Complete bug bounty workflow — recon (subdomain enumeration, asset discovery, fingerprinting, HackerOne scope, source code audit), pre-hunt learning (disclosed reports, tech stack research, mind maps, threat modeling), vulnerability hunting (IDOR, SSRF, XSS, auth bypass, CSRF, race conditions, SQLi, XXE, file upload, business logic, GraphQL, HTTP smuggling, cache poisoning, OAuth, timing side-channels, OIDC, SSTI, subdomain takeover, cloud misconfig, ATO chains, agentic AI), LLM/AI security testing (chatbot IDOR, prompt injection, indirect injection, ASCII smuggling, exfil channels, RCE via code tools, system prompt extraction, ASI01-ASI10), A-to-B bug chaining (IDOR→auth bypass, SSRF→cloud metadata, XSS→ATO, open redirect→OAuth theft, S3→bundle→secret→OAuth), bypass tables (SSRF IP bypass, open redirect bypass, file upload bypass), language-specific grep (JS prototype pollution, Python pickle, PHP type juggling, Go template.HTML, Ruby YAML.load, Rust unwrap), and reporting (7-Question Gate, 4 validation gate
elementalsouls/Claude-BugHunter · ★ 1,478 · AI & Automation · score 83
Install: claude install-skill elementalsouls/Claude-BugHunter
# Bug Bounty Master Workflow
Full pipeline: Recon -> Learn -> Hunt -> Validate -> Report. One skill for everything.
## THE ONLY QUESTION THAT MATTERS
> **"Can an attacker do this RIGHT NOW against a real user who has taken NO unusual actions -- and does it cause real harm (stolen money, leaked PII, account takeover, code execution)?"**
>
> If the answer is NO -- **STOP. Do not write. Do not explore further. Move on.**
### Theoretical Bug = Wasted Time. Kill These Immediately:
| Pattern | Kill Reason |
|---|---|
| "Could theoretically allow..." | Not exploitable = not a bug |
| "An attacker with X, Y, Z conditions could..." | Too many preconditions |
| "Wrong implementation but no practical impact" | Wrong but harmless = not a bug |
| Dead code with a bug in it | Not reachable = not a bug |
| Source maps without secrets | No impact |
| SSRF with DNS-only callback | A DNS lookup only proves the hostname was resolved, not that anything was fetched; need an HTTP/TCP interaction, internal access, or data exfil |
| Open redirect alone | Informational by itself; chain it into OAuth token theft or ATO first |
| "Could be used in a chain if..." | Build the chain first, THEN report |
**You must demonstrate actual harm. "Could" is not a bug. Prove it works or drop it.**
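As an added example (not code from the skill itself), here is a small Python triage helper for the "source maps without secrets" row: it reads a JavaScript source map, walks the embedded `sourcesContent`, and greps each file for credential-looking strings, returning `KILL` when nothing turns up and `REPORT` only when there is a concrete leak to show. The regex set, the 3.0-bit entropy cutoff for the generic `key = "..."` rule, and the two sample maps are my own constructions; the AWS key in the leaky sample is Amazon's documented placeholder key, not a live credential.

```python
"""Triage a JavaScript source map: secrets in the embedded sources == impact;
no secrets == no impact, kill the finding and move on."""
import json
import math
import re
from collections import Counter

# Illustrative patterns for well-known credential formats (assumption: not exhaustive).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic `apiKey = "..."` style assignments; group(1) is the candidate value.
    "generic_assignment": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*["']([^"']{16,})["']"""
    ),
}
ENTROPY_FLOOR = 3.0  # bits/char; assumption used to drop placeholders like "xxxxxxxx"


def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders and padding score near zero."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_source_map(map_text: str) -> list:
    """Return one finding per credential-looking match, with file and line."""
    sm = json.loads(map_text)
    sources = sm.get("sources", [])
    # A map with no sourcesContent only names the files; the code itself is not leaked here.
    contents = sm.get("sourcesContent") or []
    findings = []
    for path, src in zip(sources, contents):
        if not src:
            continue
        for rule, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(src):
                value = m.group(1) if m.groups() else m.group(0)
                # The generic rule is noisy; drop low-entropy template values.
                if rule == "generic_assignment" and shannon_entropy(value) < ENTROPY_FLOOR:
                    continue
                line = src.count("\n", 0, m.start()) + 1
                findings.append({"source": path, "rule": rule, "line": line, "match": value})
    return findings


def triage(map_text: str) -> str:
    """The gate from the table: no demonstrable secret means no report."""
    return "REPORT" if scan_source_map(map_text) else "KILL"


# Constructed sample maps (not captured from any real target).
CLEAN_MAP = json.dumps({
    "version": 3, "file": "app.js", "sources": ["src/App.jsx"], "names": [], "mappings": "AAAA",
    "sourcesContent": [
        "export default function App() {\n"
        "  const apiKey = 'xxxxxxxxxxxxxxxxxxxx';\n"  # templated placeholder, zero entropy
        "  return <div>hello</div>;\n}\n"
    ],
})
LEAKY_MAP = json.dumps({
    "version": 3, "file": "app.js", "sources": ["src/config.js"], "names": [], "mappings": "AAAA",
    "sourcesContent": [
        "const cfg = {\n"
        "  region: 'us-east-1',\n"
        "  accessKeyId: 'AKIAIOSFODNN7EXAMPLE',\n"  # Amazon's documented example key
        "};\nexport default cfg;\n"
    ],
})

if __name__ == "__main__":
    for label, m in (("clean", CLEAN_MAP), ("leaky", LEAKY_MAP)):
        print(label, triage(m), scan_source_map(m))
```

The point of the entropy floor is that `sourcesContent` from a build pipeline is full of `apiKey: "REPLACE_ME"` style scaffolding; a match against the generic rule is only worth a report when the value looks like a real credential, and even then the report should show what the key grants access to, not just that it exists.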
---
## CRITICAL RULES
1. **READ FULL SCOPE FIRST** -- verify every asset/domain is owned by the target org
2. **NO THEORETICAL BUGS** -- "Can an attacker steal funds, leak PII, take over an account, or execute code RIGHT NOW?" If no, STOP.
3. **KILL WEAK FINDINGS FAST** -- run the 7-Question Gate BEFORE writing any report
4. **Validate before writing** -- check CHANGE