Submit a merge request that closes this issue to earn points on merge — bounties stack on the standard +40 merge_pr award. New to the repo? See the Contributing guide, and Local Development & SSO to run the app locally (cp .dev.vars.example .dev.vars && pnpm dev, after rebasing on main) and fully test your change before opening the MR.

Description

The award system relies on a unique index on (source_service, source_id). Any way to bypass it qualifies.

Likely surfaces

  • Race conditions in INSERT OR IGNORE + counter increment in apps/scoreboard/src/api/award.ts
  • Crafted source_id values that exploit SQLite collation differences (NOCASE vs default)
  • Webhook replay with subtly different MR IDs
  • The first:<user_id> idempotency key — can you trigger another first_contribution for yourself?
  • The bug_report:<request_id> source_id — collision possible if request_id wraps?

What qualifies

  • Demonstrate two point_events rows with the same logical "thing" awarding twice
  • Or a way to negate someone else's points (revoke a row you didn't earn)

--- *This is NOT a normal bounty. Do not post a public PoC or a public PR demonstrating the vulnerability. Submit findings via the bug-report form at https://score.irregulars.io/contribute#report-bug, or email security@irregularchat.com, or DM an admin on Signal. Awards are admin-determined based on impact: low=50 / medium=150 / high=300 / critical=500 / rce=750.*

Relevant files

No relevant files linked yet.

Hints

No hints yet.

Activity

No points have been awarded for this bounty yet.

Comments

No comments yet. Be the first to weigh in.

↑ Top