[New Rule] SpiceDB: Reproduce A High-Severity Failure & Write a Detection Rule

[Lyndon-prequel]

Description

SpiceDB powers fine-grained access control — but subtle misconfigurations or known bugs can block critical permissions.

Your task: Reproduce a high-severity failure in a recent version of SpiceDB and write a detection rule that reliably identifies the issue in production environments.

✅ You must:

1. Reproduce the failure scenario.
2. Share a minimal, working reproduction (e.g., Helm, Docker Compose, etc.).
3. Write a CRE-format detection rule for preq.

📦 Deliverables:

• Reproduction setup and clear README
  • create a private repo and invite @tonymeehan & @Lyndon-prequel)
• PR containing
  • the new CRE rule
  • example logs in test.log.
  • changes to tags and categories
• Link to your rule in the CRE playground.
• Provide a short demo video of your reproduction and the changes in your pull request

Note: The first viable solution for this bounty will be accepted and the bounty will be closed

/bounty $250

Rule

No response

Related issues or PRs

No response

References

No response

Redacted Example Data

No response

[algora-pbc]

💎 $250 bounty • Prequel

Steps to solve:

1. Star the repos: https://github.com/prequel-dev/preq + https://github.com/prequel-dev/cre
2. Start working: Comment /attempt #60 with your implementation plan.

• If this is a generic bounty, we suggest you specify the specific issue you plan to work. There are cases where we will award multiple bounties.

3. Submit work: Create a pull request including /claim #60 in the PR body to claim the bounty
4. Receive payment: 100% of the bounty is received 2-5 days post-reward. Make sure you are eligible for payouts

❗ Important guidelines:

• To claim a bounty, you need to provide a short demo video of your changes in your pull request
• If anything is unclear, ask for clarification before starting as this will help avoid potential rework
• Low quality AI PRs will not receive review and will be closed
• Do not ask to be assigned unless you've contributed before

Thank you for contributing to prequel-dev/cre!

Attempt	Started (UTC)	Solution	Actions
🟢 @amanycodes	Jun 06, 2025, 01:55:24 AM	WIP
🟢 @Evad0	Jun 06, 2025, 04:37:31 AM	#61	Reward
🟢 @SaikiranSurapalli17	Jun 06, 2025, 05:22:24 AM	#64	Reward

[amanycodes]

/attempt #60

I'm planning on reproducing Window Race Condition where Rapid schema updates create auth Bypass.

• Will setup docker environment
• Introduce concurrent schema changes and permission checks
• Will capture the moments when permission grants slip through during shema transitions
• CRE for flagging these suspicious timing patterns between schema updates and unexpected access grants.

[Evad0]

/attempt #60

[SaikiranSurapalli17]

/attempt #60

[algora-pbc]

🎉 The pull request of @SaikiranSurapalli17 has been merged. The bounty can be rewarded here

cc @Lyndon-prequel

[algora-pbc]

🎉🎈 @SaikiranSurapalli17 has been awarded $250 by Prequel! 🎈🎊