Bounties — IrregularChat Scoreboard

100open

100unclaimed

10975points up for grabs

XS · 25 S · 50 M · 100 L · 200 XL · 400

bcw-mcp (1)

S · 50 pts bcw-mcp

#47 · Add `bcw_search` tool to find BCTs by free-text description

Today the BCW MCP exposes the canon and recommendations but a user has to know which BCT they want. A simple text-search tool over BCT names and descriptions makes the canon discoverable.

career-board (2)

M · 100 pts career-board

#31 · Salary range field + filter (with member opt-out)

Job posts have title/description but no structured salary. Members can't filter by compensation. Add a typed salary range with sane filtering and let posters opt out (some military/contracting roles can't disclose).

S · 50 pts career-board

#32 · OPSEC screenshot redaction — auto-blur job poster's name in shareable images

There's already an OPSEC-SCREENSHOT-PROTECTION.md file in `apps/career-board/docs/`. The implementation is missing. Generate `share-image` for a job post that blurs/anonymizes the poster's name.

community-portal (2)

S · 50 pts community-portal

#33 · Status dashboard pings every service /api/health and shows up/down

Portal is the front door but doesn't show service health. A simple health-check grid on the homepage makes outages visible to operators and members.

XS · 25 pts community-portal

#34 · Add /bounties link to the portal's services grid

Portal links to most services but not to the new scoreboard /bounties page. Easy add.

developer-portal (2)

M · 100 pts developer-portal

#38 · Generate per-app API client snippets from wrangler.toml routes

Developers don't know what endpoints each Worker exposes without reading source. Build a tool that ingests each app's `wrangler.toml` and source files and emits a one-page API reference with copy-paste TypeScript / curl examples.

S · 50 pts developer-portal

#39 · Add "Open Bounties" widget on the dev portal landing

Dev portal is where contributors land. Surface the top 5 open bounties prominently.

event-service (3)

M · 100 pts event-service

#28 · iCal feed per-user (`/ical/<token>.ics`) for personal calendar sync

Members RSVP to events but can't easily get them in Apple/Google Calendar. A signed iCal feed token lets users subscribe to their own events.

S · 50 pts event-service

#29 · Award `share_event` points when an event is forwarded via Signal bot

`share_event` is in the scoreboard CHECK constraint (5 pts) but no service awards it. Wire event-service to the bot's `!share` path so members get credit for amplifying events.

XS · 25 pts event-service

#30 · RSVP confirmation email links to scoreboard for the +20 pts reveal

RSVPing earns 20 pts but the user has to discover this on their own. Confirmation email should celebrate the points and link to `/profile`.

fieldnotes (2)

M · 100 pts fieldnotes

#26 · Article scheduled publishing — submit now, publish at future date

Authors should be able to draft an article and schedule it to publish at a specific time (newsletter cadence, embargoed announcements, weekend publishing).

S · 50 pts fieldnotes

#27 · Daily Signal bot announcement of new published articles

When new articles publish, push them to the Signal community. Today members have to remember to check fieldnotes.irregulars.io.

rss-reader (1)

S · 50 pts rss-reader

#43 · OPML import/export so users can move feeds in/out

Standard feature for any RSS reader. Lets users seed the community reader from their existing client and bail out if needed.

scoreboard (17)

XL · 400 pts scoreboard

#50 · Single sign-on session sharing across all 12 Workers via shared cookie domain

Every Worker has its own session cookie scoped to its subdomain. Members log in to scoreboard, then log in *again* to portal, *again* to events… Painful and breaks the "one community" feel.

XL · 400 pts scoreboard

#102 · RCE / command injection in any service

Any path that lets an attacker execute arbitrary code or shell commands on a worker, container, or host. Highest priority class.

XL · 400 pts scoreboard

#104 · Authentication bypass / session-token forgery

Any way to act as another user without their credentials, OR to elevate privileges to admin without admin-level OIDC claims.

XL · 400 pts scoreboard

#105 · Webhook signature bypass / scoreboard double-award

The scoreboard accepts awards via two paths: (1) GitLab MR webhook, (2) the bot API. Both rely on shared secrets / API keys. Any way to mint awards without the secret, or to bypass the unique idempotency index, qualifies.

L · 200 pts scoreboard

#51 · Fix GitLab runner: EACCES / ENOTCONN / readStream errors breaking CI deploys

The self-hosted GitLab CE runner (`H2eHrgbtW`) is randomly killing pnpm-spawned processes with three different node errors, breaking CI for at least three jobs:

L · 200 pts scoreboard

#101 · Bug Bounty Program — purple team rewards for security findings

The IrregularChat scoreboard now pays points for accepted security findings against any community service. Findings are submitted privately, triaged by an admin, and points awarded based on severity. This is the canonical reference — every other `security:` issue points back here…

L · 200 pts scoreboard

#103 · SQL injection in any D1 / PostgreSQL query

Any query that interpolates user input as a string instead of using a parameterized placeholder. D1 must use `.bind()`; PostgreSQL on signal-bot must use parameterized clients.

L · 200 pts scoreboard

#106 · Hardcoded secret / API key in repo or logs

Any production API key, JWT signing key, OIDC client secret, database credential, or webhook token committed to the repo, logged to stdout, or exposed in error responses.

L · 200 pts scoreboard

#108 · SSRF (server-side request forgery) in any worker

Any worker endpoint that fetches a URL the client controls. The new `/contribute/claim` was designed defensively (no fetch of user URL) but other paths may not be.

L · 200 pts scoreboard

#110 · IDOR / privilege escalation via predictable IDs

Any endpoint that returns or mutates data keyed on a user-supplied ID without verifying the requesting user owns that ID.

M · 100 pts scoreboard

#107 · Cross-site scripting (XSS) in any rendered template

Any user-provided string rendered into HTML without `escapeHtml`, or any `innerHTML` / `dangerouslySetInnerHTML` with attacker-controlled content.

M · 100 pts scoreboard

#109 · CSRF on any state-changing endpoint

Any POST endpoint that modifies state without checking session origin. Workers don't get CSRF protection by default; if the auth is just a session cookie + the endpoint has no Origin/Referer check or CSRF token, it's exploitable.

M · 100 pts scoreboard

#111 · Idempotency abuse to double-award points

The award system relies on a unique index on `(source_service, source_id)`. Any way to bypass it qualifies.

M · 100 pts scoreboard

#113 · Auto-disclose patched security findings after 30-day embargo

Security findings come in via `/contribute#report-bug` and stay confidential through triage and patching. Today there's no path to make them public after a reasonable embargo. Best practice (Bugcrowd, HackerOne, Google VRP) is to disclose patched findings after a window (typicall…

M · 100 pts scoreboard

#114 · Signal bot `!reportbug` command — DM intake for security findings

The bug-report intake at `/contribute#report-bug` requires opening a browser, logging in, filling a form. For power users (especially when reporting from mobile during a security poke session) a Signal bot command is dramatically lower friction. The bot already has 100+ commands …

S · 50 pts scoreboard

#100 · Resolve MR author from attrs.author_id, not body.user (avoid mis-credit)

The GitLab MR webhook at `apps/scoreboard/src/api/webhook.ts` resolves the contributor identity from `body.user.username` (and `attrs.last_commit.author.email` as fallback). Per GitLab's webhook docs, `body.user` is the **actor that triggered the event** — for a Merge Request "me…

S · 50 pts scoreboard

#112 · Admin security findings dashboard + public stats page

Admins reviewing security findings can approve them via /admin's award request queue, but there's no transparency view showing how many findings have been accepted by tier, who's earned them, or aggregate program activity. This makes it hard to (a) communicate program traction to…

search-mcp (1)

S · 50 pts search-mcp

#46 · Add `bounties_open` MCP tool

MCP-aware AI agents (Claude Code, Claude Desktop) should be able to query open bounties. Adds another tool alongside `search_community`, `ask_irregularchat`, etc.

search-service (1)

L · 200 pts search-service

#35 · Federate search across wiki, Q&A, field notes, and bounties (single result page)

Today search-service fronts SearXNG (web search). Internal community content (wiki, Q&A, articles, bounties) lives in scattered indexes. A unified result page that interleaves results from each surface would massively improve discoverability — this is the *direction* hinted at by…

searxng (1)

XS · 25 pts searxng

#49 · Pin SearXNG image to specific tag in compose.yml

Currently uses `searxng/searxng:latest` (or unpinned) — a breaking upstream release will silently break community search. Pin to a date-tagged release and document the upgrade workflow.

signal-bot (10)

L · 200 pts signal-bot

#124 · Redirect !wikiadd from archived repo to monorepo MR-based flow

`!wikiadd` is the Signal-bot command that lets a member quote a message (or `-n N` for the last N messages) and have AI extract wiki-worthy content, decide which page to update or create, and commit + push to the wiki repo. Cloudflare Pages auto-deploys to https://irregularpedia.…

M · 100 pts signal-bot

#116 · SSRF: DNS rebind hardening + Tailscale CGNAT block

`packages/shared-utils/src/bot-utils/url-scraper.ts:178` validates URLs by checking the literal hostname string against an allowlist + `isInternalHost` check, then `axios.get(url)` re-resolves DNS independently. An attacker domain returning `203.0.113.5` on the first lookup and `…

M · 100 pts signal-bot

#119 · Test coverage: !summarize and !rollup handlers

`handleSummarize` (567 lines, ~5 distinct content pipelines: PDF, YouTube, social video, HTML, plain text) and `handleRollup` (~300 lines, 8 stat queries + Outline doc) have **zero test coverage** in `apps/signal-bot/src/tests/`. The only handler test is `bcw.command.test.ts`. Re…

M · 100 pts signal-bot

#120 · Refactor: share community-rollup logic between !rollup --full and 02:00 cron

Two implementations of "build a 7-day community rollup → publish to Outline" exist in the signal-bot:

M · 100 pts signal-bot

#123 · Rollup retention + outline_url NULL semantics

Two related cleanup items from the onboarding feature's team-review:

S · 50 pts signal-bot

#115 · Prompt injection: wrap user messages in untrusted-content delimiters

`handleSummarize` (apps/signal-bot/src/src/bot/command-handler.ts:5613-5658) builds the user prompt by joining group messages as `${msg.source_name}: ${msg.message}` and dropping the result into OpenAI. A malicious member can send a message like `IGNORE PRIOR INSTRUCTIONS. Reply:…

S · 50 pts signal-bot

#118 · Inline rollup: render top contributors as proper Signal mentions

The inline rollup output (`!rollup` non-`--full`) lists contributors as plain text strings: `Top answerers: alice (3)`, `Asked by bob`. Signal renders these as plain text — no blue highlight, no name tap, no notification to alice/bob that they were credited. Looks half-finished g…

S · 50 pts signal-bot

#121 · Sanitize error_message persistence in daily_community_rollups

`apps/signal-bot/src/src/utils/community-rollup.ts:153-170` writes `err.message` verbatim into `daily_community_rollups.error_message` when the rollup generation fails. PostgreSQL/Outline errors can include connection strings, API tokens encoded in URLs, raw stack-trace fragments…

S · 50 pts signal-bot

#122 · Privacy: requireLocal flag for room-catchup AI calls (no silent OpenAI fallback)

`apps/signal-bot/src/src/utils/room-catchup.ts:97-107` calls `callAI({ ..., preferLocal: true })`. The `preferLocal` flag tries LocalAI first, then **silently falls back to OpenAI** if LocalAI is unreachable.

XS · 25 pts signal-bot

#117 · Clarify default !rollup scope in help text

`!rollup` with no flags returns the **community-wide** weekly digest. A user typing `!rollup` in `#general` reasonably expects to see what THEIR group discussed and gets cross-community stats instead. The help text at `apps/signal-bot/src/src/bot/command-handler.ts:1933` says "`!…

tak-service (2)

M · 100 pts tak-service

#36 · Geofence triggers — fire webhook when a marker enters/exits a region

TAK already tracks markers (positions). Adding geofences (named polygons stored in D1) and emitting webhooks on enter/exit makes the service useful for transport runs, perimeter alerts, training events.

S · 50 pts tak-service

#37 · Document and seed `tak-service` example geofence in README

README is empty. Add a runnable quickstart: how to deploy, how to push a marker, how to query markers — three commands with copy-paste curl.

task-exchange (1)

L · 200 pts task-exchange

#23 · Reputation decay: weekly cron drops idle reputation by 1%

Reputation should reflect recent activity, not lifetime hoarding. A small weekly decay (1% of reputation if user had no activity that week) keeps the leaderboard fresh and aligned with the scoreboard's existing weekly/monthly periods.

teamco (2)

M · 100 pts teamco

#24 · Award scoreboard points when a transport run completes

TeamCO has playbooks and transport runs but no scoreboard integration. Completing a run or coordinating a workspace is high-value community contribution and should earn points like every other action.

S · 50 pts teamco

#25 · Add `isTakConfigured()` guard before TAK Service calls

TeamCO crashes (or returns 500) when TAK Service isn't deployed. Per bot-utils convention, gate every `tak-client.ts` call behind a configuration guard.

uxs-data (1)

M · 100 pts uxs-data

#44 · Public diff viewer — show what changed in last UAS data update

uxs-data is the canonical UAS dataset. Updates happen periodically. A public `/diff/<timestamp>` page showing what records were added/changed/removed builds trust and helps consumers (wiki, signal-bot) handle migrations.

uxs-portal (1)

L · 200 pts uxs-portal

#45 · Migrate auth to Authentik OIDC PKCE via @irregularchat/shared-utils

UXS Portal pre-dates the shared-utils package. Per the README "refactor backlog" and the monorepo direction, migrate auth to the same OIDC PKCE flow used by every other Worker (task-exchange, fieldnotes, etc.). Removes a divergent auth path.