A community-driven registry for Claude, Cursor, Windsurf, Cline & more. Not affiliated with Anthropic.
Are you the author? Sign in to claim
AI-powered bug bounty hunting from your terminal - recon, 20 vuln classes, autonomous hunting, and report generation.
AI-powered bug bounty hunting — recon to report, in your terminal.
Find vulnerabilities. Validate them. Get paid. No subscription required.
Free Setup · Quick Start · Commands · What It Finds · Install · FAQ
A professional bug bounty hunting toolkit that works with or without a Claude subscription. Give it a target — it handles recon, tests for vulnerabilities, validates findings through a strict gate, and writes submission-ready reports for HackerOne, Bugcrowd, Intigriti, and Immunefi.
It remembers everything. Patterns found on one target inform the next. Sessions pick up where they left off.
Works as a Claude Code plugin or as a fully standalone CLI (bughunter) powered by free AI providers.
You no longer need Claude Code, Claude Pro, or any paid AI subscription.
Install once, use the bughunter command from any terminal on your machine:
git clone https://github.com/shuvonsec/claude-bug-bounty.git
cd claude-bug-bounty
./install.sh --agent standalone
bughunter help # show every command
bughunter setup # choose your AI provider (Ollama is free + offline)
bughunter recon target.com # map the attack surface
bughunter hunt target.com # hunt for vulnerabilities
bughunter validate "finding" # 7-Question Gate on your finding
bughunter report # write a submission-ready report
bughunter chat # interactive AI hunting shell
bughunter providers # list all available AI providers
bughunter status # check which provider is active
bughunter h target.com # short alias for hunt
bughunter r target.com # short alias for recon
bughunter v "finding" # short alias for validate
| Provider | Cost | Privacy | Speed | Get Started |
|---|---|---|---|---|
| Ollama | 100% free · runs locally | Full — stays on your machine | Fast | ollama pull qwen2.5:14b |
| Groq | Free tier available | Cloud | Very fast | console.groq.com → get API key |
| DeepSeek | Very cheap ($0.001/1K tokens) | Cloud | Fast | platform.deepseek.com |
| Claude API | Paid | Cloud | Fast | console.anthropic.com |
| OpenAI | Paid | Cloud | Fast | platform.openai.com |
BugHunter auto-detects providers in this order: Ollama → Groq → DeepSeek → Claude → OpenAI
Switch providers anytime: bughunter setup
# 1. Install Ollama (runs AI locally, no internet needed after download)
curl -fsSL https://ollama.ai/install.sh | sh
ollama pull qwen2.5:14b # ~9 GB, one-time download
# 2. Install BugHunter
git clone https://github.com/shuvonsec/claude-bug-bounty.git
cd claude-bug-bounty
./install.sh --agent standalone # creates system-wide 'bughunter' command
# 3. Hunt
bughunter setup # choose Ollama
bughunter recon target.com
export GROQ_API_KEY="your-key-here" # free at console.groq.com
./install.sh --agent standalone
bughunter setup # choose Groq
bughunter hunt target.com
Option A — standalone (no subscription, works for everyone)
git clone https://github.com/shuvonsec/claude-bug-bounty.git
cd claude-bug-bounty
./install.sh --agent standalone # creates system-wide 'bughunter' command
bughunter setup # pick a free AI provider
bughunter recon target.com
bughunter hunt target.com
bughunter validate "my finding"
bughunter report
Option B — Claude Code plugin (requires Claude Code)
git clone https://github.com/shuvonsec/claude-bug-bounty.git
cd claude-bug-bounty
chmod +x install_tools.sh && ./install_tools.sh # subfinder · httpx · nuclei · katana · ffuf
chmod +x install.sh && ./install.sh # skills + commands → ~/.claude/
claude
/recon target.com # map the attack surface
/hunt target.com # test for vulnerabilities
/validate # run the 7-Question Gate
/report # write the submission
Option C — let Claude install it (Claude Code only)
Open your terminal, run claude, then paste:
Install the Claude Bug Bounty toolkit from https://github.com/shuvonsec/claude-bug-bounty
into ~/tools/. Clone the repo, run ./install_tools.sh then ./install.sh.
Verify /recon /hunt /validate /report are available.
| Command | What It Does |
|---|---|
/recon target.com | Subdomain enum · live host probing · URL crawl · nuclei sweep |
/hunt target.com | Tests IDOR · auth bypass · SSRF · XSS · SQLi · logic flaws and more |
/validate | 7-Question Gate — kills weak findings before you waste time reporting |
/report | Generates an H1 · Bugcrowd · Intigriti · Immunefi submission in 60s |
/autopilot target.com | Full loop, autonomous — scope → recon → hunt → validate → report |
| Command | What It Does |
|---|---|
/surface target.com | Ranked attack surface from recon data + memory |
/scope-aggregate <program> | All in-scope assets across H1 · Bugcrowd · Intigriti · YWH · Immunefi |
/cloud-recon --keyword <name> | Public S3 · Azure · GCP buckets + CloudFlare-bypass origin IPs |
/param-discover <url> | Hidden HTTP parameters via Arjun · x8 |
/secrets-hunt --js-bundle <dir> | Leaked credentials in source, JS bundles, or a GitHub org |
/takeover --recon <dir> | Subdomain takeover candidates via dnsReaper · subjack |
/scan-cves <host> | Focused nuclei high/critical sweep + optional log4j-scan |
/bypass-403 <url> | Header · method · encoding tricks against 403/401 |
| Command | What It Does |
|---|---|
/web3-audit <contract.sol> | 10-class smart contract audit with Foundry PoC template |
/token-scan <contract> | Rug pull scanner — mint authority · LP lock · honeypot · bonding curve |
| Command | What It Does |
|---|---|
/pickup target.com | Resume from last session — untested endpoints first |
/intel target.com | CVEs + disclosed reports relevant to this target |
/chain | Bug A found → finds bugs B and C that chain with it |
/scope <asset> | Checks if a domain or URL is in scope before you test it |
/triage | Quick 2-minute go/no-go check |
/remember | Logs the current finding or technique to hunt memory |
/memory-gc | Inspect or rotate hunt-memory JSONL files (10 MB cap, 3 backups) |
/arsenal [tool] | Lists installed external tools or prints an install hint |
| Vulnerability | Typical Payout |
|---|---|
| IDOR / BOLA | $500 – $5K |
| Auth Bypass | $1K – $10K |
| XSS (Stored / Reflected / DOM) | $500 – $5K |
| SSRF | $1K – $15K |
| Business Logic | $500 – $10K |
| Race Conditions | $500 – $5K |
| SQL Injection | $1K – $15K |
| OAuth / OIDC | $500 – $5K |
| File Upload → RCE | $500 – $10K |
| GraphQL Auth Bypass | $1K – $10K |
| LLM / Prompt Injection | $500 – $10K |
| API Misconfiguration (mass assignment · JWT · CORS) | $500 – $5K |
| Account Takeover | $1K – $20K |
| SSTI | $2K – $10K |
| Subdomain Takeover | $200 – $5K |
| Cloud / Infra Exposure | $500 – $20K |
| HTTP Request Smuggling | $5K – $30K |
| Cache Poisoning | $1K – $10K |
| MFA / 2FA Bypass | $1K – $10K |
| SAML / SSO Attack | $2K – $20K |
| Vulnerability | Typical Payout |
|---|---|
| Accounting Desync | $50K – $2M |
| Access Control | $50K – $2M |
| Incomplete Code Path | $50K – $2M |
| Off-By-One | $10K – $100K |
| Oracle Manipulation | $100K – $2M |
| ERC4626 Share Inflation | $50K – $500K |
| Reentrancy | $10K – $500K |
| Flash Loan Attack | $100K – $2M |
| Signature Replay | $10K – $200K |
| Proxy / Upgrade | $50K – $2M |
Nine specialists, each built for one job:
| Agent | Role |
|---|---|
recon-agent | Subdomain enum · live host discovery · URL crawl |
report-writer | Impact-first reports that get paid, not N/A'd |
validator | Runs the 7-Question Gate — kills weak findings |
web3-auditor | Smart contract audit across 10 bug classes |
chain-builder | Bug A → finds bugs B and C that chain with it |
autopilot | Full hunt loop with safety checkpoints |
recon-ranker | Ranks attack surface by highest-value targets first |
token-auditor | Meme coin / token rug pull and security scan |
credential-hunter | Wordlist gen → OSINT → breach-check → spray (hard-stop before spray) |
You → /recon → /hunt → /validate → /report
↓ ↓
Hunt Memory 7-Question Gate
(persists across (kills weak findings
sessions) before you submit)
Every tool in the pipeline is gated on whether it's installed — missing tools are skipped, not errors. Auth headers set once carry through httpx · katana · ffuf · nuclei · dalfox automatically.
claude-bug-bounty/
│
├── skills/ # AI knowledge bases — loaded as /skill-name
│ ├── bug-bounty/ # Master workflow — all vuln classes, LLM testing, chains
│ ├── bb-methodology/ # Hunting mindset · 5-phase workflow · session discipline
│ ├── web2-recon/ # Subdomain enum · live host discovery · URL crawl
│ ├── web2-vuln-classes/ # 21 bug classes with bypass tables
│ ├── security-arsenal/ # Payloads · bypass tables · gf patterns
│ ├── triage-validation/ # 7-Question Gate · 4 gates · never-submit list
│ ├── report-writing/ # Templates for H1 · Bugcrowd · Intigriti · Immunefi
│ ├── web3-audit/ # Smart contract bugs · Foundry PoC · 10 bug classes
│ ├── meme-coin-audit/ # Rug pull detection · LP attacks · bonding curve
│ └── credential-attack/ # Password spray methodology · legal guardrails
│
├── commands/ # 26 slash commands (/recon /hunt /validate /report …)
├── agents/ # 9 specialized AI agents (recon, validator, reporter …)
│
├── tools/ # Python + shell scanner pipeline (~35 tools)
│ ├── hunt.py # Master orchestrator
│ ├── recon_engine.sh # Subdomain + URL discovery
│ ├── vuln_scanner.sh # XSS · SQLi · SSRF · SSTI probe pipeline
│ ├── validate.py # 4-gate finding validator with identity checks
│ └── … # 30+ more scanners — see tools/README.md
│
├── memory/ # Cross-session hunt memory (pattern DB · audit log)
├── rules/ # Always-active hunting + reporting rules
├── tests/ # Regression test suite (pytest)
├── web3/ # 13-chapter smart contract audit guide
├── mcp/ # MCP integrations — Burp Suite · Caido · HackerOne API
├── wordlists/ # Curated wordlists + SecLists / PayloadsAllTheThings refs
├── scripts/ # Dork runner · full hunt pipeline
├── hooks/ # Claude Code hook configuration
├── site/ # bughunter.fun landing page
├── demo/ # Local vulnerable target for tutorial recordings
│
├── docs/ # Extended documentation
│ ├── advanced-techniques.md # Exploitation techniques + chaining strategies
│ ├── auth-sessions.md # Auth header management guide
│ ├── payloads.md # Payload reference for common vuln classes
│ ├── smart-contract-audit.md# Smart contract audit deep-dive
│ ├── TUTORIAL.md # A→Z video tutorial walkthrough
│ └── TODOS.md # Open improvement items
│
├── .github/ # GitHub community health files
│ ├── CONTRIBUTING.md # How to contribute
│ ├── CODE_OF_CONDUCT.md # Community standards
│ ├── SECURITY.md # Vulnerability reporting policy
│ ├── PULL_REQUEST_TEMPLATE.md
│ └── ISSUE_TEMPLATE/ # Bug report · Feature request · False positive
│
├── engine.py # Standalone CLI — 'bughunter' command, no subscription needed
├── brain.py # Multi-provider LLM layer (Ollama · Groq · DeepSeek · Claude · OpenAI)
├── agent.py # LangGraph-style ReAct hunting agent
├── install.sh # Install skills + commands → ~/.claude/ (or standalone mode)
├── install_tools.sh # Install subfinder · httpx · nuclei · katana · ffuf …
├── uninstall.sh # Remove skills + commands from ~/.claude/
├── uninstall_tools.sh # Remove external scanning tools
├── serve.py # Launch local demo target (python3 serve.py)
├── config.example.json # Auth session config template
├── requirements.txt # Python dependencies
├── CLAUDE.md # Claude Code plugin manifest (auto-loaded)
├── AGENTS.md # Multi-harness plugin guide (OpenCode · Codex · Pi)
├── SKILL.md # Master skill shortcut (auto-loaded by agent harnesses)
├── OPENCODE.md # OpenCode-specific installation guide
├── CHANGELOG.md # Version history
├── FAQ.md # Frequently asked questions
└── TERMS.md # Terms of use + authorized testing only
Prerequisites:
# macOS
brew install go python3 jq
# Linux (Ubuntu/Debian)
sudo apt install golang python3 jq
Scanning tools (installs subfinder · httpx · nuclei · katana · ffuf · gau · dnsx · nmap · dalfox and more):
chmod +x install_tools.sh && ./install_tools.sh
Standalone bughunter command (no subscription, works without Claude Code):
./install.sh --agent standalone
bughunter setup # choose Ollama (free) · Groq (free tier) · DeepSeek (cheap) · Claude · OpenAI
AI skills + commands into Claude Code:
chmod +x install.sh && ./install.sh
Other agent harnesses:
./install.sh --agent opencode # OpenCode
./install.sh --agent pi # Pi Agent
./install.sh --agent codex # Codex
./install.sh --agent all # every supported target
Optional: Chaos API key (better subdomain coverage)
export CHAOS_API_KEY="your-key"
echo 'export CHAOS_API_KEY="your-key"' >> ~/.zshrc
These run every session, no exceptions:
1. Read full scope first — only test what the program says you can
2. Real bugs only — "Can an attacker do this RIGHT NOW?" if no, stop
3. Kill weak findings — 30-second check saves hours of wasted reporting
4. Never go out of scope — one wrong request can get you banned
5. 5-minute rule — no progress after 5 min? move to the next target
6. Validate before report — /validate before spending 30 min writing
7. Impact first — test the bugs with the worst consequences first
PRs welcome. Most valuable:
skills/security-arsenal/SKILL.mdgit checkout -b feature/your-contribution
git commit -m "feat: short description"
git push origin feature/your-contribution
GitHub · Twitter · shuvonsec@gmail.com
Built by bug hunters, for bug hunters.
MIT License · For authorized security testing only. Always test within an approved bug bounty program scope.
Native macOS app to monitor Claude AI usage limits and watch your coding sessions live
npx CLI installing 100+ agents, commands, hooks, and integrations in one command
干净、强大、属于你的 AI Agent 平台 --AI agents, without the clutter.
Pocket Flow: Codebase to Tutorial