#113 · Auto-disclose patched security findings after 30-day embargo
cp .dev.vars.example .dev.vars && pnpm dev, after rebasing on main) and fully test your change before opening the MR.
Description
Context
Security findings come in via /contribute#report-bug and stay confidential through triage and patching. Today there's no path to make them public after a reasonable embargo. Best practice (Bugcrowd, HackerOne, Google VRP) is to disclose patched findings after a window (typically 30 or 90 days) to (a) give credit publicly to the reporter, (b) educate the community about the class of bug, (c) build program credibility.
Acceptance criteria
- [ ] Admin can mark an
award_requestwithsource='bug_report'as patched (new columnpatched_at TEXT NULLonaward_requests, set via /admin button) - [ ] Cron job (daily): for any
award_requestwherestatus='approved' AND source='bug_report' AND patched_at IS NOT NULL AND datetime('now') > datetime(patched_at, '+30 days'), AND there's no GitLab issue linked yet: - Generate a sanitized public summary (title, severity, affected service, brief description, reporter credit if
leaderboard_visible=1) - Create a public GitLab issue under
app:scoreboard,security,security:<tier>,disclosed - Update the row with the new
disclosed_iid INTEGER NULLso we don't re-disclose - [ ] Sanitization step strips: PoC, exact payloads, file paths, IP addresses, URLs containing query strings. Keeps: title (admin can rewrite via review_note), severity, affected_service, generic description.
- [ ] Admin UI on
/admin/securityshows "Pending disclosure (post-embargo)" so admin can preview/edit before the cron creates the issue, OR opt to mark the rowdisclosure_skip=1 - [ ] Reporter is notified via Signal (if linked) when their finding is publicly disclosed
Technical hints
- New migration adds
patched_at,disclosed_iid,disclosure_skipcolumns - Cron schedule:
[triggers] crons = ["0 5 * * *"]daily at 05:00 UTC (after the existing 04:00 weekly rollup) - GitLab create-issue requires
apiscope onGITLAB_API_TOKEN(already has it) - Use the same admin-comment pattern from
webhook.tspostMrMissCommentfor the bot Signal notification
Embargo length
30 days is a reasonable default. Admin can extend per-finding by editing patched_at in D1 directly. Don't make it configurable in UI yet — KISS.
--- *M-tier bounty (100 pts + 40 merge_pr = 140). Touches D1 schema, /admin UI, cron, GitLab API, and notification — solid mid-size feature.*
Relevant files
No relevant files linked yet.
Hints
No hints yet.
Activity
No points have been awarded for this bounty yet.
Comments
Sign in to join the discussion.
No comments yet. Be the first to weigh in.