affaan-m/security-bounty-hunter

Hunt for exploitable, bounty-worthy security issues in repositories. Focuses on remotely reachable vulnerabilities that qualify for real reports instead of noisy local-only findings.

v1.1 · Saved May 11, 2026

Security Bounty Hunter

Use this when the goal is practical vulnerability discovery for responsible disclosure or bounty submission, not a broad best-practices review.

When to Use

  • Scanning a repository for exploitable vulnerabilities
  • Preparing a Huntr, HackerOne, or similar bounty submission
  • Triage where the question is "does this actually pay?" rather than "is this theoretically unsafe?"

How It Works

Bias toward remotely reachable, user-controlled attack paths and throw away patterns that platforms routinely reject as informative or out of scope.

In-Scope Patterns

These are the kinds of issues that consistently matter:

| Pattern | CWE | Typical impact |
|---|---|---|
| SSRF through user-controlled URLs | CWE-918 | internal network access, cloud metadata theft |
| Auth bypass in middleware or API guards | CWE-287 | unauthorized account or data access |
| Remote deserialization or upload-to-RCE paths | CWE-502 | code execution |
| SQL injection in reachable endpoints | CWE-89 | data exfiltration, auth bypass, data destruction |
| Command injection in request handlers | CWE-78 | code execution |
| Path traversal in file-serving paths | CWE-22 | arbitrary file read or write |
| Auto-triggered XSS | CWE-79 | session theft, admin compromise |

Skip These

These are usually low-signal or out of bounty scope unless the program says otherwise:

  • Local-only pickle.loads, torch.load, or equivalent with no remote path
  • eval() or exec() in CLI-only tooling
  • shell=True on fully hardcoded commands
  • Missing security headers by themselves
  • Generic rate-limiting complaints without exploit impact
  • Self-XSS requiring the victim to paste code manually
  • CI/CD injection that is not part of the target program scope
  • Demo, example, or test-only code

Workflow

  1. Check scope first: program rules, SECURITY.md, disclosure channel, and exclusions.
  2. Find real entrypoints: HTTP handlers, uploads, background jobs, webhooks, parsers, and integration endpoints.
  3. Run static tooling where it helps, but treat it as triage input only.
  4. Read the real code path end to end.
  5. Prove user control reaches a meaningful sink.
  6. Confirm exploitability and impact with the smallest safe PoC possible.
  7. Check for duplicates before drafting a report.

Example Triage Loop

semgrep --config=auto --severity=ERROR --severity=WARNING --json

Then manually filter:

  • drop tests, demos, fixtures, vendored code
  • drop local-only or non-reachable paths
  • keep only findings with a clear network or user-controlled route
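The first filter above can be scripted before the manual read. The following is an added example, not part of the skill: it drops low-severity and test/demo/fixture/vendored findings from semgrep's `--json` output and leaves reachability as a field to fill in by hand. The directory list, the function names and the sample rule ids are assumptions.

```python
import json
from pathlib import PurePosixPath

# Assumption: directory names that mark non-production code; tune per repository.
NOISE_DIRS = {"test", "tests", "__tests__", "testdata", "demo", "demos", "example",
              "examples", "fixtures", "vendor", "third_party", "node_modules"}
KEEP_SEVERITIES = {"ERROR", "WARNING"}

def is_noise_path(path: str) -> bool:
    """True for tests, demos, fixtures and vendored code (whole-segment match)."""
    parts = [p.lower() for p in PurePosixPath(path.replace("\\", "/")).parts]
    if not parts or any(p in NOISE_DIRS for p in parts[:-1]):
        return True  # findings without a usable path are dropped as well
    name = parts[-1]
    return name.startswith("test_") or "_test." in name or ".test." in name

def triage(report: dict) -> list:
    """Return the findings that still need a manual reachability review."""
    kept = []
    for r in report.get("results", []):
        extra = r.get("extra", {})
        if extra.get("severity") not in KEEP_SEVERITIES or is_noise_path(r.get("path", "")):
            continue
        kept.append({
            "rule": r.get("check_id"),
            "location": f"{r.get('path')}:{r.get('start', {}).get('line')}",
            "cwe": extra.get("metadata", {}).get("cwe", []),
            "reachable": None,  # set by hand after reading the code path end to end
        })
    return kept

# Constructed sample in the shape of semgrep's --json output (rule ids are made up).
SAMPLE = {"results": [
    {"check_id": "example.ssrf-user-url", "path": "app/api/fetch.py",
     "start": {"line": 42}, "extra": {"severity": "ERROR", "metadata": {"cwe": ["CWE-918"]}}},
    {"check_id": "example.ssrf-user-url", "path": "tests/test_fetch.py",
     "start": {"line": 10}, "extra": {"severity": "ERROR", "metadata": {}}},
    {"check_id": "example.unsafe-yaml-load", "path": "vendor/lib/yaml_loader.py",
     "start": {"line": 7}, "extra": {"severity": "WARNING", "metadata": {}}},
    {"check_id": "example.debug-logging", "path": "app/handlers/export.py",
     "start": {"line": 88}, "extra": {"severity": "INFO", "metadata": {}}},
    {"check_id": "example.command-injection", "path": "examples/demo_server.py",
     "start": {"line": 23}, "extra": {"severity": "ERROR", "metadata": {}}},
]}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Path matching is by whole segment, so a directory such as `src/contest/` is not mistaken for a test directory; the second and third filters still require reading the code.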

Report Structure

## Description
[What the vulnerability is and why it matters]

## Vulnerable Code
[File path, line range, and a small snippet]

## Proof of Concept
[Minimal working request or script]

## Impact
[What the attacker can achieve]

## Affected Version
[Version, commit, or deployment target tested]

Quality Gate

Before submitting:

  • The code path is reachable from a real user or network boundary
  • The input is genuinely user-controlled
  • The sink is meaningful and exploitable
  • The PoC works
  • The issue is not already covered by an advisory, CVE, or open ticket
  • The target is actually in scope for the bounty program

Overall Score: 88/100 (Grade A, Excellent)

  • Safety: 92
  • Quality: 87
  • Clarity: 88
  • Completeness: 82

Summary

A guided security vulnerability hunting skill that teaches agents how to discover exploitable, bounty-eligible security issues in codebases. It emphasizes remotely reachable vulnerabilities with clear impact over noisy local findings, providing triage workflows and explicit scope boundaries for responsible disclosure preparation.

Detected Capabilities

  • code analysis
  • static analysis tool invocation (semgrep)
  • vulnerability triage
  • documentation generation
  • proof of concept development guidance

Trigger Keywords

Phrases that MCP clients use to match this skill to user intent.

  • bounty hunting
  • vulnerability discovery
  • security triage
  • exploitable vulnerabilities
  • responsible disclosure
  • bounty submission
  • remotely reachable flaws
  • code review security

Use Cases

  • Scanning repositories for real exploitable vulnerabilities eligible for bounty submission
  • Triaging security findings to focus on remotely reachable attack paths with business impact
  • Preparing vulnerability reports for responsible disclosure platforms (Huntr, HackerOne, etc.)
  • Differentiating genuine remote vulnerabilities from theoretical local-only issues
  • Establishing quality gates before submitting security bounty reports

Quality Notes

  • Excellent scope boundaries: clearly defines in-scope patterns (SSRF, auth bypass, RCE paths, SQLi, command injection, path traversal, XSS) with CWE references
  • Strong exclusion list that prevents noisy findings: local-only patterns, missing headers, self-XSS, demo code, CI/CD injection out of scope
  • Practical workflow provides real triage methodology: check scope rules first, find entrypoints, use static tools as input only, read code end-to-end, prove user control
  • Well-structured report template with required sections: description, vulnerable code, PoC, impact, affected version
  • Quality gate explicitly defined with six checkpoints before submission, preventing duplicate or low-impact reports
  • Example semgrep command provided with practical filtering guidance
  • Clear guidance on what 'exploitable' means: reachable from real boundary, user-controlled input, meaningful sink
  • Avoids prescribing specific tools or languages, applicable across language/framework ecosystems

Model: claude-haiku-4-5-20251001 · Analyzed: May 11, 2026


Version History

  • v1.1 (Latest): Content updated, 2026-04-20
  • v1.0: No changelog, 2026-04-12
