57open
56unclaimed
7575points up for grabs
XS · 25 S · 50 M · 100 L · 200 XL · 400

bcw-mcp (1)

S · 50 pts bcw-mcp

#47 · Add `bcw_search` tool to find BCTs by free-text description

Today the BCW MCP exposes the canon and recommendations but a user has to know which BCT they want. A simple text-search tool over BCT names and descriptions makes the canon discoverable.

career-board (2)

M · 100 pts career-board

#31 · Salary range field + filter (with member opt-out)

Job posts have title/description but no structured salary. Members can't filter by compensation. Add a typed salary range with sane filtering and let posters opt out (some military/contracting roles can't disclose).

S · 50 pts career-board

#32 · OPSEC screenshot redaction — auto-blur job poster's name in shareable images

There's already an OPSEC-SCREENSHOT-PROTECTION.md file in `apps/career-board/docs/`. The implementation is missing. Generate `share-image` for a job post that blurs/anonymizes the poster's name.

developer-portal (1)

M · 100 pts developer-portal

#38 · Generate per-app API client snippets from wrangler.toml routes

Developers don't know what endpoints each Worker exposes without reading source. Build a tool that ingests each app's `wrangler.toml` and source files and emits a one-page API reference with copy-paste TypeScript / curl examples.

event-service (2)

M · 100 pts event-service

#28 · iCal feed per-user (`/ical/<token>.ics`) for personal calendar sync

Members RSVP to events but can't easily get them in Apple/Google Calendar. A signed iCal feed token lets users subscribe to their own events.

S · 50 pts event-service

#29 · Award `share_event` points when an event is forwarded via Signal bot

`share_event` is in the scoreboard CHECK constraint (5 pts) but no service awards it. Wire event-service to the bot's `!share` path so members get credit for amplifying events.

fieldnotes (2)

M · 100 pts fieldnotes

#26 · Article scheduled publishing — submit now, publish at future date

Authors should be able to draft an article and schedule it to publish at a specific time (newsletter cadence, embargoed announcements, weekend publishing).

S · 50 pts fieldnotes

#27 · Daily Signal bot announcement of new published articles

When new articles publish, push them to the Signal community. Today members have to remember to check fieldnotes.irregulars.io.

rss-reader (1)

S · 50 pts rss-reader

#43 · OPML import/export so users can move feeds in/out

Standard feature for any RSS reader. Lets users seed the community reader from their existing client and bail out if needed.

scoreboard (16)

XL · 400 pts scoreboard

#50 · Single sign-on session sharing across all 12 Workers via shared cookie domain

Every Worker has its own session cookie scoped to its subdomain. Members log in to scoreboard, then log in *again* to portal, *again* to events… Painful and breaks the "one community" feel.

XL · 400 pts scoreboard

#102 · RCE / command injection in any service

Any path that lets an attacker execute arbitrary code or shell commands on a worker, container, or host. Highest priority class.

XL · 400 pts scoreboard

#104 · Authentication bypass / session-token forgery

Any way to act as another user without their credentials, OR to elevate privileges to admin without admin-level OIDC claims.

XL · 400 pts scoreboard

#105 · Webhook signature bypass / scoreboard double-award

The scoreboard accepts awards via two paths: (1) GitLab MR webhook, (2) the bot API. Both rely on shared secrets / API keys. Any way to mint awards without the secret, or to bypass the unique idempotency index, qualifies.

L · 200 pts scoreboard

#101 · Bug Bounty Program — purple team rewards for security findings

The IrregularChat scoreboard now pays points for accepted security findings against any community service. Findings are submitted privately, triaged by an admin, and points awarded based on severity. This is the canonical reference — every other `security:` issue points back here…

L · 200 pts scoreboard

#103 · SQL injection in any D1 / PostgreSQL query

Any query that interpolates user input as a string instead of using a parameterized placeholder. D1 must use `.bind()`; PostgreSQL on signal-bot must use parameterized clients.

L · 200 pts scoreboard

#108 · SSRF (server-side request forgery) in any worker

Any worker endpoint that fetches a URL the client controls. The new `/contribute/claim` was designed defensively (no fetch of user URL) but other paths may not be.

L · 200 pts scoreboard

#110 · IDOR / privilege escalation via predictable IDs

Any endpoint that returns or mutates data keyed on a user-supplied ID without verifying the requesting user owns that ID.

M · 100 pts scoreboard

#107 · Cross-site scripting (XSS) in any rendered template

Any user-provided string rendered into HTML without `escapeHtml`, or any `innerHTML` / `dangerouslySetInnerHTML` with attacker-controlled content.

M · 100 pts scoreboard

#109 · CSRF on any state-changing endpoint

Any POST endpoint that modifies state without checking session origin. Workers don't get CSRF protection by default; if the auth is just a session cookie + the endpoint has no Origin/Referer check or CSRF token, it's exploitable.

M · 100 pts scoreboard

#111 · Idempotency abuse to double-award points

The award system relies on a unique index on `(source_service, source_id)`. Any way to bypass it qualifies.

M · 100 pts scoreboard

#113 · Auto-disclose patched security findings after 30-day embargo

Security findings come in via `/contribute#report-bug` and stay confidential through triage and patching. Today there's no path to make them public after a reasonable embargo. Best practice (Bugcrowd, HackerOne, Google VRP) is to disclose patched findings after a window (typicall…

M · 100 pts scoreboard

#114 · Signal bot `!reportbug` command — DM intake for security findings

The bug-report intake at `/contribute#report-bug` requires opening a browser, logging in, filling a form. For power users (especially when reporting from mobile during a security poke session) a Signal bot command is dramatically lower friction. The bot already has 100+ commands …

S · 50 pts scoreboard

#19 · Surface user's lifetime bounty count + total bounty points on profile

Profile page shows points/badges but not bounty-specific stats. Add a "Bounties claimed" widget so contributors can show off their PR work.

S · 50 pts scoreboard

#112 · Admin security findings dashboard + public stats page

Admins reviewing security findings can approve them via /admin's award request queue, but there's no transparency view showing how many findings have been accepted by tier, who's earned them, or aggregate program activity. This makes it hard to (a) communicate program traction to…

XS · 25 pts scoreboard

#20 · Add /bounties to the mobile bottom nav

/bounties is in the desktop nav and dropdown but missing from `buildBottomNav` in the mobile layout. Easy fix.

search-service (1)

L · 200 pts search-service

#35 · Federate search across wiki, Q&A, field notes, and bounties (single result page)

Today search-service fronts SearXNG (web search). Internal community content (wiki, Q&A, articles, bounties) lives in scattered indexes. A unified result page that interleaves results from each surface would massively improve discoverability — this is the *direction* hinted at by…

signal-bot (6)

L · 200 pts signal-bot

#14 · Multi-tenant config: load tenant-specific env from `tenants/<id>/.env`

Forks of the bot can't easily run multiple Signal accounts on one host. A multi-tenant layout (`tenants/<tenant_id>/.env`, `tenants/<tenant_id>/state/`) would let one container serve N communities with isolated state, sharing only the binary. This is foundational for the fork-fri…

M · 100 pts signal-bot

#13 · Add !bounty command to surface open feature bounties in Signal

The community-facing bot should surface open bounties so contributors can claim them without leaving Signal. Today, bounties live only on score.irregulars.io and GitLab — adding a `!bounty` command closes that loop and brings the bot ↔ scoreboard parity in line with `!jobs`, `!ev…

M · 100 pts signal-bot

#119 · Test coverage: !summarize and !rollup handlers

`handleSummarize` (567 lines, ~5 distinct content pipelines: PDF, YouTube, social video, HTML, plain text) and `handleRollup` (~300 lines, 8 stat queries + Outline doc) have **zero test coverage** in `apps/signal-bot/src/tests/`. The only handler test is `bcw.command.test.ts`. Re…

In progress: Raymond Huff
M · 100 pts signal-bot

#120 · Refactor: share community-rollup logic between !rollup --full and 02:00 cron

Two implementations of "build a 7-day community rollup → publish to Outline" exist in the signal-bot:

S · 50 pts signal-bot

#15 · Show bot's own scoreboard rank in `!score` output

`!score` already returns a member's points. Add a one-liner showing the bot's leaderboard rank within the community to drive engagement ("You're #14 of 312, 280 points behind #13").

? · 0 pts signal-bot

#147 · Community rollup Outline doc retention (update-in-place or monthly archival)

Part A of #123 (part B — the `outline_url` nullable schema fix — shipped in !29). This tracks the **Outline doc retention** half, which is a behavior change and needs a strategy decision, so it was split out.

simplex-bot (8)

L · 200 pts simplex-bot

#167 · SimpleX full Q&A lifecycle + question-reminder scheduler

SimpleX has `!question`/`!answer`/`!questions`/`!vote`. Missing the resolution, clarification, and cross-group verbs — and the scheduler that DMs askers about unsolved questions.

M · 100 pts simplex-bot

#16 · Port `!bounty`, `!score`, `!leaderboard` commands from Signal bot

SimpleX bot is being built as a port of the Signal bot. Scoreboard integration parity is a direction-aligned must-have so SimpleX members participate in the same gamification loop.

M · 100 pts simplex-bot

#162 · SimpleX admin user lifecycle: !gtg !pending !remove !reactivate

SimpleX has `!account`/`!audit` but no member-approval workflow.

M · 100 pts simplex-bot

#163 · SimpleX group admin lifecycle: !addgroup !removegroup !groupdestroy !refreshgroups + categories

SimpleX lists/creates/joins/adds-to groups but lacks admin listing management.

M · 100 pts simplex-bot

#164 · SimpleX dormant-member tracking !dormant + hourly auto-removal scheduler

Signal tracks inactivity tiers and auto-removes 90+-day-silent members hourly. SimpleX has neither.

M · 100 pts simplex-bot

#165 · SimpleX onboarding drip DMs + !req/!vouch + !leave

Signal runs a 5-DM drip over 6 days for fresh linkers plus intro-template commands. SimpleX has `!request`/`!invite` but no drip and no `!leave`.

M · 100 pts simplex-bot

#169 · SimpleX /api/event-announce + /api/job-announce receivers + safety-net poller

Workers push announcements to the bot via webhooks, backed by a poller that catches missed deliveries (a fire-and-forget webhook alone silently dropped Signal event broadcasts for 36 days once). SimpleX's express app exposes only `/health`.

S · 50 pts simplex-bot

#17 · Add `isScoreboardConfigured()` guard and graceful fallback

Per the bot-utils convention, every external service client should have an `is*Configured()` guard. SimpleX bot needs one for scoreboard so forks without a scoreboard get a clean "This server doesn't have points enabled" instead of a stack trace.

tak-service (1)

M · 100 pts tak-service

#36 · Geofence triggers — fire webhook when a marker enters/exits a region

TAK already tracks markers (positions). Adding geofences (named polygons stored in D1) and emitting webhooks on enter/exit makes the service useful for transport runs, perimeter alerts, training events.

task-exchange (2)

L · 200 pts task-exchange

#23 · Reputation decay: weekly cron drops idle reputation by 1%

Reputation should reflect recent activity, not lifetime hoarding. A small weekly decay (1% of reputation if user had no activity that week) keeps the leaderboard fresh and aligned with the scoreboard's existing weekly/monthly periods.

M · 100 pts task-exchange

#21 · Auto-create a Task Exchange task when a feature bounty is opened

Bounties are GitLab issues. Tasks are reputation-currency items. Today they're disconnected. Wiring them together means contributors who find a bounty can also see it in `task.irregulars.io` with the points pre-set, and Task Exchange's escrow/reputation can layer on top of GitLab…

teamco (1)

M · 100 pts teamco

#24 · Award scoreboard points when a transport run completes

TeamCO has playbooks and transport runs but no scoreboard integration. Completing a run or coordinating a workspace is high-value community contribution and should earn points like every other action.

uxs-data (1)

M · 100 pts uxs-data

#44 · Public diff viewer — show what changed in last UAS data update

uxs-data is the canonical UAS dataset. Updates happen periodically. A public `/diff/<timestamp>` page showing what records were added/changed/removed builds trust and helps consumers (wiki, signal-bot) handle migrations.

uxs-portal (1)

L · 200 pts uxs-portal

#45 · Migrate auth to Authentik OIDC PKCE via @irregularchat/shared-utils

UXS Portal pre-dates the shared-utils package. Per the README "refactor backlog" and the monorepo direction, migrate auth to the same OIDC PKCE flow used by every other Worker (task-exchange, fieldnotes, etc.). Removes a divergent auth path.

wiki (11)

L · 200 pts wiki

#61 · Wiki page: GI Bill Complete Guide

A community-identified content gap on Irregularpedia. Listed at https://irregularpedia.org/community/wanted-pages/.

L · 200 pts wiki

#62 · Wiki page: VA Claims Process

A community-identified content gap on Irregularpedia. Listed at https://irregularpedia.org/community/wanted-pages/.

L · 200 pts wiki

#63 · Wiki page: MOS to Civilian Translation

A community-identified content gap on Irregularpedia. Listed at https://irregularpedia.org/community/wanted-pages/.

L · 200 pts wiki

#72 · Wiki page: SOC Tooling Overview

A community-identified content gap on Irregularpedia. Listed at https://irregularpedia.org/community/wanted-pages/.

L · 200 pts wiki

#86 · Wiki page: Kubernetes Setup

A community-identified content gap on Irregularpedia. Listed at https://irregularpedia.org/community/wanted-pages/.

M · 100 pts wiki

#64 · Wiki page: Transition Timeline & Checklist

A community-identified content gap on Irregularpedia. Listed at https://irregularpedia.org/community/wanted-pages/.

M · 100 pts wiki

#65 · Wiki page: Security Clearance Guide

A community-identified content gap on Irregularpedia. Listed at https://irregularpedia.org/community/wanted-pages/.

M · 100 pts wiki

#66 · Wiki page: OCONUS Transition Resources

A community-identified content gap on Irregularpedia. Listed at https://irregularpedia.org/community/wanted-pages/.

M · 100 pts wiki

#68 · Wiki page: Veteran Benefits Overview

A community-identified content gap on Irregularpedia. Listed at https://irregularpedia.org/community/wanted-pages/.

S · 50 pts wiki

#40 · Auto-generate "Recent commits to this page" footer from GitLab API

Wiki shows lastUpdated date but not who/why. Add a small "Recent changes" widget under each page that lists the last 5 commits to that file.

S · 50 pts wiki

#67 · Wiki page: Reserve & Guard Transition

A community-identified content gap on Irregularpedia. Listed at https://irregularpedia.org/community/wanted-pages/.

How to claim a bounty

First time? Get set up

  1. Sign in to git.juntogroups.org with your IrregularChat SSO.
  2. Create a Personal Access Token (PAT) at Settings → Access Tokens with the write_repository scope. You'll use it as your password when cloning/pushing over HTTPS.
  3. Clone the repo: git clone https://git.juntogroups.org/irregulars/irregularchat-monorepo.git
  4. On your Scoreboard profile, set your GitLab username so merges auto-credit you, and link your Signal account (+50 pts on first link).

Claim a bounty

  1. Pick an unclaimed issue and comment /assign me on GitLab.
  2. Branch off main, implement the feature against the acceptance criteria.
  3. Test it locally before opening the MR: after rebasing on main, run cp .dev.vars.example .dev.vars && pnpm dev from the app dir (→ localhost:8787) and verify against the acceptance criteria. SSO login works with no secret — full walkthrough: Local Development & SSO.
  4. Open a merge request with Closes #<iid> in the description.
  5. On merge to main, the GitLab webhook auto-awards your points and announces it to the community.

The card shows the bounty tier · merge_pr (+40) is awarded on top. Additional bonuses stack automatically:

  • +10 wiki_edit if the MR touches apps/wiki/src/content/docs/**
  • +50 first_contribution on your first ever merged PR (one-time)

Points land when your GitLab username (set on your profile) or commit email matches your Scoreboard account. For the full walkthrough see the Contributing guide, or recover a missed award at /contribute/claim.

↑ Top