting webhooks on enter/exit makes the service useful for transport runs, perimeter alerts, training events.
task-exchange (2)
#23 · Reputation decay: weekly cron drops idle reputation by 1%
Reputation should reflect recent activity, not lifetime hoarding. A small weekly decay (1% of reputation if user had no activity that week) keeps the leaderboard fresh and aligned with the scoreboard's existing weekly/monthly periods.
#21 · Auto-create a Task Exchange task when a feature bounty is opened
Bounties are GitLab issues. Tasks are reputation-currency items. Today they're disconnected. Wiring them together means contributors who find a bounty can also see it in `task.irregulars.io` with the points pre-set, and Task Exchange's escrow/reputation can layer on top of GitLab…
teamco (1)
#24 · Award scoreboard points when a transport run completes
TeamCO has playbooks and transport runs but no scoreboard integration. Completing a run or coordinating a workspace is high-value community contribution and should earn points like every other action.
uxs-data (1)
#44 · Public diff viewer — show what changed in last UAS data update
uxs-data is the canonical UAS dataset. Updates happen periodically. A public `/diff/<timestamp>` page showing what records were added/changed/removed builds trust and helps consumers (wiki, signal-bot) handle migrations.
uxs-portal (1)
#45 · Migrate auth to Authentik OIDC PKCE via @irregularchat/shared-utils
UXS Portal pre-dates the shared-utils package. Per the README "refactor backlog" and the monorepo direction, migrate auth to the same OIDC PKCE flow used by every other Worker (task-exchange, fieldnotes, etc.). Removes a divergent auth path.
wiki (11)
#61 · Wiki page: GI Bill Complete Guide
A community-identified content gap on Irregularpedia. Listed at https://irregularpedia.org/community/wanted-pages/.
#62 · Wiki page: VA Claims Process
A community-identified content gap on Irregularpedia. Listed at https://irregularpedia.org/community/wanted-pages/.
#63 · Wiki page: MOS to Civilian Translation
A community-identified content gap on Irregularpedia. Listed at https://irregularpedia.org/community/wanted-pages/.
#72 · Wiki page: SOC Tooling Overview
A community-identified content gap on Irregularpedia. Listed at https://irregularpedia.org/community/wanted-pages/.
#86 · Wiki page: Kubernetes Setup
A community-identified content gap on Irregularpedia. Listed at https://irregularpedia.org/community/wanted-pages/.
#64 · Wiki page: Transition Timeline & Checklist
A community-identified content gap on Irregularpedia. Listed at https://irregularpedia.org/community/wanted-pages/.
#65 · Wiki page: Security Clearance Guide
A community-identified content gap on Irregularpedia. Listed at https://irregularpedia.org/community/wanted-pages/.
#66 · Wiki page: OCONUS Transition Resources
A community-identified content gap on Irregularpedia. Listed at https://irregularpedia.org/community/wanted-pages/.
#68 · Wiki page: Veteran Benefits Overview
A community-identified content gap on Irregularpedia. Listed at https://irregularpedia.org/community/wanted-pages/.
#40 · Auto-generate "Recent commits to this page" footer from GitLab API
Wiki shows lastUpdated date but not who/why. Add a small "Recent changes" widget under each page that lists the last 5 commits to that file.
#67 · Wiki page: Reserve & Guard Transition
A community-identified content gap on Irregularpedia. Listed at https://irregularpedia.org/community/wanted-pages/.
How to claim a bounty
First time? Get set up
- Sign in to git.juntogroups.org with your IrregularChat SSO.
- Create a Personal Access Token (PAT) at Settings → Access Tokens with the
write_repositoryscope. You'll use it as your password when cloning/pushing over HTTPS. - Clone the repo:
git clone https://git.juntogroups.org/irregulars/irregularchat-monorepo.git - On your Scoreboard profile, set your GitLab username so merges auto-credit you, and link your Signal account (+50 pts on first link).
Claim a bounty
- Pick an unclaimed issue and comment
/assign meon GitLab. - Branch off
main, implement the feature against the acceptance criteria. - Test it locally before opening the MR: after rebasing on
main, runcp .dev.vars.example .dev.vars && pnpm devfrom the app dir (→localhost:8787) and verify against the acceptance criteria. SSO login works with no secret — full walkthrough: Local Development & SSO. - Open a merge request with Closes #<iid> in the description.
- On merge to
main, the GitLab webhook auto-awards your points and announces it to the community.
The card shows the bounty tier · merge_pr (+40) is awarded on top. Additional bonuses stack automatically:
+10 wiki_editif the MR touchesapps/wiki/src/content/docs/**+50 first_contributionon your first ever merged PR (one-time)
Points land when your GitLab username (set on your profile) or commit email matches your Scoreboard account. For the full walkthrough see the Contributing guide, or recover a missed award at /contribute/claim.