#105 · Webhook signature bypass / scoreboard double-award
+440 pts on merge
Claim on GitLab
Submit a merge request that closes this issue to earn points on merge — bounties stack on the standard
+40 merge_pr award. New to the repo? See the
Contributing guide,
and Local Development & SSO
to run the app locally (
cp .dev.vars.example .dev.vars && pnpm dev, after rebasing on main) and fully test your change before opening the MR.
Description
The scoreboard accepts awards via two paths: (1) GitLab MR webhook, (2) the bot API. Both rely on shared secrets / API keys. Any way to mint awards without the secret, or to bypass the unique idempotency index, qualifies.
Likely surfaces
apps/scoreboard/src/api/webhook.ts—crypto.subtle.timingSafeEqualusage, edge cases in token comparison- The unique index
idx_point_events_sourceon(source_service, source_id)— can you craftsource_idcollisions across services? - Race conditions in
INSERT OR IGNORE+ counter increment (see also: idempotency rollback race inaward.ts) - The new
/contribute/claimendpoint — can you self-award an MR you didn't author?
Includes
- Replays of webhook payloads with
Replay-Tolerancewindow abuse - Pulling a copy of
GITLAB_WEBHOOK_SECRETfrom any side channel
--- *This is NOT a normal bounty. Do not post a public PoC or a public PR demonstrating the vulnerability. Submit findings via the bug-report form at https://score.irregulars.io/contribute#report-bug, or email security@irregularchat.com, or DM an admin on Signal. Awards are admin-determined based on impact: low=50 / medium=150 / high=300 / critical=500 / rce=750.*
Relevant files
No relevant files linked yet.
Hints
No hints yet.
Activity
No points have been awarded for this bounty yet.
Comments
Sign in to join the discussion.
No comments yet. Be the first to weigh in.