Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/fransr/bountyplz
Automated security reporting from markdown templates (HackerOne and Bugcrowd are currently the platforms supported)
https://github.com/fransr/bountyplz
Last synced: 17 days ago
JSON representation
Automated security reporting from markdown templates (HackerOne and Bugcrowd are currently the platforms supported)
- Host: GitHub
- URL: https://github.com/fransr/bountyplz
- Owner: fransr
- License: mit
- Created: 2018-04-18T13:11:54.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2019-05-10T07:28:08.000Z (over 5 years ago)
- Last Synced: 2024-11-03T08:33:35.528Z (about 1 month ago)
- Language: Shell
- Homepage:
- Size: 2.64 MB
- Stars: 443
- Watchers: 18
- Forks: 64
- Open Issues: 4
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-bugbounty-tools - bountyplz - Automated security reporting from markdown templates (HackerOne and Bugcrowd are currently the platforms supported) (Miscellaneous / Uncategorized)
- WebHackersWeapons - bountyplz
- awesome-hacking-lists - fransr/bountyplz - Automated security reporting from markdown templates (HackerOne and Bugcrowd are currently the platforms supported) (Shell)
README
# bountyplz – automated security reporting from markdown templates
### description
This is a project created by [Frans Rosén](https://twitter.com/fransrosen). The idea is to be able to submit a report without any interaction. It's taking advantage of all features the existing site has, such as attachments, inline images, assets, weaknesses and severity.
bountyplz supports submitting to HackerOne and Bugcrowd.
bountyplz will sign in to HackerOne or Bugcrowd and keep the session, create a draft and submit the report, all in one step. It also supports 2FA, if this is enabled on your HackerOne- or Bugcrowd-account.
HackerOne:
Bugcrowd:
### install
```
brew install jq
brew install gnu-sed
brew install coreutilsln -fs "$(pwd)/bountyplz" /usr/local/bin/bountyplz
```### usage HackerOne `h1`
Place `.env` with `HACKERONE_USERNAME` and `HACKERONE_PASSWORD` next to the binary.
```
bountyplz h1
````-p` for preview
`-d` for draft-only
`-f` for force### usage Bugcrowd `bc`
Place `.env` with `BUGCROWD_USERNAME` and `BUGCROWD_PASSWORD` next to the binary.
```
bountyplz bc
````-p` for preview
`-d` for draft-only (will upload files but not save any draft as this is currently not supported on Bugcrowd)
`-f` for force### howto
Write report in markdown, use frontmatter for attributes for the report. The title of the report will be taken from the content's first #-header.
```md
---
severity: high
weakness: xss reflected
asset: example.com
---# Report title
Report description
```The following attributes are currently supported:
| key | type | desc |
|-------|------|---|
|`asset`|string|will be matched against the list of assets for the program|
|`weakness`|string|will be matched against the list of weaknesses for the program. |
|`attachments`|json-array|list of files that should be attached. `["test.jpg","test2.jpg"]`
if images and videos are used inline, these does not need to be in this list|
|`url`|string|bug URL (BugCrowd only, not required)|
|`severity`|string|`none, low, medium, high, crical` (HackerOne only)|When the report is submitted, an additional `report`-attribute will be added to the markdown with the reference URL for the report. This is to make sure the same report is not submitted twice.
`asset` and `weakness` will try to match against the list of available options. If multiple results are found, a list will be shown to select the right one:
### impact
For HackerOne, if any header with the word `impact` exist in the report, the report will be split in half and the content after Impact will be inserted in the Impact-field. If no Impact exists in the report, the Impact field will only contain a `#` rendering it empty.
```md
---
asset: example.com
---# Report title
Report description
### impact
This will be in the impact field.
```For Bugcrowd, the whole report will be inside the Description-field.
### inline attachments
When referring to images or videos inside the report, use this format: ``
Every image or video element containing ` {} \; -o -quit \)
```