Submit a merge request that closes this issue to earn points on merge — bounties stack on the standard +40 merge_pr award. New to the repo? See the Contributing guide, and Local Development & SSO to run the app locally (cp .dev.vars.example .dev.vars && pnpm dev, after rebasing on main) and fully test your change before opening the MR.

Description

The scoreboard accepts awards via two paths: (1) GitLab MR webhook, (2) the bot API. Both rely on shared secrets / API keys. Any way to mint awards without the secret, or to bypass the unique idempotency index, qualifies.

Likely surfaces

  • apps/scoreboard/src/api/webhook.tscrypto.subtle.timingSafeEqual usage, edge cases in token comparison
  • The unique index idx_point_events_source on (source_service, source_id) — can you craft source_id collisions across services?
  • Race conditions in INSERT OR IGNORE + counter increment (see also: idempotency rollback race in award.ts)
  • The new /contribute/claim endpoint — can you self-award an MR you didn't author?

Includes

  • Replays of webhook payloads with Replay-Tolerance window abuse
  • Pulling a copy of GITLAB_WEBHOOK_SECRET from any side channel

--- *This is NOT a normal bounty. Do not post a public PoC or a public PR demonstrating the vulnerability. Submit findings via the bug-report form at https://score.irregulars.io/contribute#report-bug, or email security@irregularchat.com, or DM an admin on Signal. Awards are admin-determined based on impact: low=50 / medium=150 / high=300 / critical=500 / rce=750.*

Relevant files

No relevant files linked yet.

Hints

No hints yet.

Activity

No points have been awarded for this bounty yet.

Comments

No comments yet. Be the first to weigh in.

↑ Top