Your AI hunting partner that remembers past targets, spots vulnerabilities, and writes reports for you.
The community made a meme coin to support the project CA: J6VzBAGnyyNEyzyHhauwg3ofRctFxnTLzQCcjUdGpump
by shuvonsec
What Is This? | Quick Start | Commands | What's New | Install | FAQ | Terms
14 commands · 8 AI agents · 9 skill domains
20 web2 vuln classes · 10 web3 bug classes
Burp MCP · HackerOne MCP · Autonomous Mode
Bug bounty hunting is when companies pay you real money to find security vulnerabilities in their websites and apps before bad actors do. Platforms like HackerOne and Bugcrowd connect hunters with companies. Payouts range from $100 to $1,000,000+ depending on severity.
This tool is a plugin for Claude Code (Anthropic's AI coding assistant) that turns it into a professional bug bounty hunting partner. Instead of juggling 15 different tools and writing reports from scratch, you just type a command and the AI handles the rest.
In plain terms:
- You give it a target website
- It automatically scans the site, finds vulnerabilities, validates they're real, and writes a professional report
- It remembers what you found on past targets and applies that knowledge to new ones
- You can even put it on autopilot and let it hunt on its own while you sleep
Who is it for?
- Security researchers who want to move faster
- Bug bounty hunters who are tired of the manual grind
- People learning security who want AI guidance at every step
Most hunters waste hours on things that shouldn't take that long:
- Manually running 10+ tools in the right order just to map a target
- Writing the same report structure from scratch every single time (45 min each)
- Forgetting that a technique worked on a similar target 3 months ago
- Submitting bugs that get rejected because they weren't properly validated first
- Jumping between terminal windows, browser, notes, and report drafts
| Before | After |
|---|---|
| Run 10+ tools manually, hope for the best | AI orchestrates everything in the right order |
| Write reports from scratch (45 min each) | Report-writer agent generates submission-ready reports in 60s |
| Forget what worked last month | Memory system — patterns from target A inform target B |
| Submit bugs without proper validation | 7-Question Gate kills weak findings before you waste time reporting |
| Can't see live browser traffic | Burp MCP — AI reads your proxy history in real time |
| Hunt one endpoint at a time | /autopilot runs the full hunt loop while you watch |
Prerequisite: You need Claude Code installed. It's Anthropic's free AI coding tool that runs in your terminal.
Step 1 — Install tools + skills
git clone https://github.com/shuvonsec/claude-bug-bounty.git
cd claude-bug-bounty
chmod +x install_tools.sh && ./install_tools.sh # installs scanning tools (subfinder, httpx, nuclei...)
chmod +x install.sh && ./install.sh # installs AI skills + commands into Claude CodeStep 2 — Start hunting
claude # open Claude Code in your terminal
/recon target.com # step 1: map the target (subdomains, live pages, URLs)
/hunt target.com # step 2: test for vulnerabilities
/validate # step 3: make sure the finding is real before writing it up
/report # step 4: generate a professional submission reportThat's the core loop. Four commands, full workflow.
Step 3 — Go autonomous
/autopilot target.com --normal # AI does the whole thing, pauses for your review at the end
/pickup target.com # continue where you left off on a previous target
/intel target.com # get CVEs + disclosed reports relevant to this targetDon't use Claude Code? Run the Python tools directly:
python3 tools/hunt.py --target target.com ./tools/recon_engine.sh target.com
Think of it like a team of specialists, each doing one job:
YOU
|
┌─────▼─────┐
│ Claude │ ◄── Burp MCP (sees your browser traffic)
│ Code │ ◄── HackerOne MCP (program intel)
└─────┬─────┘
|
┌───────────────┼───────────────┐
| | |
┌─────▼─────┐ ┌──────▼──────┐ ┌────▼────┐
│ Recon │ │ Hunt │ │ Report │
│ (map it) │ │ (test it) │ │(write it│
└─────┬─────┘ └──────┬──────┘ └────┬────┘
| | |
finds all checks for formats for
subdomains, vulnerabilities HackerOne /
URLs, APIs & validates Bugcrowd /
findings Immunefi
| | |
┌─────▼───────────────▼───────────────▼─────┐
│ Hunt Memory │
│ remembers everything across sessions │
└────────────────────────────────────────────┘
Each step feeds the next. Claude orchestrates all of it, or you run any step on its own.
| Command | What It Does | When To Use |
|---|---|---|
/recon target.com |
Maps the target — finds all subdomains, live pages, APIs, and runs basic scans | Always first |
/hunt target.com |
Actively tests for vulnerabilities using the right technique for the tech stack | After recon |
/validate |
Runs a 7-question check to confirm a finding is real before you write it up | Before every report |
/report |
Generates a professional submission report for H1/Bugcrowd/Intigriti/Immunefi | After validation |
| Command | What It Does |
|---|---|
/autopilot target.com |
AI runs the full loop automatically — recon → hunt → validate → report |
/surface target.com |
Shows a ranked list of the best places to test (based on your past findings) |
/pickup target.com |
Shows untested endpoints from last session and picks up where you left off |
/remember |
Saves the current finding or technique to memory for future use |
/intel target.com |
Pulls CVEs and past disclosed reports relevant to this target |
/chain |
When you find bug A, this finds bugs B and C that usually come with it |
/scope <asset> |
Checks if a domain or URL is in scope before you test it |
/triage |
Quick 2-minute go/no-go check — should you keep investigating or move on? |
/web3-audit <contract> |
Full smart contract security audit with 10 bug class checklist |
/token-scan <contract> |
Scans a meme coin or token for rug pull signals (EVM + Solana) |
8 specialized agents, each built for one job:
| Agent | What It Does |
|---|---|
| recon-agent | Finds all subdomains, live hosts, and URLs for a target |
| report-writer | Writes professional, impact-first reports that get paid |
| validator | Runs the 7-Question Gate — kills weak findings before you waste time |
| web3-auditor | Audits smart contracts for 10 common vulnerability classes |
| chain-builder | When you find one bug, finds the chain of related bugs |
| autopilot | Runs the whole hunt loop autonomously with safety checkpoints |
| recon-ranker | Ranks the attack surface so you test the highest-value targets first |
| token-auditor | Fast meme coin / token rug pull and security analysis |
- Auto-memory at session end — the AI now automatically logs what it tested and found after every hunt session. Memory used to stay empty until you manually ran
/remember. Now the flywheel starts on day 1. - README badge and stats updated,
install_tools.shadded to Quick Start (was missing) hunt-memory/added to.gitignore(contains full URL history, shouldn't be committed)
/token-scan <contract>— automated rug pull scanner for EVM and Solana tokensskills/meme-coin-audit/— 8 token bug classes: mint authority, freeze authority, LP locks, honeypot detection, bonding curve exploits, Solana SPL checks- New agent:
token-auditor
- GitHub Actions security scanning built into the recon pipeline
- Auto-detects GitHub orgs from recon data and scans their workflow files
- 52 rules, 81.6% GHSA coverage — catches expression injection, secret leaks, supply chain attacks
Older releases (v3.1.0, v3.0.0, v2.x)
v3.1.0 — Hunting Methodology Skill
skills/bb-methodology/— mindset + 5-phase non-linear workflow, decision trees per vuln class, 20-min rotation clock
v3.0.0 — The Bionic Hunter
/autopilot— full autonomous hunt loop with--paranoid,--normal,--yolomodes- Hunt memory — journal, pattern DB, target profiles, cross-target learning
- Burp MCP — AI reads your proxy history in real time
- HackerOne MCP — search disclosed reports, get program stats and policy
/intel,/pickup,/remember,/surfacecommands
v2.1.0 — 20 Vuln Classes
- MFA/2FA bypass and SAML/SSO attacks added (classes 19 and 20)
- NoSQL injection, command injection, SSTI, HTTP smuggling, WebSocket payloads added to arsenal
20 Web2 Vulnerability Classes — click to expand
These are the types of security bugs it looks for in regular websites and APIs:
| Vulnerability | What It Means | Typical Payout |
|---|---|---|
| IDOR | Accessing another user's data by changing a number in the URL | $500 - $5K |
| Auth Bypass | Getting into accounts or admin panels without permission | $1K - $10K |
| XSS | Injecting malicious scripts into web pages | $500 - $5K |
| SSRF | Making the server fetch internal resources it shouldn't | $1K - $15K |
| Business Logic | Exploiting flaws in how the app is supposed to work | $500 - $10K |
| Race Conditions | Sending requests at the same time to get double rewards/credits | $500 - $5K |
| SQL Injection | Manipulating the database through user inputs | $1K - $15K |
| OAuth/OIDC | Breaking the "Login with Google/GitHub" flows | $500 - $5K |
| File Upload | Uploading malicious files that get executed | $500 - $5K |
| GraphQL | Auth bypass and data leaks through GraphQL APIs | $1K - $10K |
| LLM/AI | Prompt injection and IDOR in AI-powered features | $500 - $10K |
| API Misconfig | Mass assignment, JWT attacks, broken CORS | $500 - $5K |
| Account Takeover | Taking over someone else's account | $1K - $20K |
| SSTI | Template injection that leads to code execution | $2K - $10K |
| Subdomain Takeover | Claiming expired subdomains (GitHub Pages, S3, Heroku) | $200 - $5K |
| Cloud/Infra | Exposed S3 buckets, EC2 metadata, Firebase, Kubernetes | $500 - $20K |
| HTTP Smuggling | Confusing front-end and back-end servers to bypass security | $5K - $30K |
| Cache Poisoning | Poisoning CDN caches to serve malicious content to others | $1K - $10K |
| MFA Bypass | Getting past two-factor authentication | $1K - $10K |
| SAML/SSO | Breaking enterprise single sign-on implementations | $2K - $20K |
10 Web3 / Smart Contract Bug Classes — click to expand
These are bugs in blockchain smart contracts, common on Immunefi:
| Vulnerability | What It Means | Typical Payout |
|---|---|---|
| Accounting Desync | Contract's math gets out of sync with reality | $50K - $2M |
| Access Control | Functions that should be admin-only aren't | $50K - $2M |
| Incomplete Code Path | Edge cases that drain funds | $50K - $2M |
| Off-By-One | Math errors that let attackers take more than they should | $10K - $100K |
| Oracle Manipulation | Manipulating price feeds to exploit DeFi protocols | $100K - $2M |
| ERC4626 Attacks | Vault share inflation attacks | $50K - $500K |
| Reentrancy | Calling back into a contract before it finishes | $10K - $500K |
| Flash Loan | Using uncollateralized loans to manipulate prices | $100K - $2M |
| Signature Replay | Reusing signed transactions | $10K - $200K |
| Proxy/Upgrade | Exploiting upgradeable contract patterns | $50K - $2M |
# macOS
brew install go python3 node jq
# Linux (Ubuntu/Debian)
sudo apt install golang python3 nodejs jqYou also need Claude Code installed and a free account.
git clone https://github.com/shuvonsec/claude-bug-bounty.git
cd claude-bug-bounty
chmod +x install_tools.sh && ./install_tools.sh # scanning tools (subfinder, httpx, nuclei, etc.)
chmod +x install.sh && ./install.sh # AI skills + commands into Claude CodeChaos API (recommended for better subdomain discovery)
- Sign up free at chaos.projectdiscovery.io
- Add your key:
export CHAOS_API_KEY="your-key-here"
echo 'export CHAOS_API_KEY="your-key-here"' >> ~/.zshrcOptional keys (even better subdomain coverage)
Add to ~/.config/subfinder/config.yaml:
- VirusTotal — free
- SecurityTrails — free tier
- Censys — free tier
- Shodan — paid
These apply every session, no exceptions:
1. READ FULL SCOPE FIRST — only test what the program says you can
2. ONLY REAL BUGS — "Can an attacker do this RIGHT NOW?" if no, stop
3. KILL WEAK FINDINGS FAST — 30-second check saves hours of wasted reporting
4. NEVER GO OUT OF SCOPE — one wrong request can get you banned
5. 5-MINUTE RULE — no progress after 5 min? move to the next target
6. VALIDATE BEFORE REPORT — run /validate before you spend 30 min writing
7. IMPACT FIRST — start with the bugs that have the worst consequences
| Repo | What It's For |
|---|---|
| claude-bug-bounty | This — full hunting pipeline from recon to report |
| web3-bug-bounty-hunting-ai-skills | Smart contract security — 10 bug classes, Foundry PoC templates |
| public-skills-builder | Turns 500+ public bug writeups into Claude skill files |
PRs welcome. Best contributions:
- New vulnerability scanners or detection modules
- Payload additions to
skills/security-arsenal/SKILL.md - Real-world methodology improvements (with evidence from paid reports)
- Support for more platforms (YesWeHack, Synack, HackenProof)
git checkout -b feature/your-contribution
git commit -m "Add: short description"
git push origin feature/your-contributionGitHub | Twitter | LinkedIn | Email
For authorized security testing only. Only test targets within an approved bug bounty program scope.
Never test systems without explicit written permission. Follow responsible disclosure.
MIT License · Built by bug hunters, for bug hunters.
If this helped you find a bug, leave a star ⭐