AI-powered bug bounty hunting from your terminal - recon, 20 vuln classes, autonomous hunting, and report generation. All inside Claude Code.
AI-powered bug bounty hunting from your terminal - recon, 20 vuln classes, autonomous hunting, and report generation. All inside Claude Code.
Your AI hunting partner that remembers past targets, spots vulnerabilities, and writes reports for you.
The community made a meme coin to support the project CA: J6VzBAGnyyNEyzyHhauwg3ofRctFxnTLzQCcjUdGpump
by shuvonsec
14 commands ยท 8 AI agents ยท 9 skill domains
20 web2 vuln classes ยท 10 web3 bug classes
Burp MCP ยท HackerOne MCP ยท Autonomous Mode
Bug bounty hunting is when companies pay you real money to find security vulnerabilities in their websites and apps before bad actors do. Platforms like HackerOne and Bugcrowd connect hunters with companies. Payouts range from $100 to $1,000,000+ depending on severity.
This tool is a plugin for Claude Code (Anthropic's AI coding assistant) that turns it into a professional bug bounty hunting partner. Instead of juggling 15 different tools and writing reports from scratch, you just type a command and the AI handles the rest.
In plain terms:
Who is it for?
Most hunters waste hours on things that shouldn't take that long:
| Before | After |
|---|---|
| Run 10+ tools manually, hope for the best | AI orchestrates everything in the right order |
| Write reports from scratch (45 min each) | Report-writer agent generates submission-ready reports in 60s |
| Forget what worked last month | Memory system โ patterns from target A inform target B |
| Submit bugs without proper validation | 7-Question Gate kills weak findings before you waste time reporting |
| Can't see live browser traffic | Burp MCP โ AI reads your proxy history in real time |
| Hunt one endpoint at a time | /autopilot runs the full hunt loop while you watch |
Prerequisite: You need Claude Code installed. It's Anthropic's free AI coding tool that runs in your terminal.
Step 1 โ Install tools + skills
git clone https://github.com/shuvonsec/claude-bug-bounty.git
cd claude-bug-bounty
chmod +x install_tools.sh && ./install_tools.sh # installs scanning tools (subfinder, httpx, nuclei...)
chmod +x install.sh && ./install.sh # installs AI skills + commands into Claude CodeStep 2 โ Start hunting
claude # open Claude Code in your terminal
/recon target.com # step 1: map the target (subdomains, live pages, URLs)
/hunt target.com # step 2: test for vulnerabilities
/validate # step 3: make sure the finding is real before writing it up
/report # step 4: generate a professional submission reportThat's the core loop. Four commands, full workflow.
Step 3 โ Go autonomous
/autopilot target.com --normal # AI does the whole thing, pauses for your review at the end
/pickup target.com # continue where you left off on a previous target
/intel target.com # get CVEs + disclosed reports relevant to this targetDon't use Claude Code? Run the Python tools directly:
python3 tools/hunt.py --target target.com ./tools/recon_engine.sh target.com
Think of it like a team of specialists, each doing one job:
YOU
|
โโโโโโโผโโโโโโ
โ Claude โ โโโ Burp MCP (sees your browser traffic)
โ Code โ โโโ HackerOne MCP (program intel)
โโโโโโโฌโโโโโโ
|
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโ
| | |
โโโโโโโผโโโโโโ โโโโโโโโผโโโโโโโ โโโโโโผโโโโโ
โ Recon โ โ Hunt โ โ Report โ
โ (map it) โ โ (test it) โ โ(write itโ
โโโโโโโฌโโโโโโ โโโโโโโโฌโโโโโโโ โโโโโโฌโโโโโ
| | |
finds all checks for formats for
subdomains, vulnerabilities HackerOne /
URLs, APIs & validates Bugcrowd /
findings Immunefi
| | |
โโโโโโโผโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโผโโโโโโ
โ Hunt Memory โ
โ remembers everything across sessions โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Each step feeds the next. Claude orchestrates all of it, or you run any step on its own.
| Command | What It Does | When To Use |
|---|---|---|
/recon target.com |
Maps the target โ finds all subdomains, live pages, APIs, and runs basic scans | Always first |
/hunt target.com |
Actively tests for vulnerabilities using the right technique for the tech stack | After recon |
/validate |
Runs a 7-question check to confirm a finding is real before you write it up | Before every report |
/report |
Generates a professional submission report for H1/Bugcrowd/Intigriti/Immunefi | After validation |
| Command | What It Does |
|---|---|
/autopilot target.com |
AI runs the full loop automatically โ recon โ hunt โ validate โ report |
/surface target.com |
Shows a ranked list of the best places to test (based on your past findings) |
/pickup target.com |
Shows untested endpoints from last session and picks up where you left off |
/remember |
Saves the current finding or technique to memory for future use |
/intel target.com |
Pulls CVEs and past disclosed reports relevant to this target |
/chain |
When you find bug A, this finds bugs B and C that usually come with it |
/scope <asset> |
Checks if a domain or URL is in scope before you test it |
/triage |
Quick 2-minute go/no-go check โ should you keep investigating or move on? |
/web3-audit <contract> |
Full smart contract security audit with 10 bug class checklist |
/token-scan <contract> |
Scans a meme coin or token for rug pull signals (EVM + Solana) |
8 specialized agents, each built for one job:
| Agent | What It Does |
|---|---|
| recon-agent | Finds all subdomains, live hosts, and URLs for a target |
| report-writer | Writes professional, impact-first reports that get paid |
| validator | Runs the 7-Question Gate โ kills weak findings before you waste time |
| web3-auditor | Audits smart contracts for 10 common vulnerability classes |
| chain-builder | When you find one bug, finds the chain of related bugs |
| autopilot | Runs the whole hunt loop autonomously with safety checkpoints |
| recon-ranker | Ranks the attack surface so you test the highest-value targets first |
| token-auditor | Fast meme coin / token rug pull and security analysis |
/remember. Now the flywheel starts on day 1.install_tools.sh added to Quick Start (was missing)hunt-memory/ added to .gitignore (contains full URL history, shouldn't be committed)/token-scan <contract> โ automated rug pull scanner for EVM and Solana tokensskills/meme-coin-audit/ โ 8 token bug classes: mint authority, freeze authority, LP locks, honeypot detection, bonding curve exploits, Solana SPL checkstoken-auditorv3.1.0 โ Hunting Methodology Skill
skills/bb-methodology/ โ mindset + 5-phase non-linear workflow, decision trees per vuln class, 20-min rotation clockv3.0.0 โ The Bionic Hunter
/autopilot โ full autonomous hunt loop with --paranoid, --normal, --yolo modes/intel, /pickup, /remember, /surface commandsv2.1.0 โ 20 Vuln Classes
These are the types of security bugs it looks for in regular websites and APIs:
| Vulnerability | What It Means | Typical Payout |
|---|---|---|
| IDOR | Accessing another user's data by changing a number in the URL | $500 - $5K |
| Auth Bypass | Getting into accounts or admin panels without permission | $1K - $10K |
| XSS | Injecting malicious scripts into web pages | $500 - $5K |
| SSRF | Making the server fetch internal resources it shouldn't | $1K - $15K |
| Business Logic | Exploiting flaws in how the app is supposed to work | $500 - $10K |
| Race Conditions | Sending requests at the same time to get double rewards/credits | $500 - $5K |
| SQL Injection | Manipulating the database through user inputs | $1K - $15K |
| OAuth/OIDC | Breaking the "Login with Google/GitHub" flows | $500 - $5K |
| File Upload | Uploading malicious files that get executed | $500 - $5K |
| GraphQL | Auth bypass and data leaks through GraphQL APIs | $1K - $10K |
| LLM/AI | Prompt injection and IDOR in AI-powered features | $500 - $10K |
| API Misconfig | Mass assignment, JWT attacks, broken CORS | $500 - $5K |
| Account Takeover | Taking over someone else's account | $1K - $20K |
| SSTI | Template injection that leads to code execution | $2K - $10K |
| Subdomain Takeover | Claiming expired subdomains (GitHub Pages, S3, Heroku) | $200 - $5K |
| Cloud/Infra | Exposed S3 buckets, EC2 metadata, Firebase, Kubernetes | $500 - $20K |
| HTTP Smuggling | Confusing front-end and back-end servers to bypass security | $5K - $30K |
| Cache Poisoning | Poisoning CDN caches to serve malicious content to others | $1K - $10K |
| MFA Bypass | Getting past two-factor authentication | $1K - $10K |
| SAML/SSO | Breaking enterprise single sign-on implementations | $2K - $20K |
These are bugs in blockchain smart contracts, common on Immunefi:
| Vulnerability | What It Means | Typical Payout |
|---|---|---|
| Accounting Desync | Contract's math gets out of sync with reality | $50K - $2M |
| Access Control | Functions that should be admin-only aren't | $50K - $2M |
| Incomplete Code Path | Edge cases that drain funds | $50K - $2M |
| Off-By-One | Math errors that let attackers take more than they should | $10K - $100K |
| Oracle Manipulation | Manipulating price feeds to exploit DeFi protocols | $100K - $2M |
| ERC4626 Attacks | Vault share inflation attacks | $50K - $500K |
| Reentrancy | Calling back into a contract before it finishes | $10K - $500K |
| Flash Loan | Using uncollateralized loans to manipulate prices | $100K - $2M |
| Signature Replay | Reusing signed transactions | $10K - $200K |
| Proxy/Upgrade | Exploiting upgradeable contract patterns | $50K - $2M |
# macOS
brew install go python3 node jq
# Linux (Ubuntu/Debian)
sudo apt install golang python3 nodejs jqYou also need Claude Code installed and a free account.
git clone https://github.com/shuvonsec/claude-bug-bounty.git
cd claude-bug-bounty
chmod +x install_tools.sh && ./install_tools.sh # scanning tools (subfinder, httpx, nuclei, etc.)
chmod +x install.sh && ./install.sh # AI skills + commands into Claude Codeexport CHAOS_API_KEY="your-key-here"
echo 'export CHAOS_API_KEY="your-key-here"' >> ~/.zshrcAdd to ~/.config/subfinder/config.yaml:
These apply every session, no exceptions:
1. READ FULL SCOPE FIRST โ only test what the program says you can
2. ONLY REAL BUGS โ "Can an attacker do this RIGHT NOW?" if no, stop
3. KILL WEAK FINDINGS FAST โ 30-second check saves hours of wasted reporting
4. NEVER GO OUT OF SCOPE โ one wrong request can get you banned
5. 5-MINUTE RULE โ no progress after 5 min? move to the next target
6. VALIDATE BEFORE REPORT โ run /validate before you spend 30 min writing
7. IMPACT FIRST โ start with the bugs that have the worst consequences
| Repo | What It's For |
|---|---|
| claude-bug-bounty | This โ full hunting pipeline from recon to report |
| web3-bug-bounty-hunting-ai-skills | Smart contract security โ 10 bug classes, Foundry PoC templates |
| public-skills-builder | Turns 500+ public bug writeups into Claude skill files |
PRs welcome. Best contributions:
skills/security-arsenal/SKILL.mdgit checkout -b feature/your-contribution
git commit -m "Add: short description"
git push origin feature/your-contributionGitHub ย ย |ย ย Twitter ย ย |ย ย LinkedIn ย ย |ย ย Email
For authorized security testing only. Only test targets within an approved bug bounty program scope.
Never test systems without explicit written permission. Follow responsible disclosure.
MIT License ยท Built by bug hunters, for bug hunters.
If this helped you find a bug, leave a star โญ
| Version | Changes | Urgency | Date |
|---|---|---|---|
| v4.0.0 | ## Meme Coin Security Module New `/token-scan` command and full meme coin rug pull detection for EVM and Solana tokens. ### New Files (8) | Component | What It Does | |---|---| | `skills/meme-coin-audit/SKILL.md` | New skill โ rug pull detection, token authority checks, bonding curve exploits | | `tools/token_scanner.py` | Automated red flag scanner โ hidden mint, honeypot, fee traps, LP drain, fake renounce | | `agents/token-auditor.md` | Fast token audit agent (8-class protocol) | | `comman | High | 4/13/2026 |
| v3.0.0 | ## Bionic Hunter Release Transforms Claude Bug Bounty from a knowledge-only tool into a **bionic hacker** -- AI that sees your traffic, remembers past hunts, fetches real-time intel, and runs autonomous hunt loops. ### New Features **Autonomous Hunt Loop** (`/autopilot`) - 7-step loop: scope, recon, rank, hunt, validate, report, checkpoint - 3 modes: `--paranoid` (stop per finding), `--normal` (batch), `--yolo` (minimal checkpoints) - Circuit breaker stops hammering hosts after consecutive fa | Medium | 3/26/2026 |
| v1.0.0 | ## Initial Release AI-assisted bug bounty hunting with Claude Code โ point it at any target and Claude maps the attack surface, runs scanners, validates findings, and writes the HackerOne or Bugcrowd report. ### What's included - Full recon pipeline โ subdomain enum, DNS resolution, live host detection, URL crawling - Vulnerability scanners โ IDOR, SSRF, XSS, SQLi, OAuth, GraphQL, LLM injection, race conditions - AI/LLM testing โ prompt injection, chatbot IDOR, system prompt extraction - Web3 | Low | 3/13/2026 |