bb-methodology
The bb-methodology skill orchestrates bug bounty hunting sessions by combining a five-phase non-linear workflow with critical thinking frameworks covering developer psychology and anomaly detection. Use it at the start of hunting sessions, when switching targets, when feeling directionally lost, or when deciding what to do next. It first confirms engagement type (bug bounty vs. red team vs. pentest vs. audit) to calibrate what counts as a valid finding, then guides hunters through mindset discipline and phase-specific routing.
git clone --depth 1 https://github.com/elementalsouls/Claude-BugHunter /tmp/bb-methodology && cp -r /tmp/bb-methodology/skills/bb-methodology ~/.claude/skills/bb-methodologySKILL.md
# Bug Bounty Methodology: Workflow + Mindset Master orchestrator for hunting sessions. Combines the 5-phase non-linear workflow with the critical thinking framework that separates top 1% hunters from the rest. --- ## PART 0: MODE CONFIRMATION (Before Anything Else) **Confirm the engagement type before deciding what counts as a finding.** The same target produces a different report shape depending on which mode applies. Getting this wrong is the single biggest waste of time in this workflow — answer it explicitly before Phase 0. | Engagement type | What counts as a finding | What gets rejected | |---|---|---| | **Bug bounty** (H1 / Bugcrowd / Intigriti / private VDP) | Impact-demonstrated bugs ONLY. Full chain to attacker-attainable harm. | Hygiene (EoL software alone, permissive CSP alone, stack traces, info disclosure without concrete impact, "best practice" violations) | | **Red team** (external client engagement) | Hygiene findings + recon + IoCs + defensive-state observations are ALL deliverables | Nothing — even "no finding here" is reportable as a positive defensive observation | | **Pentest** (signed SoW / WAPT) | Depends on SoW. Read scope explicitly. Usually accepts hygiene + impact + recon | Out-of-scope assets, unsigned testing | | **Internal audit** | Compliance-mapped findings (PCI / ISO / NIST / DPDPA / GDPR) | Findings without a control-mapping | **Hard rule:** Before Phase 0 runs, write the engagement type as the first line in your hunt notes. If you can't answer it from the user's instruction, ASK once. Don't assume — the mistake costs both you and the triager. **Lesson from an authorized engagement:** First-pass on this target produced 5 hygiene findings (SP2013 EoL, permissive CSP, stack traces) shipped in red-team format. The engagement was bug-bounty. Findings would have been N/A'd as "informational, no impact demonstrated." After the corrected pass with hygiene-as-context-not-finding, the same target yielded 11 impact-demonstrated bugs including 3 Critical. --- ## PART 1: MINDSET (How to Think) ### Core Principle Hunting is not "find a bug" -- it is "prove an attack scenario." Think like an attacker with a specific goal, not a scanner looking for patterns. ### Daily Discipline: Define, Select, Execute Before touching any tool: 1. **Define**: "Today I target [feature/domain] to achieve [CIA impact]" 2. **Select**: Choose 1-2 vuln classes (IDOR, Race Condition, etc.) 3. **Execute**: Focus ONLY on selected techniques. No wandering. ### 5 Ultimate Goals (Pick One Per Session) 1. **Confidentiality** -- steal data the attacker shouldn't see 2. **Integrity** -- modify data the attacker shouldn't change 3. **Availability** -- disrupt service (app-level DoS only) 4. **Account Takeover** -- control another user's account 5. **RCE** -- execute commands on the server ### 4 Thinking Domains #### 1. Critical Thinking (deep analysis) **Question trust boundaries:** - Frontend control disabled? Send request directly via proxy - `user_role=user` cookie? Change to `admin` - `price=1000` in POST? Change to `1` - `<script>` blocked? Try `<img onerror=...>` **Reverse-engineer developer psychology:** - Feature A has auth checks -> Similar feature B (newly added) probably doesn't - Complex flows (coupon + points + refund) -> Edge cases have bugs - `/api/v2/user` exists -> Does `/api/v1/user` still work with weaker auth? **What-If experiments:** - Skip checkout -> hit `/checkout/success` directly - Skip 2FA -> navigate to `/dashboard` - Send coupon request 10x simultaneously -> Race condition? - Replace `guid=f8a2...` with `id=100` on sibling endpoint -> IDOR? #### 2. Multi-Perspective (multiple angles) | Perspective | What to check | |------------|---------------| | Horizontal (same role) | User A's token + User B's ID -> IDOR | | Vertical (different role) | Regular user -> `/admin/deleteUser` | | Data flow (proxy view) | Hidden params in JSON: `debug=false`, `discount_rate` | | Time/State | Race conditions, post-delete session reuse | | Client environment | Mobile UA -> legacy API with weaker auth | | Business impact | "What's the $ damage if this breaks?" | #### 3. Tactical Thinking (pattern detection) - **Naming anomaly**: `userId` everywhere but suddenly `user_id` -> different dev, weaker security - **Error diff**: Same 403 but different JSON structure -> different backend systems - **Environment diff**: Prod vs Dev/Staging -> debug headers, CSP disabled - **Version diff**: JS file before/after update -> new endpoints, removed params - **Supply chain**: Check framework/library versions for known CVEs - **Third-party integration**: Stripe/Auth0/Intercom -> webhook signature missing? #### 4. Strategic Thinking (big picture) - **Asymmetry**: Defender must patch ALL holes. You only need ONE. - **Intuition engineering**: Log why something "feels wrong." Verify later. Update mental DB. - **Unknown management**: Can't understand something? Add to "investigate later" list. Just-in-Time Learning. ### Amateur vs Pro: 7-Phase Comparison | Phase | Amateur | Pro | |-------|---------|-----| | Recon | Main domain only | Shadow IT, dev environments, all assets | | Discovery | Look for errors | Look for design contradictions, business logic flaws | | Exploit | Give up when blocked | Build filter-bypass payloads | | Escalation | Report the phenomenon only | Chain to real harm (session steal, ATO) | | Feasibility | Include unrealistic conditions | Minimize attack prerequisites | | Reporting | State facts only | Quantify business risk | | Retest | Check if old PoC fails | Analyze fix method, find incomplete patches | ### Two Approach Routes - **Route A (Feature-based)**: "This feature is complex" -> deep-dive its input handling -> find vuln - **Route B (Vuln-based)**: "I want IDOR" -> find endpoints with sequential IDs -> test access control ### Anti-Patterns (Stop Doing These) - **Program hopping**: Stick with one target minimum 2 weeks / 30 hours - **Tool-only hunting**
Run autonomous hunt loop on a target — scope check → recon → rank surface → hunt → validate → report with configurable checkpoints. Usage: /autopilot target.com [--paranoid|--normal|--yolo]
Build an exploit chain — given bug A, finds B and C to combine for higher severity and payout. Knows common chain patterns: IDOR→ATO, SSRF→cloud metadata, XSS→ATO, open redirect→OAuth theft, S3→bundle→secret→OAuth. Usage: /chain
Active vulnerability hunting. Two-track dispatcher — asks Red Team vs WAPT, hands off to hunt-dispatch skill and sibling commands. Usage: /hunt target.com | /hunt *.target.com | /hunt targets.txt [--vuln-class X] [--source-code P] [--chrome]
On-demand intelligence fetch for a target — CVEs, disclosed reports, new features. Wraps learn.py + hunt memory context. Usage: /intel target.com
Inspect or rotate hunt-memory JSONL files (audit.jsonl, patterns.jsonl, journal.jsonl). Caps file size and keeps N rotated backups so memory does not grow unbounded.
Pick up a previous hunt on a target — shows hunt history, untested endpoints, and memory-informed suggestions. Usage: /pickup target.com
Run full recon pipeline on a target — subdomain enum (Chaos API + subfinder), live host discovery (dnsx + httpx), URL crawl (katana + waybackurls + gau), gf pattern classification, nuclei scan. Outputs to recon/<target>/ directory. Usage: /recon target.com
Log current finding or successful pattern to hunt memory. Auto-fills from /validate output if available. Usage: /remember