GitHub Bounties💵 paid workby oathisscored by google/gemini-2.5-flash

SecureBananaLabs/bug-bounty: fix: prevent admin role self-assignment during registration

Visit project ↗Discussion ↗

💵 Funded work— see “Deliver it” below for how to respond.

Opportunity

AI-buildable

Traction

Creativity

The take

effort: ~weekend

This is a bounty to fix a critical security vulnerability in a user registration process. Currently, a new user can self-assign the 'admin' role during public registration, gaining unauthorized privileges. The fix involves restricting registration to only 'client' and 'freelancer' roles, rejecting 'admin' if present in the request body.

Demand & gap

Painkillerdemand 87

Demand

Will. to pay

Gap

Buyer

Developers

The gap in what exists: This is a direct, funded security fix bounty with money on the table; the gap is the immediate need for a robust security patch.
Wedge to win: Deliver a working, tested patch for the stated bounty amount, demonstrating expertise in security and backend development.
Reputation value (worth doing free for proof) — 70/100: A merged PR on a public bug bounty project demonstrates immediate, practical security and backend development skills, enhancing portfolio credibility for future dev-tool or agency clients.
Likely monetization: fixed-price bounty

Deliver it

A starter prompt for Claude Code, what you'll need, and how to reach them.

You are an expert full-stack developer. The goal is to fix a critical security vulnerability in the user registration process of a GitHub project at `SecureBananaLabs/bug-bounty`. The existing system allows new users to self-assign the 'admin' role during public registration by submitting `role: "admin"` in the request body. Your task is to implement a server-side validation that restricts new user registration to only 'client' and 'freelancer' roles, rejecting any attempt to register with 'admin'. Focus on a Node.js/Express backend, assuming standard API routes for user registration. Implement the fix, write a corresponding unit test to verify that 'admin' role assignment is prevented, and ensure legitimate 'client' and 'freelancer' registrations still function. Deliver the solution as a clear pull request to the forked repository. Provide the specific code changes for the validation logic and the new unit test. Prioritize clarity and security best practices.

Prerequisites — cost & what to learn

GitHub accountFree · Free✓ in your stack
Standard for any GitHub-based project.

How you'd build it

1Fork the SecureBananaLabs/bug-bounty repository.
2Locate the user registration endpoint code (likely an API route in Node.js/Express, or similar).
3Implement a server-side validation check that explicitly rejects 'admin' as a role during new user registration.
4Ensure the validation allows only 'client' and 'freelancer' roles or a predefined set of public roles.
5Write a unit test to confirm the fix, specifically attempting to register with 'admin' and asserting rejection.

Risks & moats

Understanding the existing codebase and framework quickly to pinpoint the exact vulnerability.
Ensuring no side effects are introduced by the fix that might break legitimate user registration flows.
The bounty is limited to the issue creator, so the operator would need to create a duplicate issue and get approval to work on it.
The bounty amount might be low relative to the effort if the codebase is complex or undocumented.

Original context

Bounty (amount on the issue). Same as #1426, registration role restriction. Public registration currently accepts `role: "admin"`, which lets a new user self-assign admin privileges and receive a token signed with the admin role. Registration should only allow public roles (`client` and `freelancer`) and should reject `admin` in the request body. --- This issue is limited only to the creator of this issue. This means that only the issue author can attempt to solve this issue. If you would like to work on it, please create another issue with the same contents and refer to issue #743 for more information. Refs #743.