SecureBananaLabs/bug-bounty: Bug: user creation accepts empty payloads and client-controlled ids

Original issue: https://github.com/SecureBananaLabs/bug-bounty/issues/1766
Bounty (amount on the issue).

## Description

The `/api/users` creation path accepts arbitrary request bodies and forwards them directly to `createUser`. The service currently builds the user object as `{ id: `usr_${Date.now()}`, ...payload }`, so a caller can submit an `id` field and override the generated server ID. Empty or malformed payloads are also accepted because the controller does not validate `req.body`.

## Impact

- Clients can create users with attacker-chosen IDs.
- Empty objects can become persisted-looking user records once storage is added.
- Downstream admin and profile views can receive malformed user records without `name`, `email`, or a safe role.

## Expected behavior

Validate user creation input, reject unknown fields such as `id`, require a valid name and email, allow only public user roles, and keep the server-generated user ID authoritative.

## Files

- `apps/api/src/controllers/userController.js`
- `apps/api/src/services/userService.js`

Related to #743

This issue is limited only to the creator of this issue. This means that only the issue author can attempt to solve this issue. If you would like to work on it, please create another issue with the same content.
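The fix the issue asks for, shown as an added example in JavaScript. This is not the project's `userController.js` or `userService.js`; it reproduces the `{ id, ...payload }` pattern the issue describes as the vulnerable "before" and places an allowlist-based validator beside it. The Express-style `req`/`res` handler shape, the set of public roles (only `user`), the field length limits, the coarse email regex and the `usr_` id format are assumptions for illustration.

```javascript
// Added example, not code from SecureBananaLabs/bug-bounty.
// Assumptions: Express-style handler, "user" is the only self-assignable role.

const PUBLIC_ROLES = new Set(['user']);                 // assumed public role list
const ALLOWED_FIELDS = new Set(['name', 'email', 'role']);
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;          // coarse shape check, not RFC 5322

// The pattern the issue reports: the spread lets a client-supplied `id`
// (or any other key) overwrite the server-generated value.
function createUserVulnerable(payload) {
  return { id: `usr_${Date.now()}`, ...payload };
}

// Validate a creation body. Returns { ok: true, value } holding only the
// allowed, normalised fields, or { ok: false, errors } listing every problem.
function validateCreateUser(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  const keys = Object.keys(body);
  if (keys.length === 0) errors.push('body must not be empty');
  for (const k of keys) {
    // Rejecting unknown keys is what stops `id` (and anything else) getting through.
    if (!ALLOWED_FIELDS.has(k)) errors.push(`unknown field: ${k}`);
  }
  const name = typeof body.name === 'string' ? body.name.trim() : '';
  if (name.length < 1 || name.length > 100) errors.push('name must be 1-100 characters');
  const email = typeof body.email === 'string' ? body.email.trim().toLowerCase() : '';
  if (email.length > 254 || !EMAIL_RE.test(email)) errors.push('email must be a valid address');
  const role = body.role === undefined ? 'user' : body.role;
  if (!PUBLIC_ROLES.has(role)) errors.push('role must be one of: ' + [...PUBLIC_ROLES].join(', '));
  if (errors.length > 0) return { ok: false, errors };
  return { ok: true, value: { name, email, role } };
}

// Build the record from validated fields only; the client never supplies `id`.
// `generateId` is injectable so callers (and tests) can pin the id.
function createUserSafe(body, generateId = () => `usr_${Date.now()}`) {
  const result = validateCreateUser(body);
  if (!result.ok) {
    const err = new Error('invalid user payload');
    err.status = 400;
    err.details = result.errors;
    throw err;
  }
  const { name, email, role } = result.value;
  return { id: generateId(), name, email, role };
}

// Assumed controller shape: validate first, then hand a clean object to the service.
function createUserHandler(req, res) {
  try {
    const user = createUserSafe(req.body);
    res.status(201).json(user);
  } catch (e) {
    res.status(e.status || 500).json({ error: e.message, details: e.details || [] });
  }
}

// Constructed sample payload: an attacker picking their own id and role.
const attackerPayload = { id: 'usr_admin', name: 'Mallory', email: 'm@example.com', role: 'admin' };
console.log('vulnerable id:', createUserVulnerable(attackerPayload).id);
try {
  createUserSafe(attackerPayload);
} catch (e) {
  console.log('rejected:', e.details);
}
console.log('safe:', createUserSafe({ name: '  Alice ', email: 'A@Example.com' }, () => 'usr_1'));
```

The structural change is that the hardened path never spreads the request body into the record; it copies named fields out of a validated result, so the server id stays authoritative even if a future field is added to the schema but forgotten in the allowlist. Rejecting unknown keys rather than deleting `id` also closes the same hole for any other server-owned field.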
Comment /attempt on the GitHub issue, then open a PR to claim the bounty.