Submit a merge request that closes this issue to earn points on merge — bounties stack on the standard +40 merge_pr award. New to the repo? See the Contributing guide, and Local Development & SSO to run the app locally (cp .dev.vars.example .dev.vars && pnpm dev, after rebasing on main) and fully test your change before opening the MR.

Description

Program

The IrregularChat scoreboard now pays points for accepted security findings against any community service. Findings are submitted privately, triaged by an admin, and points awarded based on severity. This is the canonical reference — every other security: issue points back here.

In scope

Any IrregularChat community service:

  • Apps in this monorepo (signal-bot, simplex-bot, scoreboard, task-exchange, teamco, fieldnotes, event-service, career-board, community-portal, search-service, tak-service, developer-portal, wiki, qa-form, rss-reader, uxs-data, uxs-portal)
  • Self-hosted infrastructure (Authentik, GitLab, Matrix, MinIO, Outline, etc.)
  • The webhook + auto-award pipeline at score.irregulars.io
  • Public domains: irregulars.io, *.irregulars.io, irregularpedia.org, git.irregularchat.com

Out of scope

  • Social engineering against community members
  • DoS / volumetric attacks (rate-limit testing is fine; sustained DoS is not)
  • Findings on third-party services we don't control
  • Self-XSS that requires the victim to paste payloads into their own console
  • Password / credential stuffing against accounts you don't own
  • Findings already known and tracked in another security: issue (we'll link)

Severity rubric

| Tier | Points | Examples | |---|---|---| | low | 50 | Cosmetic info disclosure, harmless open redirect, missing security headers on non-auth pages, version disclosure | | medium | 150 | CSRF on state-changing endpoints, low-privilege XSS, idempotency bypass to double-award points, IDOR exposing low-sensitivity data | | high | 300 | Authentication bypass on a non-admin route, SSRF without RCE, hardcoded secret in repo, read-only SQL injection, IDOR exposing PII | | critical | 500 | Authentication bypass to admin, mutating SQL injection, key disclosure that exposes user data, webhook signature bypass, account takeover, privilege escalation | | rce | 750 | Remote code/command execution, sandbox escape, container escape, deserialization → RCE |

Higher-impact variants of any of the above can be boosted via admin_award at admin discretion (max +500 on top).

How to submit

  1. Login to score.irregulars.io with your IrregularChat SSO
  2. Open https://score.irregulars.io/contribute#report-bug
  3. Fill in title (don't include sensitive details), severity, affected service
  4. Paste the description and proof-of-concept in the form
  5. Submit. The report goes into a private admin queue at /admin

Alternative channels:

  • Email security@irregularchat.com
  • Signal DM to a known admin

DO NOT open a public GitLab issue with PoC, paste payloads in public Signal channels, or share findings with non-admins before they're patched.

Safe harbor

Good-faith research with these constraints will not be reported or pursued:

  • Don't access data beyond what's necessary to demonstrate the issue
  • Don't degrade service availability for other users
  • Stop at proof of concept — don't pivot, don't persist
  • Give us a reasonable window to patch before disclosing publicly (90 days, negotiable)
  • Don't violate applicable laws

Reward timing

  • Triage: typically 1–7 days
  • Award: on confirmation + after patch is shipped (or after 90 days if we haven't shipped)
  • Disclosure: by mutual agreement, typically 30 days post-patch

Per-class targets

The other security: labeled issues describe specific vulnerability classes we're explicitly hunting for. They're prompts, not exhaustive — anything in scope earns points if accepted.

--- *This is NOT a normal bounty. Do not post a public PoC or a public PR demonstrating the vulnerability. Submit findings via the bug-report form at https://score.irregulars.io/contribute#report-bug, or email security@irregularchat.com, or DM an admin on Signal. Awards are admin-determined based on impact: low=50 / medium=150 / high=300 / critical=500 / rce=750.*

Relevant files

No relevant files linked yet.

Hints

No hints yet.

Activity

No points have been awarded for this bounty yet.

Comments

No comments yet. Be the first to weigh in.

↑ Top