The linkedItems authz-skip BAC was REAL + live-confirmed + coordinator-verified - but HELD/not-submitted because it leaks METADATA only (existence + state + link-type + timestamps; the nested content was type-authz-protected). GitLab's program rules EXCLUDE metadata-disclosure / enumeration UNLESS it exposes confidential DATA or credentials. So a technically-real, cross-privilege, undisclosed BAC can still be a $0 NON-candidate because its IMPACT class is out-of-scope.
Before investing in a candidate, ask: "is the IMPACT (not the bug class) IN this program's reward scope?" Read the program's OUT-OF-SCOPE list FIRST. Common out-of-scope impacts that void an otherwise-real bug: metadata/existence/enumeration disclosure, self-XSS, missing security headers, rate-limiting, CSRF on non-sensitive actions, version disclosure, best-practice/defense-in-depth, "by-design" trusted-role. A real vuln with an out-of-scope IMPACT = walk (or downgrade to hardening note), NOT a submission. - GitLab specifically: IDOR/BAC is in scope ONLY when it exposes confidential CONTENT/DATA (a confidential issue/MR/note BODY, private repo code, a private user field) or CREDENTIALS/secrets (a token, a private key) - NOT mere existence/state/metadata/enumeration of a private object. - For IDOR/info-disclosure findings, the load-bearing question is "WHAT does it actually leak?" If the answer is "that X exists / its status / its id / a timestamp" -> usually out-of-scope metadata. If "the BODY / the secret / the private content" -> in-scope. The type-authz backstop (GitLab nulls the nested content field) is exactly what keeps a node-admission bug METADATA-only -> the bug must leak a field on the ADMITTED type itself that IS content/credential.
When hunting GitLab (or any) BAC, FRONT-LOAD the impact-scope check: target findings whose leaked field is CONTENT/CREDENTIAL, not metadata. For GraphQL field-level authz: find a type whose OWN exposed field is description/body/note/token/secret (not just id/state) that is admitted without separate authorization. For the incomplete-fix vein: diff a CONTENT-disclosure CVE's fix (not a metadata one) -> the sibling that still leaks the BODY. Bank: the in-scope-impact gate is a Gate-0 sibling - run it before compute, like the disclosure gate. Related: [[2026-06-21-cycle270-gitlab-authz-asymmetry-invariants]], the disclosure-gate-is-gate0 doctrine.