Description

Any production API key, JWT signing key, OIDC client secret, database credential, or webhook token committed to the repo, logged to stdout, or exposed in error responses.

What to grep for

  • git log -p for old commits that may have introduced + reverted a secret (still in history)
  • Patterns: Bearer , glpat-, xsmtpsib-, $6$, eyJ (JWT), -----BEGIN, password=, api_key=
  • wrangler.toml [vars] blocks (secrets should be wrangler secret put)
  • .env.example files — should be templates only
  • Error responses — does the worker echo process.env keys?
  • CI logs — does the GitLab pipeline print env in any job?

Reward weighted by impact

  • Test/dev key on a non-production service → low/medium
  • Production API key still valid → high or critical depending on what it unlocks

--- *This is NOT a normal bounty. Do not post a public PoC or a public PR demonstrating the vulnerability. Submit findings via the bug-report form at https://score.irregulars.io/contribute#report-bug, or email security@irregularchat.com, or DM an admin on Signal. Awards are admin-determined based on impact: low=50 / medium=150 / high=300 / critical=500 / rce=750.*

Relevant files

No relevant files linked yet.

Hints

No hints yet.

Activity

  • +150 sac earned security medium Jun 20

Comments

No comments yet. Be the first to weigh in.

↑ Top