
Another way to win this bounty would be to share some code with the string BackdoorPoCTwitter with the same color as the page background. If he copies and pastes the code, it could work. ^^



The only way that would work is if he committed copy/pasted code without reviewing it first, which is highly unlikely. Or at least I would hope it is, given that he's actually challenged people to do this.


Yes, that's true. But if it's a big chunk of code it could work.

Also, if he validated the code before copy and paste, the string would be invisible.


If your final review step is anywhere before the level of staged diff, you're doing it wrong.


I don't really see how anyone can win this challenge (other than how already done). The guy will be super cautious of any pull requests.


Maybe there's a way to mislead someone about the content of a pull request (e.g., a race condition in GitHub or some other UI to git, a Unicode rendering bug, a UI that hides or obscures the content of some software comments, a bug in git's merge logic, putting the code into the source of an upstream library that he pulls into his code wholesale...).

I actually have another idea which I now think I should try to do, so I won't give the details here.


You could probably hide it pretty effectively during a normal pull request to fix an existing issue. As long as they aren't grepping for the string anyhow. If he's going to use tools to search a PR for the string, you'd have to obfuscate it. There are plenty of string and / or byte array manipulation techniques to sufficiently hide something like this as long as it's masked by an otherwise real PR.


You'd have to rely on a ball of jumbled crap somewhere in the PR though - maybe if they don't wrap lines or something you could slip it in?


I'd be XORing against some existing strings in the code of the same length to obfuscate the content, with some hidden method to invoke the reverse XOR to regenerate this challenge text string.


Sure, hiding it as a basic string is easy. But hiding it in a way that a simple code review won't catch is probably a lot harder.


I think some array manipulation could do it if you're clever enough and don't make it obvious where all of the inputs come from. So you'd make some particular parameters regenerate the string, and it wouldn't obviously stand out from the normal behavior.


That sounds very difficult to hide.


The guy is responsible for a small number of low-activity projects, he's going to go over any new pull requests with a fine-tooth comb.


If he's using github to merge pull requests, you might be able to hide it in the details section (2nd+ line) of one of several commit strings. People might check the commits, but github usually hides all but the first commit message line. Not sure if this would count as 'part of the software project' though.
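Added example, not written by any commenter in this thread: a pre-merge check a maintainer could run over the raw diff and the full commit messages, covering two ideas raised above (characters a diff viewer may not render, and commit message text below the first line). Function names and the sample diff and messages are constructed for illustration.

```python
import unicodedata

def invisible_chars(text):
    """(column, name) for every format (Cf) or control (Cc) character except tab.
    Cf covers zero-width characters and the bidirectional overrides."""
    return [(col, unicodedata.name(ch, f"U+{ord(ch):04X}"))
            for col, ch in enumerate(text)
            if ch != "\t" and unicodedata.category(ch) in ("Cf", "Cc")]

def scan_added_lines(diff_text):
    """Scan every line starting with '+' in a unified diff (the '+++' file
    header included); returns (diff line number, column, character name)."""
    findings = []
    # Split on "\n" only: str.splitlines() would also break on U+2028 and similar.
    for lineno, line in enumerate(diff_text.split("\n"), 1):
        if line.startswith("+"):
            added = line[1:].rstrip("\r")  # tolerate CRLF line endings
            findings += [(lineno, col, name) for col, name in invisible_chars(added)]
    return findings

def commit_bodies(messages):
    """Map each commit subject to the non-empty lines after it, i.e. the part
    a one-line commit list does not display."""
    out = {}
    for msg in messages:
        subject, _, rest = msg.strip().partition("\n")
        body = [line for line in rest.split("\n") if line.strip()]
        if body:
            out[subject] = body
    return out

# Constructed sample input (not taken from any real repository).
SAMPLE_DIFF = (
    "--- a/util.py\n"
    "+++ b/util.py\n"
    "@@ -1,2 +1,3 @@\n"
    " def greet(name):\n"
    "+    tag = 'user\u200b'\n"
    "+    # note \u202e reversed\n"
    "     return name\n"
)
SAMPLE_MESSAGES = [
    "Fix typo in README",
    "Handle empty input\n\nExtra text that only shows in the full message.",
]

if __name__ == "__main__":
    for finding in scan_added_lines(SAMPLE_DIFF):
        print("diff line %d col %d: %s" % finding)
    for subject, body in commit_bodies(SAMPLE_MESSAGES).items():
        print(subject, "->", body)
```

This only flags non-rendering characters and surfaces text a collapsed view leaves out; strings rebuilt at run time, as discussed in the comments above, still need a human reading the diff.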



