seladev_os // bounty.exe·v2.0·6 live

<security · open>

Pinned 2FA on UTHM CourseReg access (WebAuthn)

issuer · @syamir.fskm

Add WebAuthn (passkey) as the second factor for UTHM CourseReg access (mock target for the bounty). Users should be able to register a passkey on first claim and use it on subsequent claims. Fall back to TOTP for users on older devices.

<rubric>

  • WebAuthn registration flow ships behind a feature flag
  • Existing TOTP flow continues to work
  • Rate limiting and lockout policies in place
  • Documented threat model in the repo

<how claims are judged>

A security review by the UTHM Forge Security circle. We pay if the PR ships, the rubric holds, and the threat model is reasonable.

<submission format>

curl -X POST https://api.uthm-forge.dev/bounties/5/claim \
  -H "Authorization: Bearer $UTHM_TOKEN" \
  -d '{"repo":"github.com/you/passkey-coursereg","pr":9}'