security-bounty-hunter
$
npx mdskill add affaan-m/ECC/security-bounty-hunterTarget high-value remote vulnerabilities for bounty submission.
- Identifies exploitable issues eligible for real security bounties.
- Prioritizes SSRF, injection, and deserialization flaws over noise.
- Filters out local-only findings and out-of-scope patterns.
- Delivers actionable reports ready for HackerOne or similar platforms.
SKILL.md
.github/skills/security-bounty-hunterView on GitHub ↗
--- name: security-bounty-hunter description: Hunt for exploitable, bounty-worthy security issues in repositories. Focuses on remotely reachable vulnerabilities that qualify for real reports instead of noisy local-only findings. origin: ECC direct-port adaptation version: "1.0.0" --- # Security Bounty Hunter Use this when the goal is practical vulnerability discovery for responsible disclosure or bounty submission, not a broad best-practices review. ## When to Use - Scanning a repository for exploitable vulnerabilities - Preparing a Huntr, HackerOne, or similar bounty submission - Triage where the question is "does this actually pay?" rather than "is this theoretically unsafe?" ## How It Works Bias toward remotely reachable, user-controlled attack paths and throw away patterns that platforms routinely reject as informative or out of scope. ## In-Scope Patterns These are the kinds of issues that consistently matter: | Pattern | CWE | Typical impact | | --- | --- | --- | | SSRF through user-controlled URLs | CWE-918 | internal network access, cloud metadata theft | | Auth bypass in middleware or API guards | CWE-287 | unauthorized account or data access | | Remote deserialization or upload-to-RCE paths | CWE-502 | code execution | | SQL injection in reachable endpoints | CWE-89 | data exfiltration, auth bypass, data destruction | | Command injection in request handlers | CWE-78 | code execution | | Path traversal in file-serving paths | CWE-22 | arbitrary file read or write | | Auto-triggered XSS | CWE-79 | session theft, admin compromise | ## Skip These These are usually low-signal or out of bounty scope unless the program says otherwise: - Local-only `pickle.loads`, `torch.load`, or equivalent with no remote path - `eval()` or `exec()` in CLI-only tooling - `shell=True` on fully hardcoded commands - Missing security headers by themselves - Generic rate-limiting complaints without exploit impact - Self-XSS requiring the victim to paste code manually - CI/CD injection that is not part of the target program scope - Demo, example, or test-only code ## Workflow 1. Check scope first: program rules, SECURITY.md, disclosure channel, and exclusions. 2. Find real entrypoints: HTTP handlers, uploads, background jobs, webhooks, parsers, and integration endpoints. 3. Run static tooling where it helps, but treat it as triage input only. 4. Read the real code path end to end. 5. Prove user control reaches a meaningful sink. 6. Confirm exploitability and impact with the smallest safe PoC possible. 7. Check for duplicates before drafting a report. ## Example Triage Loop ```bash semgrep --config=auto --severity=ERROR --severity=WARNING --json ``` Then manually filter: - drop tests, demos, fixtures, vendored code - drop local-only or non-reachable paths - keep only findings with a clear network or user-controlled route ## Report Structure ```markdown ## Description [What the vulnerability is and why it matters] ## Vulnerable Code [File path, line range, and a small snippet] ## Proof of Concept [Minimal working request or script] ## Impact [What the attacker can achieve] ## Affected Version [Version, commit, or deployment target tested] ``` ## Quality Gate Before submitting: - The code path is reachable from a real user or network boundary - The input is genuinely user-controlled - The sink is meaningful and exploitable - The PoC works - The issue is not already covered by an advisory, CVE, or open ticket - The target is actually in scope for the bounty program
More from affaan-m/ECC
- accessibilityDesign, implement, and audit inclusive digital products using WCAG 2.2 Level AA
- agent-architecture-auditFull-stack diagnostic for agent and LLM applications. Audits the 12-layer agent stack for wrapper regression, memory pollution, tool discipline failures, hidden repair loops, and rendering corruption. Produces severity-ranked findings with code-first fixes. Essential for developers building agent applications, autonomous loops, or any LLM-powered feature.
- agent-evalHead-to-head comparison of coding agents (Claude Code, Aider, Codex, etc.) on custom tasks with pass rate, cost, time, and consistency metrics
- agent-harness-constructionDesign and optimize AI agent action spaces, tool definitions, and observation formatting for higher completion rates.
- agent-introspection-debuggingStructured self-debugging workflow for AI agent failures using capture, diagnosis, contained recovery, and introspection reports.
- agent-payment-x402Add x402 payment execution to AI agents with per-task budgets, spending controls, and non-custodial wallets. Supports Base through agentwallet-sdk and X Layer through OKX Payments / OKX Agent Payments Protocol.
- agent-sortBuild an evidence-backed ECC install plan for a specific repo by sorting skills, commands, rules, hooks, and extras into DAILY vs LIBRARY buckets using parallel repo-aware review passes. Use when ECC should be trimmed to what a project actually needs instead of loading the full bundle.
- agentic-engineeringOperate as an agentic engineer using eval-first execution, decomposition, and cost-aware model routing.
- agentic-osBuild persistent multi-agent operating systems on Claude Code. Covers kernel architecture, specialist agents, slash commands, file-based memory, scheduled automation, and state management without external databases.
- ai-first-engineeringEngineering operating model for teams where AI agents generate a large share of implementation output.