#106 · Hardcoded secret / API key in repo or logs
+240 pts awarded
View on GitLab
Description
Any production API key, JWT signing key, OIDC client secret, database credential, or webhook token committed to the repo, logged to stdout, or exposed in error responses.
What to grep for
git log -pfor old commits that may have introduced + reverted a secret (still in history)- Patterns:
Bearer,glpat-,xsmtpsib-,$6$,eyJ(JWT),-----BEGIN,password=,api_key= wrangler.toml [vars]blocks (secrets should bewrangler secret put).env.examplefiles — should be templates only- Error responses — does the worker echo
process.envkeys? - CI logs — does the GitLab pipeline print env in any job?
Reward weighted by impact
- Test/dev key on a non-production service → low/medium
- Production API key still valid → high or critical depending on what it unlocks
--- *This is NOT a normal bounty. Do not post a public PoC or a public PR demonstrating the vulnerability. Submit findings via the bug-report form at https://score.irregulars.io/contribute#report-bug, or email security@irregularchat.com, or DM an admin on Signal. Awards are admin-determined based on impact: low=50 / medium=150 / high=300 / critical=500 / rce=750.*
Relevant files
No relevant files linked yet.
Hints
No hints yet.
Activity
- +150 sac earned security medium Jun 20
Comments
Sign in to join the discussion.
No comments yet. Be the first to weigh in.