Submit a merge request that closes this issue to earn points on merge — bounties stack on the standard +40 merge_pr award. New to the repo? See the Contributing guide, and Local Development & SSO to run the app locally (cp .dev.vars.example .dev.vars && pnpm dev, after rebasing on main) and fully test your change before opening the MR.

Description

Context

Security findings come in via /contribute#report-bug and stay confidential through triage and patching. Today there's no path to make them public after a reasonable embargo. Best practice (Bugcrowd, HackerOne, Google VRP) is to disclose patched findings after a window (typically 30 or 90 days) to (a) give credit publicly to the reporter, (b) educate the community about the class of bug, (c) build program credibility.

Acceptance criteria

  • [ ] Admin can mark an award_request with source='bug_report' as patched (new column patched_at TEXT NULL on award_requests, set via /admin button)
  • [ ] Cron job (daily): for any award_request where status='approved' AND source='bug_report' AND patched_at IS NOT NULL AND datetime('now') > datetime(patched_at, '+30 days'), AND there's no GitLab issue linked yet:
  • Generate a sanitized public summary (title, severity, affected service, brief description, reporter credit if leaderboard_visible=1)
  • Create a public GitLab issue under app:scoreboard,security,security:<tier>,disclosed
  • Update the row with the new disclosed_iid INTEGER NULL so we don't re-disclose
  • [ ] Sanitization step strips: PoC, exact payloads, file paths, IP addresses, URLs containing query strings. Keeps: title (admin can rewrite via review_note), severity, affected_service, generic description.
  • [ ] Admin UI on /admin/security shows "Pending disclosure (post-embargo)" so admin can preview/edit before the cron creates the issue, OR opt to mark the row disclosure_skip=1
  • [ ] Reporter is notified via Signal (if linked) when their finding is publicly disclosed

Technical hints

  • New migration adds patched_at, disclosed_iid, disclosure_skip columns
  • Cron schedule: [triggers] crons = ["0 5 * * *"] daily at 05:00 UTC (after the existing 04:00 weekly rollup)
  • GitLab create-issue requires api scope on GITLAB_API_TOKEN (already has it)
  • Use the same admin-comment pattern from webhook.ts postMrMissComment for the bot Signal notification

Embargo length

30 days is a reasonable default. Admin can extend per-finding by editing patched_at in D1 directly. Don't make it configurable in UI yet — KISS.

--- *M-tier bounty (100 pts + 40 merge_pr = 140). Touches D1 schema, /admin UI, cron, GitLab API, and notification — solid mid-size feature.*

Relevant files

No relevant files linked yet.

Hints

No hints yet.

Activity

No points have been awarded for this bounty yet.

Comments

No comments yet. Be the first to weigh in.

↑ Top