{"id":47383344,"url":"https://github.com/shuvonsec/claude-bug-bounty","last_synced_at":"2026-07-11T10:16:05.028Z","repository":{"id":342952292,"uuid":"1175748759","full_name":"shuvonsec/claude-bug-bounty","owner":"shuvonsec","description":"AI-powered bug bounty hunting from your terminal - recon, 20 vuln classes,         autonomous hunting, and report generation. All inside Claude Code.","archived":false,"fork":false,"pushed_at":"2026-03-26T11:16:57.000Z","size":584,"stargazers_count":1214,"open_issues_count":5,"forks_count":207,"subscribers_count":7,"default_branch":"main","last_synced_at":"2026-03-27T03:58:46.820Z","etag":null,"topics":["ai-security","bug-bounty","bugcrowd","claude-ai","claude-code","ethical-hacking","hackerone","penetration-testing","recon","vulnerability-scanner"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/shuvonsec.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-08T05:34:18.000Z","updated_at":"2026-03-27T03:40:56.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/shuvonsec/claude-bug-bounty","commit_stats":null,"previous_names":["shuvonsec/claude-bug-bounty"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/shuvonsec/claude-bug-bounty","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shuvonsec%2Fclaude-bug-bounty","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shuvonsec%2Fclaude-bug-bounty/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shuvonsec%2Fclaude-bug-bounty/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shuvonsec%2Fclaude-bug-bounty/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/shuvonsec","download_url":"https://codeload.github.com/shuvonsec/claude-bug-bounty/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shuvonsec%2Fclaude-bug-bounty/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31307466,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-02T12:59:32.332Z","status":"ssl_error","status_checked_at":"2026-04-02T12:54:48.875Z","response_time":89,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-security","bug-bounty","bugcrowd","claude-ai","claude-code","ethical-hacking","hackerone","penetration-testing","recon","vulnerability-scanner"],"created_at":"2026-03-19T16:00:38.421Z","updated_at":"2026-04-02T14:03:23.811Z","avatar_url":"https://github.com/shuvonsec.png","language":"Python","funding_links":[],"categories":["bugbounty","Agentic AI Security Skills","Python"],"sub_categories":["Data \u0026 Supply Chain Security"],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"logo.png\" alt=\"Claude Bug Bounty Logo\" width=\"320\"/\u003e\n\u003c/p\u003e\n\n\u003cdiv align=\"center\"\u003e\n\n\u003cimg src=\"https://img.shields.io/badge/v3.0.0-Bionic_Hunter-blueviolet?style=for-the-badge\" alt=\"v3.0.0\"\u003e\n\n# Claude Bug Bounty\n\n### The AI-Powered Agent Harness for Professional Bug Bounty Hunting\n\n*Your AI copilot that sees live traffic, remembers past hunts, and hunts autonomously.*\n\n\u003csub\u003eby \u003ca href=\"https://shuvonsec.me\"\u003eshuvonsec\u003c/a\u003e\u003c/sub\u003e\n\n\u003cbr\u003e\n\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg?style=flat-square)](LICENSE)\n[![Python 3.8+](https://img.shields.io/badge/Python-3.8+-3776AB.svg?style=flat-square\u0026logo=python\u0026logoColor=white)](https://python.org)\n[![Tests](https://img.shields.io/badge/Tests-129_passing-brightgreen.svg?style=flat-square)](tests/)\n[![Claude Code](https://img.shields.io/badge/Claude_Code-Plugin-D97706.svg?style=flat-square\u0026logo=anthropic\u0026logoColor=white)](https://claude.ai/claude-code)\n\n\u003cbr\u003e\n\n\u003ca href=\"#-quick-start\"\u003eQuick Start\u003c/a\u003e\u0026nbsp;\u0026nbsp;|\u0026nbsp;\u0026nbsp;\u003ca href=\"#-how-it-works\"\u003eHow It Works\u003c/a\u003e\u0026nbsp;\u0026nbsp;|\u0026nbsp;\u0026nbsp;\u003ca href=\"#-commands\"\u003eCommands\u003c/a\u003e\u0026nbsp;\u0026nbsp;|\u0026nbsp;\u0026nbsp;\u003ca href=\"#-whats-new-in-v300\"\u003eWhat's New\u003c/a\u003e\u0026nbsp;\u0026nbsp;|\u0026nbsp;\u0026nbsp;\u003ca href=\"#-installation\"\u003eInstall\u003c/a\u003e\n\n\u003cbr\u003e\n\n```\n  13 commands  ·  7 AI agents  ·  8 skill domains\n  20 web2 vuln classes  ·  10 web3 bug classes\n  Burp MCP  ·  HackerOne MCP  ·  Autonomous Mode\n```\n\n\u003c/div\u003e\n\n\u003cbr\u003e\n\n---\n\n\u003cbr\u003e\n\n## The Problem\n\nMost bug bounty toolkits give you a bag of scripts. You still have to:\n- Figure out **what** to test and **in what order**\n- Waste hours on **false positives** that get rejected\n- Write **reports from scratch** every time\n- **Forget** what worked on previous targets\n- **Context-switch** between 15 different terminal windows\n\n\u003cbr\u003e\n\n## The Solution\n\nClaude Bug Bounty is an **agent harness** — not just scripts. It reasons about what to test, validates findings before you waste time writing them up, remembers what worked across targets, and generates reports that actually get paid.\n\n\u003cbr\u003e\n\n\u003cdiv align=\"center\"\u003e\n\n| Before | After |\n|:---|:---|\n| Run scripts manually, hope for the best | AI orchestrates 25+ tools in the right order |\n| Write reports from scratch (45 min each) | Report-writer agent generates submission-ready reports in 60s |\n| Forget what worked last month | Persistent memory — patterns from target A inform target B |\n| Can't see live traffic from Claude | Burp MCP integration — Claude reads your proxy history |\n| Hunt one endpoint at a time | `/autopilot` runs full hunt loops with safety checkpoints |\n\n\u003c/div\u003e\n\n\u003cbr\u003e\n\n---\n\n\u003cbr\u003e\n\n## Quick Start\n\n**Step 1 — Install**\n\n```bash\ngit clone https://github.com/shuvonsec/claude-bug-bounty.git\ncd claude-bug-bounty\nchmod +x install.sh \u0026\u0026 ./install.sh\n```\n\n**Step 2 — Hunt**\n\n```bash\nclaude                          # Start Claude Code\n\n/recon target.com               # Discover attack surface\n/hunt target.com                # Test for vulnerabilities\n/validate                       # Check finding before writing\n/report                         # Generate submission-ready report\n```\n\n**Step 3 — Go Autonomous** *(new in v3)*\n\n```bash\n/autopilot target.com --normal  # Full autonomous hunt loop\n/intel target.com               # Fetch CVE + disclosure intel\n/resume target.com              # Pick up where you left off\n```\n\n\u003cbr\u003e\n\n\u003e **Or run tools directly** — no Claude needed:\n\u003e ```bash\n\u003e python3 tools/hunt.py --target target.com\n\u003e ./tools/recon_engine.sh target.com\n\u003e python3 tools/intel_engine.py --target target.com --tech nextjs\n\u003e ```\n\n\u003cbr\u003e\n\n---\n\n\u003cbr\u003e\n\n## How It Works\n\n```\n                         YOU\n                          |\n                    ┌─────▼─────┐\n                    │   Claude   │ ◄── Burp MCP (sees your traffic)\n                    │   Code     │ ◄── HackerOne MCP (program intel)\n                    └─────┬─────┘\n                          |\n          ┌───────────────┼───────────────┐\n          |               |               |\n    ┌─────▼─────┐  ┌──────▼──────┐  ┌────▼────┐\n    │   Recon    │  │    Hunt     │  │ Report  │\n    │   Agent    │  │   Engine    │  │ Writer  │\n    └─────┬─────┘  └──────┬──────┘  └────┬────┘\n          |               |               |\n    subfinder        scope check      H1/Bugcrowd\n    httpx            vuln test        Intigriti\n    katana           validate         Immunefi\n    nuclei           chain A→B→C      CVSS 3.1\n          |               |               |\n    ┌─────▼───────────────▼───────────────▼─────┐\n    │              Hunt Memory                   │\n    │  journal · patterns · audit · rate limit   │\n    └───────────────────────────────────────────-─┘\n```\n\nEach stage feeds the next. Claude orchestrates everything, or you run any stage independently.\n\n\u003cbr\u003e\n\n---\n\n\u003cbr\u003e\n\n## Commands\n\n### Core Workflow\n\n| Command | What It Does |\n|:---|:---|\n| `/recon target.com` | Full recon — subdomains, live hosts, URLs, nuclei scan |\n| `/hunt target.com` | Active testing — scope check, tech detect, test highest-ROI bugs |\n| `/validate` | 7-Question Gate + 4 gates — PASS / KILL / DOWNGRADE / CHAIN REQUIRED |\n| `/report` | Submission-ready report for H1/Bugcrowd/Intigriti/Immunefi |\n| `/chain` | Find B and C from bug A — systematic exploit chaining |\n| `/scope \u003casset\u003e` | Verify asset is in scope before testing |\n| `/triage` | Quick 2-minute go/no-go before deep validation |\n| `/web3-audit \u003ccontract\u003e` | 10-class smart contract checklist + Foundry PoC |\n\n### Autonomous \u0026 Memory *(new in v3)*\n\n| Command | What It Does |\n|:---|:---|\n| `/autopilot target.com` | Full autonomous hunt loop with safety checkpoints |\n| `/surface target.com` | AI-ranked attack surface from recon + memory |\n| `/resume target.com` | Resume previous hunt — shows what's untested |\n| `/remember` | Save finding or pattern to persistent memory |\n| `/intel target.com` | CVEs + disclosures cross-referenced with your hunt history |\n\n\u003cbr\u003e\n\n---\n\n\u003cbr\u003e\n\n## AI Agents\n\n7 specialized agents, each tuned for its role:\n\n| Agent | What It Does | Model |\n|:---|:---|:---|\n| **recon-agent** | Subdomain enum, live hosts, URL crawl, nuclei | Haiku *(fast)* |\n| **report-writer** | Professional reports, impact-first, human tone | Opus *(quality)* |\n| **validator** | 7-Question Gate + 4-gate finding validation | Sonnet |\n| **web3-auditor** | 10-class contract audit + Foundry PoC stubs | Sonnet |\n| **chain-builder** | Systematic A-B-C exploit chaining | Sonnet |\n| **autopilot** | Autonomous hunt loop with circuit breaker | Sonnet |\n| **recon-ranker** | Attack surface ranking from recon + memory | Haiku *(fast)* |\n\n\u003cbr\u003e\n\n---\n\n\u003cbr\u003e\n\n## What's New in v3.0.0\n\n\u003e **The \"brain in a jar\" is now a bionic hacker.**\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eAutonomous Hunt Loop\u003c/b\u003e — \u003ccode\u003e/autopilot\u003c/code\u003e\u003c/summary\u003e\n\u003cbr\u003e\n\n7-step loop that runs continuously: **scope - recon - rank - hunt - validate - report - checkpoint**\n\nThree checkpoint modes:\n- `--paranoid` — stops after every finding for your review\n- `--normal` — batches findings, checkpoints every few minutes\n- `--yolo` — minimal stops (still requires approval for report submissions)\n\nBuilt-in safety: circuit breaker stops hammering hosts after consecutive failures, per-host rate limiting, every request logged to `audit.jsonl`.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003ePersistent Hunt Memory\u003c/b\u003e — remember everything\u003c/summary\u003e\n\u003cbr\u003e\n\n- **Journal** — append-only JSONL log of every hunt action (concurrent-safe writes)\n- **Pattern DB** — what technique worked on which tech stack, sorted by payout\n- **Target profiles** — tested/untested endpoints, tech stack, findings\n- **Cross-target learning** — patterns from target A suggested when hunting target B\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eMCP Integrations\u003c/b\u003e — Burp + HackerOne\u003c/summary\u003e\n\u003cbr\u003e\n\n**Burp Suite MCP** — Claude can read your proxy history, replay requests through Burp, use Collaborator payloads. Your AI copilot now sees the same traffic you do.\n\n**HackerOne MCP** — Public API integration:\n- `search_disclosed_reports` — search Hacktivity by keyword or program\n- `get_program_stats` — bounty ranges, response times, resolved counts\n- `get_program_policy` — scope, safe harbor, excluded vuln classes\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eOn-Demand Intel\u003c/b\u003e — \u003ccode\u003e/intel\u003c/code\u003e\u003c/summary\u003e\n\u003cbr\u003e\n\nWraps `learn.py` + HackerOne MCP + hunt memory:\n- Flags **untested CVEs** matching the target's tech stack\n- Shows **new endpoints** not in your tested list\n- Surfaces **cross-target patterns** from your own hunt history\n- Prioritizes: CRITICAL untested \u003e HIGH untested \u003e already tested\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eDeterministic Scope Safety\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\n\n`scope_checker.py` uses anchored suffix matching — code check, not LLM judgment:\n- `*.target.com` matches `api.target.com` but NOT `evil-target.com`\n- Excluded domains always win over wildcards\n- IP addresses rejected with warning (match by domain only)\n- Every test filtered through scope before execution\n\n\u003c/details\u003e\n\n\u003cbr\u003e\n\n---\n\n\u003cbr\u003e\n\n## Vulnerability Coverage\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003e20 Web2 Bug Classes\u003c/b\u003e — click to expand\u003c/summary\u003e\n\u003cbr\u003e\n\n| Class | Key Techniques | Typical Payout |\n|:---|:---|:---|\n| **IDOR** | Object-level, field-level, GraphQL node(), UUID enum, method swap | $500 - $5K |\n| **Auth Bypass** | Missing middleware, client-side checks, BFLA | $1K - $10K |\n| **XSS** | Reflected, stored, DOM, postMessage, CSP bypass, mXSS | $500 - $5K |\n| **SSRF** | Redirect chain, DNS rebinding, cloud metadata, 11 IP bypasses | $1K - $15K |\n| **Business Logic** | Workflow bypass, negative quantity, price manipulation | $500 - $10K |\n| **Race Conditions** | TOCTOU, coupon reuse, limit overrun, double spend | $500 - $5K |\n| **SQLi** | Error-based, blind, time-based, ORM bypass, WAF bypass | $1K - $15K |\n| **OAuth/OIDC** | Missing PKCE, state bypass, 11 redirect_uri bypasses | $500 - $5K |\n| **File Upload** | Extension bypass, MIME confusion, polyglots, 10 bypasses | $500 - $5K |\n| **GraphQL** | Introspection, node() IDOR, batching bypass, mutation auth | $1K - $10K |\n| **LLM/AI** | Prompt injection, chatbot IDOR, ASI01-ASI10 framework | $500 - $10K |\n| **API Misconfig** | Mass assignment, JWT attacks, prototype pollution, CORS | $500 - $5K |\n| **ATO** | Password reset poisoning, token leaks, 9 takeover paths | $1K - $20K |\n| **SSTI** | Jinja2, Twig, Freemarker, ERB, Thymeleaf -\u003e RCE | $2K - $10K |\n| **Subdomain Takeover** | GitHub Pages, S3, Heroku, Netlify, Azure | $200 - $5K |\n| **Cloud/Infra** | S3 listing, EC2 metadata, Firebase, K8s, Docker API | $500 - $20K |\n| **HTTP Smuggling** | CL.TE, TE.CL, TE.TE, H2.CL request tunneling | $5K - $30K |\n| **Cache Poisoning** | Unkeyed headers, parameter cloaking, web cache deception | $1K - $10K |\n| **MFA Bypass** | No rate limit, OTP reuse, response manipulation, race | $1K - $10K |\n| **SAML/SSO** | XSW, comment injection, signature stripping, XXE | $2K - $20K |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003e10 Web3 Bug Classes\u003c/b\u003e — click to expand\u003c/summary\u003e\n\u003cbr\u003e\n\n| Class | Frequency | Typical Payout |\n|:---|:---|:---|\n| **Accounting Desync** | 28% of Criticals | $50K - $2M |\n| **Access Control** | 19% of Criticals | $50K - $2M |\n| **Incomplete Code Path** | 17% of Criticals | $50K - $2M |\n| **Off-By-One** | 22% of Highs | $10K - $100K |\n| **Oracle Manipulation** | 12% of reports | $100K - $2M |\n| **ERC4626 Attacks** | Moderate | $50K - $500K |\n| **Reentrancy** | Classic | $10K - $500K |\n| **Flash Loan** | Moderate | $100K - $2M |\n| **Signature Replay** | Moderate | $10K - $200K |\n| **Proxy/Upgrade** | Moderate | $50K - $2M |\n\n\u003c/details\u003e\n\n\u003cbr\u003e\n\n---\n\n\u003cbr\u003e\n\n## Tools \u0026 Architecture\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eCore Pipeline\u003c/b\u003e — \u003ccode\u003etools/\u003c/code\u003e\u003c/summary\u003e\n\u003cbr\u003e\n\n| Tool | What It Does |\n|:---|:---|\n| `hunt.py` | Master orchestrator — chains recon, scan, report |\n| `recon_engine.sh` | Subdomain enum + DNS + live hosts + URL crawl |\n| `learn.py` | CVE + disclosure intel from NVD, GitHub Advisory, HackerOne |\n| `intel_engine.py` | Memory-aware intel wrapper (learn.py + HackerOne MCP + memory) |\n| `validate.py` | 4-gate validation — scope, impact, dedup, CVSS |\n| `report_generator.py` | H1/Bugcrowd/Intigriti report output |\n| `scope_checker.py` | Deterministic scope safety with anchored suffix matching |\n| `mindmap.py` | Prioritized attack mindmap generator |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eVulnerability Scanners\u003c/b\u003e — \u003ccode\u003etools/\u003c/code\u003e\u003c/summary\u003e\n\u003cbr\u003e\n\n| Tool | Target |\n|:---|:---|\n| `h1_idor_scanner.py` | Object-level and field-level IDOR |\n| `h1_mutation_idor.py` | GraphQL mutation IDOR |\n| `h1_oauth_tester.py` | OAuth misconfigs (PKCE, state, redirect_uri) |\n| `h1_race.py` | Race conditions (TOCTOU, limit overrun) |\n| `zero_day_fuzzer.py` | Logic bugs, edge cases, access control |\n| `cve_hunter.py` | Tech fingerprinting + known CVE matching |\n| `vuln_scanner.sh` | Orchestrates nuclei + dalfox + sqlmap |\n| `hai_probe.py` | AI chatbot IDOR, prompt injection |\n| `hai_payload_builder.py` | Prompt injection payload generator |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eMCP Integrations\u003c/b\u003e — \u003ccode\u003emcp/\u003c/code\u003e\u003c/summary\u003e\n\u003cbr\u003e\n\n| Server | Tools Provided |\n|:---|:---|\n| **Burp Suite** (`burp-mcp-client/`) | Read proxy history, replay requests, Collaborator payloads |\n| **HackerOne** (`hackerone-mcp/`) | `search_disclosed_reports`, `get_program_stats`, `get_program_policy` |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eHunt Memory System\u003c/b\u003e — \u003ccode\u003ememory/\u003c/code\u003e\u003c/summary\u003e\n\u003cbr\u003e\n\n| Module | What It Does |\n|:---|:---|\n| `hunt_journal.py` | Append-only JSONL hunt log (concurrent-safe via `fcntl.flock`) |\n| `pattern_db.py` | Cross-target pattern DB — matches by vuln class + tech stack |\n| `audit_log.py` | Every outbound request logged + per-host rate limiter + circuit breaker |\n| `schemas.py` | Schema validation for all entry types (versioned) |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eFull Directory Structure\u003c/b\u003e — click to expand\u003c/summary\u003e\n\u003cbr\u003e\n\n```\nclaude-bug-bounty/\n├── skills/                     8 skill domains (SKILL.md files)\n├── commands/                   13 slash commands\n├── agents/                     7 specialized AI agents\n├── tools/                      21 Python/shell tools\n├── memory/                     Persistent hunt memory system\n├── mcp/                        MCP server integrations\n│   ├── burp-mcp-client/        Burp Suite proxy\n│   └── hackerone-mcp/          HackerOne public API\n├── tests/                      129 tests\n├── rules/                      Always-active hunting + reporting rules\n├── hooks/                      Session start/stop hooks\n├── docs/                       Payload arsenal + technique guides\n├── web3/                       Smart contract skill chain\n├── scripts/                    Shell wrappers\n└── wordlists/                  5 wordlists\n```\n\n\u003c/details\u003e\n\n\u003cbr\u003e\n\n---\n\n\u003cbr\u003e\n\n## Installation\n\n### Prerequisites\n\n```bash\n# macOS\nbrew install go python3 node jq\n\n# Linux (Debian/Ubuntu)\nsudo apt install golang python3 nodejs jq\n```\n\n### Install\n\n```bash\ngit clone https://github.com/shuvonsec/claude-bug-bounty.git\ncd claude-bug-bounty\nchmod +x install.sh \u0026\u0026 ./install.sh\n```\n\n### API Keys\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eChaos API\u003c/b\u003e (required for recon)\u003c/summary\u003e\n\u003cbr\u003e\n\n1. Sign up at [chaos.projectdiscovery.io](https://chaos.projectdiscovery.io)\n2. Export your key:\n\n```bash\nexport CHAOS_API_KEY=\"your-key-here\"\necho 'export CHAOS_API_KEY=\"your-key-here\"' \u003e\u003e ~/.zshrc\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eOptional API keys\u003c/b\u003e (better subdomain coverage)\u003c/summary\u003e\n\u003cbr\u003e\n\nConfigure in `~/.config/subfinder/config.yaml`:\n- [VirusTotal](https://www.virustotal.com) — free\n- [SecurityTrails](https://securitytrails.com) — free tier\n- [Censys](https://censys.io) — free tier\n- [Shodan](https://shodan.io) — paid\n\n\u003c/details\u003e\n\n\u003cbr\u003e\n\n---\n\n\u003cbr\u003e\n\n## The Golden Rules\n\nThese are always active. Non-negotiable.\n\n```\n 1. READ FULL SCOPE        verify every asset before the first request\n 2. NO THEORETICAL BUGS    \"Can attacker do this RIGHT NOW?\" — if no, stop\n 3. KILL WEAK FAST         Gate 0 is 30 seconds, saves hours\n 4. NEVER OUT-OF-SCOPE     one request = potential ban\n 5. 5-MINUTE RULE          nothing after 5 min = move on\n 6. RECON ONLY AUTO        manual testing finds unique bugs\n 7. IMPACT-FIRST           \"worst thing if auth broken?\" drives target selection\n 8. SIBLING RULE           9 endpoints have auth? check the 10th\n 9. A→B SIGNAL             confirming A means B exists nearby — hunt it\n10. VALIDATE FIRST         7-Question Gate (15 min) before report (30 min)\n```\n\n\u003cbr\u003e\n\n---\n\n\u003cbr\u003e\n\n## The Trilogy\n\n| Repo | Purpose |\n|:---|:---|\n| **[claude-bug-bounty](https://github.com/shuvonsec/claude-bug-bounty)** | Full hunting pipeline — recon to report |\n| **[web3-bug-bounty-hunting-ai-skills](https://github.com/shuvonsec/web3-bug-bounty-hunting-ai-skills)** | Smart contract security — 10 bug classes, Foundry PoCs |\n| **[public-skills-builder](https://github.com/shuvonsec/public-skills-builder)** | Ingest 500+ writeups into Claude skill files |\n\n\u003cbr\u003e\n\n---\n\n\u003cbr\u003e\n\n## Contributing\n\nPRs welcome. Best contributions:\n\n- New vulnerability scanners or detection modules\n- Payload additions to `skills/security-arsenal/SKILL.md`\n- New agent definitions for specific platforms\n- Real-world methodology improvements (with evidence from paid reports)\n- Platform support (YesWeHack, Synack, HackenProof)\n\n```bash\ngit checkout -b feature/your-contribution\ngit commit -m \"Add: short description\"\ngit push origin feature/your-contribution\n```\n\n\u003cbr\u003e\n\n---\n\n\u003cbr\u003e\n\n\u003cdiv align=\"center\"\u003e\n\n### Connect\n\n[GitHub](https://github.com/shuvonsec) \u0026nbsp;\u0026nbsp;|\u0026nbsp;\u0026nbsp; [Twitter](https://x.com/shuvonsec) \u0026nbsp;\u0026nbsp;|\u0026nbsp;\u0026nbsp; [LinkedIn](https://linkedin.com/in/shuvonsec) \u0026nbsp;\u0026nbsp;|\u0026nbsp;\u0026nbsp; [Email](mailto:shuvonsec@gmail.com)\n\n\u003cbr\u003e\n\n---\n\n**For authorized security testing only.** Only test targets within an approved bug bounty scope.\u003cbr\u003e\nNever test systems without explicit permission. Follow responsible disclosure practices.\n\n---\n\n\u003cbr\u003e\n\nMIT License\n\n**Built by bug hunters, for bug hunters.**\n\nIf this helped you find a bug, leave a star.\n\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshuvonsec%2Fclaude-bug-bounty","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fshuvonsec%2Fclaude-bug-bounty","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshuvonsec%2Fclaude-bug-bounty/lists"}