Security Bounty Hunter Skill

100 0 Updated: 2026-07-15 15:00:16

The Security Bounty Hunter skill is a specialized security skill within the ECC (Agent Harness Performance Optimization System), designed for security researchers and bounty hunters. It integrates multiple security testing tools and methodologies to help users efficiently discover vulnerabilities in web applications, APIs, mobile apps, and more. Core features include automated vulnerability scanning, intelligent payload generation, target reconnaissance and information gathering, and vulnerability report template generation. By leveraging advanced AI reasoning capabilities, this skill simulates attacker thinking, providing precise vulnerability verification steps and remediation suggestions. Suitable for penetration testing, bug bounty programs, security audits, and more, significantly improving security research efficiency.

Install
bunx skills add https://github.com/affaan-m/ECC --skill security-bounty-hunter
Skill Details readonly

I. Skill Overview
This skill is designed for practical vulnerability discovery and bounty submission preparation, rather than broad best‑practice reviews. Its core objective is to answer “Can this vulnerability actually earn a bounty?” rather than “Is this theoretically insecure?”.

The skill favours remotely reachable, user‑controlled attack paths, while excluding patterns that platforms frequently reject due to insufficient information or out‑of‑scope status.

II. Core Functions
1. High‑Risk Vulnerability Pattern Identification
The skill focuses on the following consistently high‑risk vulnerability types:

Vulnerability Type CWE Typical Impact
SSRF via user‑controlled URL CWE‑918 Internal network access, cloud metadata theft
Authentication bypass in middleware or APIs CWE‑287 Unauthorised account or data access
RCE via remote deserialisation or upload CWE‑502 Code execution
SQL injection in reachable endpoints CWE‑89 Data leakage, authentication bypass, data corruption
Command injection in request handlers CWE‑78 Code execution
Path traversal in file‑serving paths CWE‑22 Arbitrary file read or write
Automatically triggered XSS CWE‑79 Session theft, admin account takeover

2. Low‑Signal / Out‑of‑Scope Pattern Exclusion
Unless otherwise specified by the bug bounty programme, the following patterns are generally considered low‑signal or out‑of‑scope:

  • Local pickle.loadstorch.load, or equivalents without a remote path

  • eval() or exec() in CLI tools

  • shell=True with fully hard‑coded commands

  • Missing security headers only (e.g. CSP, HSTS)

  • General rate‑limiting issues without exploitation impact

  • Self‑XSS requiring the victim to manually paste code

  • CI/CD injections outside the target programme’s scope

  • Code specifically for demos, examples, or tests

3. Vulnerability Discovery Workflow
The skill provides a systematic vulnerability discovery process:

  1. Confirm scope: Check programme rules, SECURITY.md, disclosure channels, and exclusions.

  2. Look for real entry points: HTTP handlers, file uploads, background tasks, webhooks, parsers, integration endpoints.

  3. Run static tooling: Execute semgrep --config=auto --severity=ERROR --severity=WARNING --json, but only as a preliminary screening input.

  4. Read actual code paths end‑to‑end: Do not rely solely on static results.

  5. Prove that user control reaches a meaningful sink.

  6. Validate exploitability and impact with a minimal viable PoC.

  7. Check for duplicates before reporting: Confirm that the issue is not already covered by an advisory, CVE, or public ticket.

  8. Manual filtering: Exclude test, demo, fixture, and vendor code; exclude local or unreachable paths; retain only findings with clear network or user‑controlled paths.

4. Report Structure Template
The skill provides a standard vulnerability report structure:

markdown
## Description
[What the vulnerability is and why it matters]

## Vulnerable Code
[File path, line range, and small snippet]

## Proof of Concept
[Minimal viable request or script]

## Impact
[What an attacker can achieve]

## Affected Versions
[Versions, commits, or deployment targets tested]

Pre‑submission checklist:

  • Code path is reachable from a real user or network boundary

  • Input is genuinely user‑controllable

  • Sink is meaningful and exploitable

  • PoC works

  • Issue is not covered by an advisory, CVE, or public ticket

  • Target is within the actual scope of the bug bounty programme

III. Primary Use Cases

  • Bug bounty hunting – find submittable, high‑quality security vulnerabilities on platforms such as Huntr, HackerOne, etc.

  • Security report preparation – write complete reports with PoC and impact analysis following a standard structure

  • Vulnerability exploitability assessment – distinguish theoretical risks from practically exploitable vulnerabilities, avoiding time wasted on low‑signal issues

  • Code security auditing – combine static tooling with manual code‑path analysis to systematically identify remotely reachable vulnerabilities

  • Vulnerability scope confirmation – verify that the target is within the bounty programme’s scope before investing time

IV. Important Principles

  • Focus on remote reachability – prioritise over local‑only findings and theoretical risks

  • Confirm scope first – check programme rules, SECURITY.md, and exclusions

  • Static tools are filters only – they do not replace end‑to‑end code‑path reading

  • PoC must work – validate exploitation with a minimal viable approach

  • Check for duplicates before reporting – ensure not already covered by existing advisories or CVEs

  • Exclude noise patterns – automatically filter out low‑signal issues such as local deserialisation, CLI eval, and missing security headers only

V. Summary
Security Bounty Hunter is a practical security skill focused on bug bounty hunting. It systematically discovers submittable, valid vulnerabilities by concentrating on remotely reachable, user‑controlled high‑risk patterns (SSRF, authentication bypass, RCE, SQLi, command injection, path traversal, XSS), combined with static tool filtering and end‑to‑end code‑path analysis. It provides a standard report template and a pre‑submission checklist, while explicitly excluding low‑signal patterns (local deserialisation, CLI eval, missing security headers only, etc.), helping security researchers efficiently prepare bug bounty submissions. This skill is applicable to bug bounty hunting, security report writing, and code security auditing.