1. Skill Overview
2. Core Capabilities
2.1 High-Impact Vulnerability Pattern Library
| Vulnerability Type | CWE ID | Typical Business Impact |
|---|---|---|
| SSRF via user-controlled URL input | CWE-918 | Internal network reconnaissance, cloud metadata credential theft |
| Authentication bypass in middleware / API guard logic | CWE-287 | Unauthorized access to user accounts and sensitive data |
| Remote code execution via deserialization or unvalidated file uploads | CWE-502 | Arbitrary server-side code execution |
| SQL injection exposed on public reachable endpoints | CWE-89 | Mass data exfiltration, auth bypass, persistent data corruption |
| Command injection within request handler logic | CWE-78 | Remote arbitrary code execution |
| Path traversal in file-serving endpoints | CWE-22 | Read/write access to arbitrary server-side files |
| Auto-triggerable self-contained XSS | CWE-79 | Session hijacking, full admin account takeover |
2.2 Low-Signal / Out-of-Scope Pattern Exclusions
- Local-only
pickle.loads,torch.load, or equivalent deserialization with no remote reachable entrypoint - Raw
eval()/exec()calls restricted exclusively to internal CLI tooling - Hardcoded static shell commands using
shell=Truewith zero user-controlled input - Missing security headers only (CSP, HSTS, X-Frame-Options) with no secondary exploit chain
- Generic rate-limiting deficiencies with no viable exploitation impact
- Self-XSS requiring manual victim copy-paste interaction
- CI/CD pipeline injection flaws isolated outside the customer-facing application attack surface
- Demo, sample, or test-only code paths
2.3 Standard Vulnerability Discovery Workflow
- Validate bounty scope: Review program rules,
SECURITY.md, disclosure policies, and explicit exclusion lists - Locate real external entrypoints: HTTP route handlers, file upload endpoints, background job runners, webhooks, data parsers, third-party integration APIs
- Run static analysis triage scan:
semgrep --config=auto --severity=ERROR --severity=WARNING --json
- Exclude test fixtures, demo code, vendor dependency code
- Discard local-only non-network reachable paths
- Retain only findings with clear external network / user-controlled input attack surfaces
2.4 Standard Vulnerability Report Template
## Description
[Explain the flaw and its critical business impact]
## Vulnerable Source Code
[Full file path, line range, concise relevant code snippet]
## Proof of Concept
[Minimal reproducible HTTP request or standalone exploit script]
## Impact
[Full breakdown of actions an unauthenticated/malicious attacker can perform]
## Affected Versions
[Tested release version, target commit hash, or live deployment environment]
- Vulnerable code path is reachable from an external user / network boundary
- Critical input variables are fully controllable by untrusted external actors
- The downstream sink function enables meaningful security impact
- The attached PoC reproduces the flaw reliably end-to-end
- The defect has no matching public advisory, CVE, or tracked open issue
- The target component falls within the official bounty program scope
3. Primary Use Cases
- Bug bounty hunting on platforms including Huntr, HackerOne — Identify valid high-severity vulnerabilities eligible for monetary reward
- Formal security report drafting — Generate complete standardized audit artifacts with reproducible PoC and impact breakdown for bounty review teams
- Exploitability triage — Separate theoretical low-risk code smells from practically exploitable remote vulnerabilities to avoid wasted research effort
- Source code security audit — Combine static scanning and manual end-to-end path tracing to systematically map externally reachable critical flaws
- Pre-research scope validation — Confirm target eligibility against bounty program rules before deep dive research
4. Critical Guiding Principles
- Prioritize remotely reachable attack surfaces over local-only or purely theoretical risks
- Complete scope validation as the first step: Review program rules,
SECURITY.md, and documented exclusion lists - Static analysis tools are only for initial filtering; they cannot replace full manual end-to-end code path inspection
- Functional, minimal PoC proof is mandatory to confirm real exploitability
- Duplicate check before drafting reports: Confirm no matching public advisories or CVEs exist
- Automatically discard low-signal noise patterns: local deserialization, CLI-only eval, missing security headers, and other non-exploitable minor weaknesses