#114 · Signal bot `!reportbug` command — DM intake for security findings
+140 pts on merge
Claim on GitLab
Submit a merge request that closes this issue to earn points on merge — bounties stack on the standard
+40 merge_pr award. New to the repo? See the
Contributing guide,
and Local Development & SSO
to run the app locally (
cp .dev.vars.example .dev.vars && pnpm dev, after rebasing on main) and fully test your change before opening the MR.
Description
Context
The bug-report intake at /contribute#report-bug requires opening a browser, logging in, filling a form. For power users (especially when reporting from mobile during a security poke session) a Signal bot command is dramatically lower friction. The bot already has 100+ commands and existing scoreboard integration via BOT_API_KEY.
Acceptance criteria
- [ ] New bot command
!reportbug(or!bug) — DM-only (refuses in groups for confidentiality) - [ ] Conversational flow:
- User:
!reportbug - Bot: "Severity? (low/medium/high/critical/rce/unknown)"
- User:
medium - Bot: "Affected service? (signal-bot/scoreboard/wiki/...)"
- User:
scoreboard - Bot: "Title (one line):"
- User:
IDOR on /profile/<userId> - Bot: "Describe the bug. End with a line containing only
END." - User: (multi-line description, ends with
END) - Bot: "Optional: PoC / repro steps. End with
ENDorskip." - User: ...
- Bot: "Submitted as request #234. An admin will review within a few days. https://score.irregulars.io/profile to track."
- [ ] Bot calls
POST https://score.irregulars.io/contribute/report-bugwithBOT_API_KEYheader (the scoreboard endpoint must be extended to accept bot-API-key auth in addition to session auth — see related work) - [ ] User identity resolved via Signal UUID →
users.signal_uuid→ user_id - [ ] If user not linked: bot prompts them to link via
/linkfirst (existing flow) - [ ] Conversation state stored in Redis with 10-min TTL (state machine: severity → affected → title → description → poc → confirm)
Technical hints
- Pattern reference: existing
apps/signal-bot/src/src/commands/score-command.tsfor the scoreboard API call - State machine pattern: look at
apps/signal-bot/src/src/commands/breakout-command.ts(multi-step interactive) - Scoreboard endpoint
/contribute/report-bugcurrently only accepts session auth — needs a parallel auth path:Authorization: Bearer ${BOT_API_KEY}+X-Signal-UUID: <uuid>resolves to user via the lookup - DM-only enforcement: check
message.groupIdis null
Why this matters
- The current web form requires an SSO session — useless on a tablet during travel, slow on mobile
- Power users will report 5-10x more findings if the friction is one DM
- Signal is the community's primary surface; the bot already has trust
--- *M-tier bounty (100 pts + 40 merge_pr = 140). Touches signal-bot + scoreboard, plus a small auth extension. Could be split into two MRs (auth extension first, then bot command) if a contributor prefers.*
Relevant files
No relevant files linked yet.
Hints
No hints yet.
Activity
No points have been awarded for this bounty yet.
Comments
Sign in to join the discussion.
No comments yet. Be the first to weigh in.