security-bounty-hunter

Use when the goal is practical vulnerability discovery for responsible disclosure or bounty submission — focuses on remotely reachable, exploitable issues that qualify for real reports rather than a broad best-practices review

8 stars

Best use case

security-bounty-hunter is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Use when the goal is practical vulnerability discovery for responsible disclosure or bounty submission — focuses on remotely reachable, exploitable issues that qualify for real reports rather than a broad best-practices review

Teams using security-bounty-hunter should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/security-bounty-hunter/SKILL.md --create-dirs "https://raw.githubusercontent.com/drvoss/everything-copilot-cli/main/skills/security/security-bounty-hunter/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/security-bounty-hunter/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How security-bounty-hunter Compares

Feature / Agentsecurity-bounty-hunterStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Use when the goal is practical vulnerability discovery for responsible disclosure or bounty submission — focuses on remotely reachable, exploitable issues that qualify for real reports rather than a broad best-practices review

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Security Bounty Hunter

Hunt for exploitable, bounty-worthy security issues. Bias toward remotely reachable, user-controlled attack paths — discard patterns that bounty platforms routinely reject as informative or out of scope.

## When to Use

- Scanning a repository for exploitable vulnerabilities
- Preparing a Huntr, HackerOne, or similar bounty submission
- Triage where the question is "does this actually qualify for a payout?" rather than "is this theoretically unsafe?"

## When NOT to Use

For broad best-practices audits, use [`security-scan`](../security-scan/SKILL.md) or [`evaluate-repository`](../evaluate-repository/SKILL.md) instead.

## In-Scope Patterns

| Pattern | CWE | Typical impact |
|---------|-----|----------------|
| SSRF through user-controlled URLs | CWE-918 | internal network access, cloud metadata theft |
| Auth bypass in middleware or API guards | CWE-287 | unauthorized account or data access |
| Remote deserialization or upload-to-RCE | CWE-502 | code execution |
| SQL injection in reachable endpoints | CWE-89 | data exfiltration, auth bypass |
| Command injection in request handlers | CWE-78 | code execution |
| Path traversal in file-serving paths | CWE-22 | arbitrary file read or write |
| Auto-triggered XSS | CWE-79 | session theft, admin compromise |

## Usually Out of Scope (skip unless program says otherwise)

- Local-only `pickle.loads`, `eval()` with no remote path
- `shell=True` on fully hardcoded commands
- Missing security headers alone
- Generic rate-limiting without exploit impact
- Self-XSS requiring victim to paste code manually
- Demo, example, or test-only code

## Workflow

1. **Check scope** — program rules, SECURITY.md, disclosure channel, exclusions
2. **Find real entrypoints** — HTTP handlers, uploads, webhooks, background jobs, parsers
3. **Run static triage** — use `grep` / `powershell` for pattern scanning; treat as triage input only
4. **Read the real code path end to end** — follow data from entrypoint to sink
5. **Prove user control reaches a meaningful sink**
6. **Confirm exploitability** with the smallest safe PoC
7. **Check for duplicates** — existing advisories, CVEs, open tickets

## Static Triage Patterns

```powershell
# Find potential injection sinks
grep -r "exec\|eval\|system\|popen\|subprocess" src/ --include="*.py" -n
grep -r "shell=True" src/ --include="*.py" -n

# Find potential SSRF
grep -r "requests.get\|urllib\|fetch\|axios" src/ --include="*.py" --include="*.ts" -n

# Find potential SQL injection
grep -r "f\"SELECT\|f'SELECT\|\+ .* WHERE\|string.*query" src/ -n
```

Then manually filter: drop tests, demos, fixtures, vendored code, non-reachable paths.

## Report Structure

```markdown
## Description
[What the vulnerability is and why it matters]

## Vulnerable Code
[File path, line range, and a small snippet]

## Proof of Concept
[Minimal working request or script]

## Impact
[What the attacker can achieve]

## Affected Version
[Version, commit, or deployment target tested]
```

## Quality Gate

Before submitting, confirm all of:

- [ ] Code path is reachable from a real user or network boundary
- [ ] Input is genuinely user-controlled
- [ ] Sink is meaningful and exploitable
- [ ] PoC works
- [ ] Issue is not already covered by an advisory, CVE, or open ticket
- [ ] Target is in scope for the bounty program

## See Also

- [security-scan](../security-scan/SKILL.md) — OWASP Top 10 + STRIDE broad audit
- [evaluate-repository](../evaluate-repository/SKILL.md) — scored security posture review
- [input-validation](../input-validation/SKILL.md) — sanitize and validate user inputs

Related Skills

security-audit

8
from drvoss/everything-copilot-cli

Use when a codebase needs a formal security audit beyond a quick scan — applies OWASP Top 10 and STRIDE threat modeling from a CSO perspective to surface systemic vulnerabilities.

security-scan

8
from drvoss/everything-copilot-cli

Use when you want a quick security pass on code changes or dependencies — checks OWASP Top 10 patterns, runs dependency audits, and surfaces critical vulnerabilities with targeted fixes.

pr-security-review

8
from drvoss/everything-copilot-cli

Use when reviewing a pull request for security issues — automatically analyzes the diff for vulnerabilities, hardcoded secrets, injection risks, and broken access control before merging

gha-security-review

8
from drvoss/everything-copilot-cli

Use when reviewing GitHub Actions workflows for exploitable vulnerabilities — finds pwn-request patterns, expression injection, credential escalation, config poisoning, and supply chain risks, and reports only HIGH and MEDIUM confidence findings with concrete attack paths.

verification-before-completion

8
from drvoss/everything-copilot-cli

Use before claiming any task is done — run the exact command that proves the fix works, read the output, and only then report success.

using-git-worktrees

8
from drvoss/everything-copilot-cli

Use when you need multiple branches checked out at once — create isolated working directories for parallel development without cloning the repository repeatedly

triage

8
from drvoss/everything-copilot-cli

Use when a single issue needs structured triage — classify it, reproduce if needed, request missing information, and leave a durable brief or close-out note in the tracker.

to-issues

8
from drvoss/everything-copilot-cli

Use when a plan, spec, or PRD must become an actionable backlog — break it into thin dependency-aware issues that each deliver a verifiable vertical slice

sprint-workflow

8
from drvoss/everything-copilot-cli

Use when starting a new feature, refactor, or multi-step dev task — runs the full sprint cycle (Think → Plan → Build → Review → Test → Ship → Monitor) using Copilot CLI's plan/autopilot modes.

sprint-retro

8
from drvoss/everything-copilot-cli

Use at the end of a sprint to run a data-driven retrospective — analyzes session history and git metrics to surface what shipped, what slowed you down, and concrete improvements.

release

8
from drvoss/everything-copilot-cli

Use when a sprint or feature is complete and ready to ship — tags the version, generates GitHub Release notes, runs rollout or smoke verification, and publishes to npm/PyPI/Docker registries.

prompt-optimizer

8
from drvoss/everything-copilot-cli

Use when a rough prompt, vague idea, or task description needs to become a finished copy-pasteable prompt for a chat-based LLM - rewrite it into one ready-to-send prompt with no blanks, no placeholders, and a clear output shape.