security-bounty-hunter
Use when the goal is practical vulnerability discovery for responsible disclosure or bounty submission — focuses on remotely reachable, exploitable issues that qualify for real reports rather than a broad best-practices review
Best use case
security-bounty-hunter is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Use when the goal is practical vulnerability discovery for responsible disclosure or bounty submission — focuses on remotely reachable, exploitable issues that qualify for real reports rather than a broad best-practices review
Teams using security-bounty-hunter should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/security-bounty-hunter/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How security-bounty-hunter Compares
| Feature / Agent | security-bounty-hunter | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use when the goal is practical vulnerability discovery for responsible disclosure or bounty submission — focuses on remotely reachable, exploitable issues that qualify for real reports rather than a broad best-practices review
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Security Bounty Hunter Hunt for exploitable, bounty-worthy security issues. Bias toward remotely reachable, user-controlled attack paths — discard patterns that bounty platforms routinely reject as informative or out of scope. ## When to Use - Scanning a repository for exploitable vulnerabilities - Preparing a Huntr, HackerOne, or similar bounty submission - Triage where the question is "does this actually qualify for a payout?" rather than "is this theoretically unsafe?" ## When NOT to Use For broad best-practices audits, use [`security-scan`](../security-scan/SKILL.md) or [`evaluate-repository`](../evaluate-repository/SKILL.md) instead. ## In-Scope Patterns | Pattern | CWE | Typical impact | |---------|-----|----------------| | SSRF through user-controlled URLs | CWE-918 | internal network access, cloud metadata theft | | Auth bypass in middleware or API guards | CWE-287 | unauthorized account or data access | | Remote deserialization or upload-to-RCE | CWE-502 | code execution | | SQL injection in reachable endpoints | CWE-89 | data exfiltration, auth bypass | | Command injection in request handlers | CWE-78 | code execution | | Path traversal in file-serving paths | CWE-22 | arbitrary file read or write | | Auto-triggered XSS | CWE-79 | session theft, admin compromise | ## Usually Out of Scope (skip unless program says otherwise) - Local-only `pickle.loads`, `eval()` with no remote path - `shell=True` on fully hardcoded commands - Missing security headers alone - Generic rate-limiting without exploit impact - Self-XSS requiring victim to paste code manually - Demo, example, or test-only code ## Workflow 1. **Check scope** — program rules, SECURITY.md, disclosure channel, exclusions 2. **Find real entrypoints** — HTTP handlers, uploads, webhooks, background jobs, parsers 3. **Run static triage** — use `grep` / `powershell` for pattern scanning; treat as triage input only 4. **Read the real code path end to end** — follow data from entrypoint to sink 5. **Prove user control reaches a meaningful sink** 6. **Confirm exploitability** with the smallest safe PoC 7. **Check for duplicates** — existing advisories, CVEs, open tickets ## Static Triage Patterns ```powershell # Find potential injection sinks grep -r "exec\|eval\|system\|popen\|subprocess" src/ --include="*.py" -n grep -r "shell=True" src/ --include="*.py" -n # Find potential SSRF grep -r "requests.get\|urllib\|fetch\|axios" src/ --include="*.py" --include="*.ts" -n # Find potential SQL injection grep -r "f\"SELECT\|f'SELECT\|\+ .* WHERE\|string.*query" src/ -n ``` Then manually filter: drop tests, demos, fixtures, vendored code, non-reachable paths. ## Report Structure ```markdown ## Description [What the vulnerability is and why it matters] ## Vulnerable Code [File path, line range, and a small snippet] ## Proof of Concept [Minimal working request or script] ## Impact [What the attacker can achieve] ## Affected Version [Version, commit, or deployment target tested] ``` ## Quality Gate Before submitting, confirm all of: - [ ] Code path is reachable from a real user or network boundary - [ ] Input is genuinely user-controlled - [ ] Sink is meaningful and exploitable - [ ] PoC works - [ ] Issue is not already covered by an advisory, CVE, or open ticket - [ ] Target is in scope for the bounty program ## See Also - [security-scan](../security-scan/SKILL.md) — OWASP Top 10 + STRIDE broad audit - [evaluate-repository](../evaluate-repository/SKILL.md) — scored security posture review - [input-validation](../input-validation/SKILL.md) — sanitize and validate user inputs
Related Skills
security-audit
Use when a codebase needs a formal security audit beyond a quick scan — applies OWASP Top 10 and STRIDE threat modeling from a CSO perspective to surface systemic vulnerabilities.
security-scan
Use when you want a quick security pass on code changes or dependencies — checks OWASP Top 10 patterns, runs dependency audits, and surfaces critical vulnerabilities with targeted fixes.
pr-security-review
Use when reviewing a pull request for security issues — automatically analyzes the diff for vulnerabilities, hardcoded secrets, injection risks, and broken access control before merging
gha-security-review
Use when reviewing GitHub Actions workflows for exploitable vulnerabilities — finds pwn-request patterns, expression injection, credential escalation, config poisoning, and supply chain risks, and reports only HIGH and MEDIUM confidence findings with concrete attack paths.
verification-before-completion
Use before claiming any task is done — run the exact command that proves the fix works, read the output, and only then report success.
using-git-worktrees
Use when you need multiple branches checked out at once — create isolated working directories for parallel development without cloning the repository repeatedly
triage
Use when a single issue needs structured triage — classify it, reproduce if needed, request missing information, and leave a durable brief or close-out note in the tracker.
to-issues
Use when a plan, spec, or PRD must become an actionable backlog — break it into thin dependency-aware issues that each deliver a verifiable vertical slice
sprint-workflow
Use when starting a new feature, refactor, or multi-step dev task — runs the full sprint cycle (Think → Plan → Build → Review → Test → Ship → Monitor) using Copilot CLI's plan/autopilot modes.
sprint-retro
Use at the end of a sprint to run a data-driven retrospective — analyzes session history and git metrics to surface what shipped, what slowed you down, and concrete improvements.
release
Use when a sprint or feature is complete and ready to ship — tags the version, generates GitHub Release notes, runs rollout or smoke verification, and publishes to npm/PyPI/Docker registries.
prompt-optimizer
Use when a rough prompt, vague idea, or task description needs to become a finished copy-pasteable prompt for a chat-based LLM - rewrite it into one ready-to-send prompt with no blanks, no placeholders, and a clear output shape.