#101 · Bug Bounty Program — purple team rewards for security findings
cp .dev.vars.example .dev.vars && pnpm dev, after rebasing on main) and fully test your change before opening the MR.
Description
Program
The IrregularChat scoreboard now pays points for accepted security findings against any community service. Findings are submitted privately, triaged by an admin, and points awarded based on severity. This is the canonical reference — every other security: issue points back here.
In scope
Any IrregularChat community service:
- Apps in this monorepo (signal-bot, simplex-bot, scoreboard, task-exchange, teamco, fieldnotes, event-service, career-board, community-portal, search-service, tak-service, developer-portal, wiki, qa-form, rss-reader, uxs-data, uxs-portal)
- Self-hosted infrastructure (Authentik, GitLab, Matrix, MinIO, Outline, etc.)
- The webhook + auto-award pipeline at score.irregulars.io
- Public domains:
irregulars.io,*.irregulars.io,irregularpedia.org,git.irregularchat.com
Out of scope
- Social engineering against community members
- DoS / volumetric attacks (rate-limit testing is fine; sustained DoS is not)
- Findings on third-party services we don't control
- Self-XSS that requires the victim to paste payloads into their own console
- Password / credential stuffing against accounts you don't own
- Findings already known and tracked in another
security:issue (we'll link)
Severity rubric
| Tier | Points | Examples | |---|---|---| | low | 50 | Cosmetic info disclosure, harmless open redirect, missing security headers on non-auth pages, version disclosure | | medium | 150 | CSRF on state-changing endpoints, low-privilege XSS, idempotency bypass to double-award points, IDOR exposing low-sensitivity data | | high | 300 | Authentication bypass on a non-admin route, SSRF without RCE, hardcoded secret in repo, read-only SQL injection, IDOR exposing PII | | critical | 500 | Authentication bypass to admin, mutating SQL injection, key disclosure that exposes user data, webhook signature bypass, account takeover, privilege escalation | | rce | 750 | Remote code/command execution, sandbox escape, container escape, deserialization → RCE |
Higher-impact variants of any of the above can be boosted via admin_award at admin discretion (max +500 on top).
How to submit
- Login to score.irregulars.io with your IrregularChat SSO
- Open https://score.irregulars.io/contribute#report-bug
- Fill in title (don't include sensitive details), severity, affected service
- Paste the description and proof-of-concept in the form
- Submit. The report goes into a private admin queue at /admin
Alternative channels:
- Email
security@irregularchat.com - Signal DM to a known admin
DO NOT open a public GitLab issue with PoC, paste payloads in public Signal channels, or share findings with non-admins before they're patched.
Safe harbor
Good-faith research with these constraints will not be reported or pursued:
- Don't access data beyond what's necessary to demonstrate the issue
- Don't degrade service availability for other users
- Stop at proof of concept — don't pivot, don't persist
- Give us a reasonable window to patch before disclosing publicly (90 days, negotiable)
- Don't violate applicable laws
Reward timing
- Triage: typically 1–7 days
- Award: on confirmation + after patch is shipped (or after 90 days if we haven't shipped)
- Disclosure: by mutual agreement, typically 30 days post-patch
Per-class targets
The other security: labeled issues describe specific vulnerability classes we're explicitly hunting for. They're prompts, not exhaustive — anything in scope earns points if accepted.
--- *This is NOT a normal bounty. Do not post a public PoC or a public PR demonstrating the vulnerability. Submit findings via the bug-report form at https://score.irregulars.io/contribute#report-bug, or email security@irregularchat.com, or DM an admin on Signal. Awards are admin-determined based on impact: low=50 / medium=150 / high=300 / critical=500 / rce=750.*
Relevant files
No relevant files linked yet.
Hints
No hints yet.
Activity
No points have been awarded for this bounty yet.
Comments
Sign in to join the discussion.
No comments yet. Be the first to weigh in.