AI-powered bug bounty hunting from your terminal - recon, 20 vuln classes, autonomous hunting, and report generation. All inside Claude Code.
AI-powered bug bounty hunting from your terminal - recon, 20 vuln classes, autonomous hunting, and report generation. All inside Claude Code.
Your AI copilot that sees live traffic, remembers past hunts, and hunts autonomously.
The community made a meme coin to support the project CA: J6VzBAGnyyNEyzyHhauwg3ofRctFxnTLzQCcjUdGpump
by shuvonsec
13 commands ยท 7 AI agents ยท 8 skill domains
20 web2 vuln classes ยท 10 web3 bug classes
Burp MCP ยท HackerOne MCP ยท Autonomous Mode
Most bug bounty toolkits give you a bag of scripts. You still have to:
Claude Bug Bounty is an agent harness โ not just scripts. It reasons about what to test, validates findings before you waste time writing them up, remembers what worked across targets, and generates reports that actually get paid.
| Before | After |
|---|---|
| Run scripts manually, hope for the best | AI orchestrates 25+ tools in the right order |
| Write reports from scratch (45 min each) | Report-writer agent generates submission-ready reports in 60s |
| Forget what worked last month | Persistent memory โ patterns from target A inform target B |
| Can't see live traffic from Claude | Burp MCP integration โ Claude reads your proxy history |
| Hunt one endpoint at a time | /autopilot runs full hunt loops with safety checkpoints |
Step 1 โ Install
git clone https://github.com/shuvonsec/claude-bug-bounty.git
cd claude-bug-bounty
chmod +x install.sh && ./install.shStep 2 โ Hunt
claude # Start Claude Code
/recon target.com # Discover attack surface
/hunt target.com # Test for vulnerabilities
/validate # Check finding before writing
/report # Generate submission-ready reportStep 3 โ Go Autonomous (new in v3)
/autopilot target.com --normal # Full autonomous hunt loop
/intel target.com # Fetch CVE + disclosure intel
/resume target.com # Pick up where you left offOr run tools directly โ no Claude needed:
python3 tools/hunt.py --target target.com ./tools/recon_engine.sh target.com python3 tools/intel_engine.py --target target.com --tech nextjs
YOU
|
โโโโโโโผโโโโโโ
โ Claude โ โโโ Burp MCP (sees your traffic)
โ Code โ โโโ HackerOne MCP (program intel)
โโโโโโโฌโโโโโโ
|
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโ
| | |
โโโโโโโผโโโโโโ โโโโโโโโผโโโโโโโ โโโโโโผโโโโโ
โ Recon โ โ Hunt โ โ Report โ
โ Agent โ โ Engine โ โ Writer โ
โโโโโโโฌโโโโโโ โโโโโโโโฌโโโโโโโ โโโโโโฌโโโโโ
| | |
subfinder scope check H1/Bugcrowd
httpx vuln test Intigriti
katana validate Immunefi
nuclei chain AโBโC CVSS 3.1
| | |
โโโโโโโผโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโผโโโโโโ
โ Hunt Memory โ
โ journal ยท patterns ยท audit ยท rate limit โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ-โโ
Each stage feeds the next. Claude orchestrates everything, or you run any stage independently.
| Command | What It Does |
|---|---|
/recon target.com |
Full recon โ subdomains, live hosts, URLs, nuclei scan |
/hunt target.com |
Active testing โ scope check, tech detect, test highest-ROI bugs |
/validate |
7-Question Gate + 4 gates โ PASS / KILL / DOWNGRADE / CHAIN REQUIRED |
/report |
Submission-ready report for H1/Bugcrowd/Intigriti/Immunefi |
/chain |
Find B and C from bug A โ systematic exploit chaining |
/scope <asset> |
Verify asset is in scope before testing |
/triage |
Quick 2-minute go/no-go before deep validation |
/web3-audit <contract> |
10-class smart contract checklist + Foundry PoC |
| Command | What It Does |
|---|---|
/autopilot target.com |
Full autonomous hunt loop with safety checkpoints |
/surface target.com |
AI-ranked attack surface from recon + memory |
/resume target.com |
Resume previous hunt โ shows what's untested |
/remember |
Save finding or pattern to persistent memory |
/intel target.com |
CVEs + disclosures cross-referenced with your hunt history |
7 specialized agents, each tuned for its role:
| Agent | What It Does | Model |
|---|---|---|
| recon-agent | Subdomain enum, live hosts, URL crawl, nuclei | Haiku (fast) |
| report-writer | Professional reports, impact-first, human tone | Opus (quality) |
| validator | 7-Question Gate + 4-gate finding validation | Sonnet |
| web3-auditor | 10-class contract audit + Foundry PoC stubs | Sonnet |
| chain-builder | Systematic A-B-C exploit chaining | Sonnet |
| autopilot | Autonomous hunt loop with circuit breaker | Sonnet |
| recon-ranker | Attack surface ranking from recon + memory | Haiku (fast) |
The "brain in a jar" is now a bionic hacker.
/autopilot7-step loop that runs continuously: scope - recon - rank - hunt - validate - report - checkpoint
Three checkpoint modes:
--paranoid โ stops after every finding for your review--normal โ batches findings, checkpoints every few minutes--yolo โ minimal stops (still requires approval for report submissions)Built-in safety: circuit breaker stops hammering hosts after consecutive failures, per-host rate limiting, every request logged to audit.jsonl.
Burp Suite MCP โ Claude can read your proxy history, replay requests through Burp, use Collaborator payloads. Your AI copilot now sees the same traffic you do.
HackerOne MCP โ Public API integration:
search_disclosed_reports โ search Hacktivity by keyword or programget_program_stats โ bounty ranges, response times, resolved countsget_program_policy โ scope, safe harbor, excluded vuln classes/intelWraps learn.py + HackerOne MCP + hunt memory:
scope_checker.py uses anchored suffix matching โ code check, not LLM judgment:
*.target.com matches api.target.com but NOT evil-target.com| Class | Key Techniques | Typical Payout |
|---|---|---|
| IDOR | Object-level, field-level, GraphQL node(), UUID enum, method swap | $500 - $5K |
| Auth Bypass | Missing middleware, client-side checks, BFLA | $1K - $10K |
| XSS | Reflected, stored, DOM, postMessage, CSP bypass, mXSS | $500 - $5K |
| SSRF | Redirect chain, DNS rebinding, cloud metadata, 11 IP bypasses | $1K - $15K |
| Business Logic | Workflow bypass, negative quantity, price manipulation | $500 - $10K |
| Race Conditions | TOCTOU, coupon reuse, limit overrun, double spend | $500 - $5K |
| SQLi | Error-based, blind, time-based, ORM bypass, WAF bypass | $1K - $15K |
| OAuth/OIDC | Missing PKCE, state bypass, 11 redirect_uri bypasses | $500 - $5K |
| File Upload | Extension bypass, MIME confusion, polyglots, 10 bypasses | $500 - $5K |
| GraphQL | Introspection, node() IDOR, batching bypass, mutation auth | $1K - $10K |
| LLM/AI | Prompt injection, chatbot IDOR, ASI01-ASI10 framework | $500 - $10K |
| API Misconfig | Mass assignment, JWT attacks, prototype pollution, CORS | $500 - $5K |
| ATO | Password reset poisoning, token leaks, 9 takeover paths | $1K - $20K |
| SSTI | Jinja2, Twig, Freemarker, ERB, Thymeleaf -> RCE | $2K - $10K |
| Subdomain Takeover | GitHub Pages, S3, Heroku, Netlify, Azure | $200 - $5K |
| Cloud/Infra | S3 listing, EC2 metadata, Firebase, K8s, Docker API | $500 - $20K |
| HTTP Smuggling | CL.TE, TE.CL, TE.TE, H2.CL request tunneling | $5K - $30K |
| Cache Poisoning | Unkeyed headers, parameter cloaking, web cache deception | $1K - $10K |
| MFA Bypass | No rate limit, OTP reuse, response manipulation, race | $1K - $10K |
| SAML/SSO | XSW, comment injection, signature stripping, XXE | $2K - $20K |
| Class | Frequency | Typical Payout |
|---|---|---|
| Accounting Desync | 28% of Criticals | $50K - $2M |
| Access Control | 19% of Criticals | $50K - $2M |
| Incomplete Code Path | 17% of Criticals | $50K - $2M |
| Off-By-One | 22% of Highs | $10K - $100K |
| Oracle Manipulation | 12% of reports | $100K - $2M |
| ERC4626 Attacks | Moderate | $50K - $500K |
| Reentrancy | Classic | $10K - $500K |
| Flash Loan | Moderate | $100K - $2M |
| Signature Replay | Moderate | $10K - $200K |
| Proxy/Upgrade | Moderate | $50K - $2M |
tools/| Tool | What It Does |
|---|---|
hunt.py |
Master orchestrator โ chains recon, scan, report |
recon_engine.sh |
Subdomain enum + DNS + live hosts + URL crawl |
learn.py |
CVE + disclosure intel from NVD, GitHub Advisory, HackerOne |
intel_engine.py |
Memory-aware intel wrapper (learn.py + HackerOne MCP + memory) |
validate.py |
4-gate validation โ scope, impact, dedup, CVSS |
report_generator.py |
H1/Bugcrowd/Intigriti report output |
scope_checker.py |
Deterministic scope safety with anchored suffix matching |
cicd_scanner.sh |
GitHub Actions SAST โ wraps sisakulint remote scan (52 rules, 81.6% GHSA coverage) |
mindmap.py |
Prioritized attack mindmap generator |
tools/| Tool | Target |
|---|---|
h1_idor_scanner.py |
Object-level and field-level IDOR |
h1_mutation_idor.py |
GraphQL mutation IDOR |
h1_oauth_tester.py |
OAuth misconfigs (PKCE, state, redirect_uri) |
h1_race.py |
Race conditions (TOCTOU, limit overrun) |
zero_day_fuzzer.py |
Logic bugs, edge cases, access control |
cve_hunter.py |
Tech fingerprinting + known CVE matching |
vuln_scanner.sh |
Orchestrates nuclei + dalfox + sqlmap |
hai_probe.py |
AI chatbot IDOR, prompt injection |
hai_payload_builder.py |
Prompt injection payload generator |
mcp/| Server | Tools Provided |
|---|---|
Burp Suite (burp-mcp-client/) |
Read proxy history, replay requests, Collaborator payloads |
HackerOne (hackerone-mcp/) |
search_disclosed_reports, get_program_stats, get_program_policy |
memory/| Module | What It Does |
|---|---|
hunt_journal.py |
Append-only JSONL hunt log (concurrent-safe via fcntl.flock) |
pattern_db.py |
Cross-target pattern DB โ matches by vuln class + tech stack |
audit_log.py |
Every outbound request logged + per-host rate limiter + circuit breaker |
schemas.py |
Schema validation for all entry types (versioned) |
claude-bug-bounty/
โโโ skills/ 8 skill domains (SKILL.md files)
โโโ commands/ 13 slash commands
โโโ agents/ 7 specialized AI agents
โโโ tools/ 21 Python/shell tools
โโโ memory/ Persistent hunt memory system
โโโ mcp/ MCP server integrations
โ โโโ burp-mcp-client/ Burp Suite proxy
โ โโโ hackerone-mcp/ HackerOne public API
โโโ tests/ 129 tests
โโโ rules/ Always-active hunting + reporting rules
โโโ hooks/ Session start/stop hooks
โโโ docs/ Payload arsenal + technique guides
โโโ web3/ Smart contract skill chain
โโโ scripts/ Shell wrappers
โโโ wordlists/ 5 wordlists
# macOS
brew install go python3 node jq
# Linux (Debian/Ubuntu)
sudo apt install golang python3 nodejs jqgit clone https://github.com/shuvonsec/claude-bug-bounty.git
cd claude-bug-bounty
chmod +x install.sh && ./install.sh # Install skills + commands into ~/.claude/
bash install_tools.sh # Install recon/scan tools + sisakulintexport CHAOS_API_KEY="your-key-here"
echo 'export CHAOS_API_KEY="your-key-here"' >> ~/.zshrcConfigure in ~/.config/subfinder/config.yaml:
These are always active. Non-negotiable.
1. READ FULL SCOPE verify every asset before the first request
2. NO THEORETICAL BUGS "Can attacker do this RIGHT NOW?" โ if no, stop
3. KILL WEAK FAST Gate 0 is 30 seconds, saves hours
4. NEVER OUT-OF-SCOPE one request = potential ban
5. 5-MINUTE RULE nothing after 5 min = move on
6. RECON ONLY AUTO manual testing finds unique bugs
7. IMPACT-FIRST "worst thing if auth broken?" drives target selection
8. SIBLING RULE 9 endpoints have auth? check the 10th
9. AโB SIGNAL confirming A means B exists nearby โ hunt it
10. VALIDATE FIRST 7-Question Gate (15 min) before report (30 min)
| Repo | Purpose |
|---|---|
| claude-bug-bounty | Full hunting pipeline โ recon to report |
| web3-bug-bounty-hunting-ai-skills | Smart contract security โ 10 bug classes, Foundry PoCs |
| public-skills-builder | Ingest 500+ writeups into Claude skill files |
PRs welcome. Best contributions:
skills/security-arsenal/SKILL.mdgit checkout -b feature/your-contribution
git commit -m "Add: short description"
git push origin feature/your-contributionGitHub ย ย |ย ย Twitter ย ย |ย ย LinkedIn ย ย |ย ย Email
For authorized security testing only. Only test targets within an approved bug bounty scope.
Never test systems without explicit permission. Follow responsible disclosure practices.
MIT License
Built by bug hunters, for bug hunters.
If this helped you find a bug, leave a star.
| Version | Changes | Urgency | Date |
|---|---|---|---|
| v4.0.0 | ## Meme Coin Security Module New `/token-scan` command and full meme coin rug pull detection for EVM and Solana tokens. ### New Files (8) | Component | What It Does | |---|---| | `skills/meme-coin-audit/SKILL.md` | New skill โ rug pull detection, token authority checks, bonding curve exploits | | `tools/token_scanner.py` | Automated red flag scanner โ hidden mint, honeypot, fee traps, LP drain, fake renounce | | `agents/token-auditor.md` | Fast token audit agent (8-class protocol) | | `comman | High | 4/13/2026 |
| v3.0.0 | ## Bionic Hunter Release Transforms Claude Bug Bounty from a knowledge-only tool into a **bionic hacker** -- AI that sees your traffic, remembers past hunts, fetches real-time intel, and runs autonomous hunt loops. ### New Features **Autonomous Hunt Loop** (`/autopilot`) - 7-step loop: scope, recon, rank, hunt, validate, report, checkpoint - 3 modes: `--paranoid` (stop per finding), `--normal` (batch), `--yolo` (minimal checkpoints) - Circuit breaker stops hammering hosts after consecutive fa | Medium | 3/26/2026 |