bug-bounty

Solid

Bug bounty program management and security disclosure expertise for smart contracts. Covers program setup on Immunefi, vulnerability triage, responsible disclosure coordination, bounty payments, and post-disclosure analysis.

AI & Automation 1,160 stars 71 forks Updated today MIT


Quality Score: 96/100

| Criterion | Weight | Score |
|-----------|--------|-------|
| Stars | 20% | 100 |
| Recency | 20% | 100 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 100 |
| Issue Health | 10% | 50 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

# Bug Bounty/Security Disclosure Skill

Expert management of bug bounty programs and responsible security disclosure for blockchain protocols.

## Capabilities

- **Program Setup**: Configure bug bounty programs on Immunefi and other platforms
- **Scope Definition**: Define assets, severity tiers, and exclusions
- **Vulnerability Triage**: Assess and validate security reports
- **Responsible Disclosure**: Coordinate disclosure timelines and communications
- **Bounty Management**: Calculate and process bounty payments
- **Post-Disclosure**: Conduct post-mortem analysis and lessons learned

## MCP/Tool Integration

| Tool | Purpose | Reference |
|------|---------|-----------|
| **Trail of Bits Skills** | Security analysis, property testing | [building-secure-contracts](https://github.com/trailofbits/skills) |
| **Slither MCP** | Static analysis for validation | [slither-mcp](https://github.com/trailofbits/slither-mcp) |
| **Phalcon MCP** | Transaction analysis | [phalcon-mcp](https://github.com/mark3labs/phalcon-mcp) |

## Bug Bounty Program Setup

### Immunefi Program Structure

```yaml
program:
  name: "Protocol Name"
  website: "https://protocol.xyz"
  assets:
    smart_contracts:
      - type: "Smart Contract"
        target: "0x..."
        severity: "Critical"
    websites:
      - type: "Web Application"
        target: "https://app.protocol.xyz"
        severity: "High"
  severity_levels:
    critical:
      range: "$100,000 - $1,000,000"
      description: "Direct t...
```

Details

Author
a5c-ai
Repository
a5c-ai/babysitter
Created
4 months ago
Last Updated
today
Language
JavaScript
License
MIT

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Listed

bounty-web

Use during the testing phase of a web application bug bounty. Provides OWASP-aligned attack catalog, payload sources, and tool ordering for SQLi, XSS, SSRF, SSTI, IDOR, auth, race conditions, file upload, deserialization. Triggers on "bounty web", "test this app", "web app testing", "h1 web target".

6 Updated yesterday
26zl
AI & Automation Solid

security-bounty-hunter

Hunt for exploitable, bounty-worthy security issues in repositories. Focuses on remotely reachable vulnerabilities that qualify for real reports instead of noisy local-only findings.

201,447 Updated yesterday
affaan-m
AI & Automation Listed

bb-local-toolkit

Complete bug bounty workflow — recon (subdomain enumeration, asset discovery, fingerprinting, HackerOne scope, source code audit), pre-hunt learning (disclosed reports, tech stack research, mind maps, threat modeling), vulnerability hunting (IDOR, SSRF, XSS, auth bypass, CSRF, race conditions, SQLi, XXE, file upload, business logic, GraphQL, HTTP smuggling, cache poisoning, OAuth, timing side-channels, OIDC, SSTI, subdomain takeover, cloud misconfig, ATO chains, agentic AI), LLM/AI security testing (chatbot IDOR, prompt injection, indirect injection, ASCII smuggling, exfil channels, RCE via code tools, system prompt extraction, ASI01-ASI10), A-to-B bug chaining (IDOR→auth bypass, SSRF→cloud metadata, XSS→ATO, open redirect→OAuth theft, S3→bundle→secret→OAuth), bypass tables (SSRF IP bypass, open redirect bypass, file upload bypass), language-specific grep (JS prototype pollution, Python pickle, PHP type juggling, Go template.HTML, Ruby YAML.load, Rust unwrap), and reporting (7-Question Gate, 4 validation gate

1,478 Updated 5 days ago
elementalsouls
AI & Automation Listed

bug-bounty

Complete bug bounty workflow — recon (subdomain enumeration, asset discovery, fingerprinting, HackerOne scope, source code audit), pre-hunt learning (disclosed reports, tech stack research, mind maps, threat modeling), vulnerability hunting (IDOR, SSRF, XSS, auth bypass, CSRF, race conditions, SQLi, XXE, file upload, business logic, GraphQL, HTTP smuggling, cache poisoning, OAuth, timing side-channels, OIDC, SSTI, subdomain takeover, cloud misconfig, ATO chains, agentic AI), LLM/AI security testing (chatbot IDOR, prompt injection, indirect injection, ASCII smuggling, exfil channels, RCE via code tools, system prompt extraction, ASI01-ASI10), A-to-B bug chaining (IDOR→auth bypass, SSRF→cloud metadata, XSS→ATO, open redirect→OAuth theft, S3→bundle→secret→OAuth), bypass tables (SSRF IP bypass, open redirect bypass, file upload bypass), language-specific grep (JS prototype pollution, Python pickle, PHP type juggling, Go template.HTML, Ruby YAML.load, Rust unwrap), and reporting (7-Question Gate, 4 validation gate

1,478 Updated 5 days ago
elementalsouls
AI & Automation Listed

bug-bounty

Complete bug bounty workflow — recon (subdomain enumeration, asset discovery, fingerprinting, HackerOne scope, source code audit), pre-hunt learning (disclosed reports, tech stack research, mind maps, threat modeling), vulnerability hunting (IDOR, SSRF, XSS, auth bypass, CSRF, race conditions, SQLi, XXE, file upload, business logic, GraphQL, HTTP smuggling, cache poisoning, OAuth, timing side-channels, OIDC, SSTI, subdomain takeover, cloud misconfig, ATO chains, agentic AI), LLM/AI security testing (chatbot IDOR, prompt injection, indirect injection, ASCII smuggling, exfil channels, RCE via code tools, system prompt extraction, ASI01-ASI10), A-to-B bug chaining (IDOR→auth bypass, SSRF→cloud metadata, XSS→ATO, open redirect→OAuth theft, S3→bundle→secret→OAuth), bypass tables (SSRF IP bypass, open redirect bypass, file upload bypass), language-specific grep (JS prototype pollution, Python pickle, PHP type juggling, Go template.HTML, Ruby YAML.load, Rust unwrap), and reporting (7-Question Gate, 4 validation gate

0 Updated today
Mikacr1138