OpenSkillIndex← back to search
claude-codesecurity

Claude-skill-registry bug-bounty-methodology

Target-agnostic bug bounty hunting methodology with parallel recon, systematic testing workflows, and vulnerability-specific exploitation guidance

install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/bug-bounty-methodology" ~/.claude/skills/majiayu000-claude-skill-registry-bug-bounty-methodology && rm -rf "$T"
manifest: skills/data/bug-bounty-methodology/SKILL.md
tags
#bug-bounty#vulnerability-testing#reconnaissance#exploitation-guidance#security-testing
source content

Bug Bounty Methodology Skill

Overview

This skill provides a complete, target-agnostic bug bounty hunting methodology inspired by industry experts like Hadx and Daniel Miessler. It emphasizes systematic reconnaissance, parallel execution for efficiency, and vulnerability-specific testing workflows that apply to any web application target.

Core Philosophy

Three-Phase Approach:

  1. Intelligence Gathering (Passive Recon) - No direct target interaction
  2. Active Enumeration - Verification and endpoint discovery
  3. Targeted Exploitation - Vulnerability-specific testing based on findings

Key Principles:

  • Target-agnostic workflows that apply universally
  • Parallel agent execution for 5-7 hour tasks completed in ~1 hour wall time
  • Systematic documentation of all findings
  • Prioritization based on bug bounty program criteria
  • Reproducible steps with exact commands

Skill Invocation Patterns

When the user requests bug bounty work, route to appropriate workflow based on intent:

Starting New Target Reconnaissance

User says: "Start bug bounty recon on [target]" or "Begin reconnaissance for [target]"

Action:

  1. Read 
    targets/{target}.md
    for scope and context
  2. Identify required recon phases (passive, active, js-analysis, mobile)
  3. Propose spawning parallel agents for each phase
  4. Upon user approval, spawn agents via Task() tool
  5. Each agent executes appropriate workflow and outputs to target directory
  6. Synthesize findings into prioritized attack roadmap

Continuing Existing Work

User says: "Continue testing [target]" or "Resume [target] work"

Action:

  1. Read latest findings from 
    LEARNING/targets/{target}/
  2. Review attack roadmap or previous session notes
  3. Identify next priority testing phase
  4. Route to appropriate testing workflow

Specific Vulnerability Testing

User says: "Test GraphQL on [target]" or "Check for IDOR in [target] API"

Action:

  1. Load appropriate testing workflow (
    test-graphql.md
    , 
    test-rest-api.md
    , etc.)
  2. Read target context and discovered endpoints
  3. Guide through systematic testing checklist
  4. Document findings in target-specific location

New Target Setup

User says: "Add new target [name]" or "Set up [target] for bug bounty"

Action:

  1. Create new target file from 
    targets/template.md
  2. Guide user through scope definition
  3. Help capture authentication details
  4. Document program-specific criteria (payout ranges, exclusions)

Workflow Routing Logic

Reconnaissance Phase

  • Passive Recon

    workflows/recon-passive.md

    • Subdomain enumeration (crt.sh, subfinder, amass)
    • Technology fingerprinting (Wappalyzer, whatweb)
    • Source code intelligence (GitHub, JavaScript analysis)
    • Mobile app static analysis

  • Active Recon

    workflows/recon-active.md

    • Subdomain verification (httpx, dnsx)
    • Web application mapping (gospider, Burp Suite)
    • API endpoint discovery (fuzzing, JavaScript extraction)
    • GraphQL detection and introspection

  • JavaScript Analysis

    workflows/analyze-javascript.md

    • Bundle extraction and beautification
    • Endpoint discovery from JS
    • Secret scanning (API keys, tokens)
    • Client-side logic analysis

  • Mobile Analysis

    workflows/analyze-mobile.md

    • APK/IPA decompilation
    • String extraction and analysis
    • Hardcoded endpoint discovery
    • Mobile-specific API differences

Testing Phase

Route based on discovered technology stack and vulnerability category:

  • GraphQL endpoints
    workflows/test-graphql.md
  • XSS (Cross-Site Scripting)
    workflows/test-xss.md
  • REST APIs
    workflows/test-api.md
  • Authentication systems
    workflows/test-authentication.md
  • Payment/business logic
    workflows/test-business-logic.md
  • File uploads
    workflows/test-file-upload.md

Reporting Phase

  • Bug report creation
    workflows/report-findings.md

Parallel Execution Model

For reconnaissance phases (2-3 hours passive + 3-4 hours active = 5-7 hours linear):

Spawn 4 Parallel Agents:

// Agent 1: Passive Reconnaissance
Task({
  subagent_type: "general-purpose",
  description: "Passive recon for target",
  prompt: `Execute passive reconnaissance workflow for ${target}.

  Read and follow: .claude/skills/bug-bounty-methodology/workflows/recon-passive.md
  Target context: LEARNING/targets/${target}/${target}.md
  Output findings to: LEARNING/targets/${target}/recon/passive-results.md

  Document all discovered subdomains, technologies, and intelligence.`
})

// Agent 2: Active Enumeration (starts after passive completes or runs in parallel)
Task({
  subagent_type: "general-purpose",
  description: "Active recon for target",
  prompt: `Execute active reconnaissance workflow for ${target}.

  Read and follow: .claude/skills/bug-bounty-methodology/workflows/recon-active.md
  Target context: LEARNING/targets/${target}/${target}.md
  Output findings to: LEARNING/targets/${target}/recon/active-results.md

  Verify subdomains, map application, discover API endpoints.`
})

// Agent 3: JavaScript Analysis
Task({
  subagent_type: "general-purpose",
  description: "JavaScript analysis for target",
  prompt: `Execute JavaScript analysis workflow for ${target}.

  Read and follow: .claude/skills/bug-bounty-methodology/workflows/analyze-javascript.md
  Target context: LEARNING/targets/${target}/${target}.md
  Output findings to: LEARNING/targets/${target}/analysis/js-findings.md

  Extract and analyze all JavaScript bundles for endpoints and secrets.`
})

// Agent 4: Mobile App Analysis (if applicable)
Task({
  subagent_type: "general-purpose",
  description: "Mobile analysis for target",
  prompt: `Execute mobile app analysis workflow for ${target}.

  Read and follow: .claude/skills/bug-bounty-methodology/workflows/analyze-mobile.md
  Target context: LEARNING/targets/${target}/${target}.md
  Output findings to: LEARNING/targets/${target}/analysis/mobile-findings.md

  Analyze iOS and Android apps for endpoints and vulnerabilities.`
})

Wall-clock time: ~45-75 minutes (vs. 5-7 hours sequential)

Synthesis and Roadmap Generation

After parallel agents complete:

  1. Read all output files from target directory
  2. Cross-reference findings between passive, active, JS, and mobile analysis
  3. Identify technology stack (GraphQL vs REST, auth mechanisms, frameworks)
  4. Map discovered endpoints to vulnerability categories
  5. Prioritize testing targets based on:
    • Program payout ranges (Critical > High > Medium)
    • Likelihood of finding (IDOR in APIs = high likelihood)
    • Complexity vs. ROI (quick wins first)
  6. Generate attack roadmap with specific testing checklists
  7. Output to: 
    LEARNING/targets/{target}/ATTACK-ROADMAP.md

Target-Specific Intelligence

Each target has a profile in 

targets/{target}.md
containing:

  • Program Details: URL, platform (HackerOne, Bugcrowd), response times
  • Scope: In-scope assets, out-of-scope exclusions
  • Testing Requirements: Required headers (X-Bug-Bounty), account setup
  • Known Technology Stack: From previous recon or public knowledge
  • Priority Attack Surfaces: Based on program payouts and policy
  • Testing Accounts: Credentials for authenticated testing
  • Previous Findings: What's already been reported (avoid duplicates)

Tools Integration

Reference 

tools/reference.md
for quick command syntax:

  • Subdomain enumeration: subfinder, amass, assetfinder
  • Verification: httpx, dnsx, subjack
  • Web fuzzing: ffuf (see ffuf skill for advanced usage)
  • Crawling: gospider, Burp Suite
  • Mobile analysis: apktool, class-dump, Frida
  • Secret scanning: truffleHog, gitleaks

Output Structure

All findings documented in vault under 

LEARNING/targets/{target}/
:

LEARNING/targets/{target}/
├── {target}.md (target intelligence profile)
├── recon/
│   ├── passive-results.md
│   ├── active-results.md
│   └── subdomains.txt
├── analysis/
│   ├── js-findings.md
│   ├── mobile-findings.md
│   └── tech-stack.md
├── testing/
│   ├── graphql-tests.md
│   ├── idor-tests.md
│   └── auth-tests.md
├── findings/
│   └── [vulnerability-reports]/
└── ATTACK-ROADMAP.md (prioritized testing plan)

Context Management

For long reconnaissance sessions:

  1. Spawn parallel agents (as described above)
  2. Agents work independently and document findings
  3. Main agent synthesizes results
  4. If synthesis requires heavy context, use 
    /clear
    + read output files approach
  5. Never try to hold 5-7 hours of recon in single context window

Success Metrics

Reconnaissance complete when:

  • ✅ 50+ subdomains enumerated (if applicable)
  • ✅ Complete technology stack documented
  • ✅ 100+ API endpoints discovered
  • ✅ Attack surface mapped by vulnerability type
  • ✅ Top 10 high-value targets identified
  • ✅ Prioritized testing roadmap created

Testing complete when:

  • ✅ All Critical/High priority targets tested
  • ✅ At least one valid finding OR comprehensive testing documented
  • ✅ Findings properly reported to bug bounty program

Workflow Files Reference

  • workflows/recon-passive.md
    - Passive reconnaissance methodology
  • workflows/recon-active.md
    - Active enumeration methodology
  • workflows/analyze-javascript.md
    - JavaScript analysis workflow
  • workflows/analyze-mobile.md
    - Mobile app analysis workflow
  • workflows/test-graphql.md
    - GraphQL vulnerability testing
  • workflows/test-xss.md
    - Cross-site scripting testing
  • workflows/test-api.md
    - REST API security testing (IDOR, authorization)
  • workflows/test-authentication.md
    - Auth/authz bypass testing
  • workflows/test-business-logic.md
    - Payment and logic flaw testing
  • workflows/test-file-upload.md
    - Upload vulnerability testing
  • workflows/report-findings.md
    - Bug bounty report writing

Usage Examples

Example 1: Start new target

User: "Start bug bounty recon on DoorDash"

Chavvo loads bug-bounty-methodology skill
→ Reads targets/doordash.md
→ Proposes spawning 4 parallel recon agents
→ User approves
→ Agents execute workflows simultaneously
→ Synthesis generates ATTACK-ROADMAP.md
→ User reviews and chooses next phase

Example 2: Specific testing

User: "Test HubSpot GraphQL endpoint for IDOR"

Chavvo loads bug-bounty-methodology skill
→ Reads targets/hubspot.md
→ Loads workflows/test-graphql.md
→ Reads discovered GraphQL endpoints from recon
→ Guides through IDOR testing checklist
→ Documents findings in testing/graphql-tests.md

Example 3: Resume work

User: "Continue DoorDash testing"

Chavvo loads bug-bounty-methodology skill
→ Reads LEARNING/targets/doordash/ATTACK-ROADMAP.md
→ Reviews latest testing/ files
→ Identifies next priority item
→ Proposes specific testing workflow

When invoked, always:

  1. Understand user's intent (new recon, continue testing, specific vuln test)
  2. Read appropriate target context
  3. Route to correct workflow(s)
  4. Propose parallel execution for heavy recon tasks
  5. Document everything in target-specific structure
  6. Maintain target-agnostic methodology across all targets