AI Bug Bounty Hunter

Autonomous bug bounty hunting powered by the Claude Agent SDK. One command, six specialist AI agents, real vulnerability findings.

bountyhunt hunt --platform hackerone --program <handle>

What It Does

An orchestrator agent (Claude Opus) coordinates six specialist agents to run a full bug bounty workflow autonomously:

1. Scope Analyzer — Parses program scope from HackerOne/Bugcrowd, identifies targets, wildcards, and exclusions
2. Recon Agent — Subdomain enumeration, live host probing, URL crawling, header/SSL analysis
3. Web Vuln Agent — Tests for XSS, SQLi, IDOR, SSRF, open redirects, auth bypass, known CVEs
4. API Vuln Agent — Tests REST/GraphQL APIs for BOLA, mass assignment, JWT flaws, rate limit bypass
5. Source Review Agent — Analyzes JavaScript, scans for exposed secrets, audits dependencies
6. Report Writer — Deduplicates findings, assigns CVSS/CWE, generates submission-ready markdown

Each agent has restricted tool access — the recon agent can't make HTTP requests, the API agent can't run nuclei scans. Security boundaries are enforced at the SDK level.

Architecture

CLI (argparse)
 └── Runner (orchestrator prompt + SDK config)
      └── Claude Agent SDK query()
           ├── Orchestrator (Opus) — delegates via Task tool
           │    ├── scope-analyzer (Sonnet)
           │    ├── recon-agent (Sonnet)
           │    ├── web-vuln-agent (Opus)
           │    ├── api-vuln-agent (Opus)
           │    ├── source-review-agent (Sonnet)
           │    └── report-writer (Sonnet)
           │
           └── 6 MCP Servers (19 tools total)
                ├── recon: subfinder, httpx, katana, header/ssl checks
                ├── scanner: nuclei
                ├── http: rate-limited HTTP client
                ├── scope: scope loading, validation
                ├── source: JS analysis, secret scanning, dependency audit
                └── report: finding storage, report generation

Findings are stored incrementally to disk as JSON — if the hunt crashes or you interrupt it, nothing is lost.

Setup

Prerequisites

• Python 3.11+
• Claude Agent SDK
• External tools (install via Go): subfinder, httpx, nuclei, katana

Install

git clone https://github.com/eliBenven/aibugbounty.git
cd aibugbounty
pip install -e ".[dev]"

# Copy and edit config
cp config.example.yaml config.yaml
# Edit config.yaml with your tool paths (or leave null for auto-detect from PATH)

# Set your API key
export ANTHROPIC_API_KEY=sk-ant-...

Install Go tools

go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
go install -v github.com/projectdiscovery/katana/cmd/katana@latest

Usage

Hunt a HackerOne program

bountyhunt hunt --platform hackerone --program <program-handle>

Hunt specific URLs

bountyhunt hunt --url https://example.com --url https://api.example.com

View program scope

bountyhunt scope <program-handle> --platform hackerone

Regenerate report from saved findings

bountyhunt report --findings-dir data/findings/<program> --program-name "Program Name"

Options

--mode passive|active|full    Hunt mode (default: full)
--budget 10.00                Override max API budget in USD
--verbose                     Show full agent messages

How It Works

The orchestrator runs 5 phases:

1. Scope — Delegates to scope-analyzer to parse and validate the program scope
2. Recon — Delegates to recon-agent to enumerate subdomains, probe live hosts, crawl URLs
3. Vulnerability Testing — Launches web-vuln, api-vuln, and source-review agents in parallel with specific targets from recon
4. Follow-up — Investigates interesting leads from phase 3
5. Report — Delegates to report-writer to compile and deduplicate all findings

Every finding requires concrete evidence (HTTP requests/responses, tool output) — the system rejects findings without proof.

Configuration

See config.example.yaml for all options:

• Model assignments — Which Claude model each agent uses
• Rate limiting — HTTP requests per minute (sliding window)
• Budget cap — Maximum API spend per hunt
• Tool paths — Paths to Go tools (auto-detected from PATH if null)
• Nuclei settings — Rate limit, concurrency, severity filter

Tests

pytest tests/ -v

58 tests covering models, parsers, tools, config, and SDK size limits.

Cost

A typical full hunt runs 30-40 turns and costs $5-15 depending on scope size and number of targets. The --budget flag lets you set a hard cap.

Disclaimer

This tool is intended for authorized security testing only.

• Only use this tool against programs and targets where you have explicit authorization to test
• Respect all bug bounty program rules, rate limits, and scope boundaries
• The tool includes rate limiting and scope validation, but you are responsible for ensuring your testing is authorized
• The authors are not responsible for misuse of this tool or any unauthorized testing
• Findings should be reported through proper disclosure channels (HackerOne, Bugcrowd, etc.)

This tool performs active security testing including subdomain enumeration, web crawling, vulnerability scanning, and HTTP request fuzzing. Running it against targets without authorization may violate computer fraud and abuse laws.

License

MIT — see LICENSE.