Standard bug bounty workflow for web and API targets across JavaScript and TypeScript, Python, Ruby, PHP, Java, Go, and .NET frameworks. Use when reviewing routes, controllers, auth layers, admin panels, background jobs, webhooks, or multi-tenant application logic.
How this skill is triggered — by the user, by Claude, or both
Slash command
/bounty-hunting-programs:bounty-program-webThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Use this workflow for monoliths, APIs, admin portals, and service backends.
Use this workflow for monoliths, APIs, admin portals, and service backends.
Load these references on demand:
../../references/bounty-standard.md../../references/codex-ready-building-blocks.md../../references/web-framework-matrix.md../../references/report-checklist.md.burp project, API collection, or captured request corpusweb-framework-matrix.md.audit-context-building for deep route and trust-boundary comprehensionsharp-edges for language and framework risk patternsinsecure-defaults for debug, auth, CORS, storage, or deployment defaultssupply-chain-risk-auditor for dependency exposureburpsuite-project-parser if a Burp project is already availablecaido when authenticated request replay or traffic-corpus mining will be faster than rebuilding requests manuallyagentic-actions-auditor when CI, GitHub Actions, or agent-driven release flows touch the targetprep/caido-plan.md if the target came from bounty-target-bootstraphealth, auth-status, projects, and recent to verify corpus readinesssearch to find authenticated seed requests, then edit and replay for boundary hypothesesexport-evidence --out <finding>/artifacts/caidoprep/asset-inventory.mdmedium+ issue, use variant-analysis to search for siblings.semgrep-rule-creator and generalize it with semgrep-rule-variant-creator.edit over hand-rebuilding cookies, CSRF tokens, and auth headers.kage for recon and breadth. Use caido for authenticated mutation, replay-heavy flows, and quick curl PoCs.TRUE POSITIVE, compare it against scope/target.json, scope/in-scope.md, scope/rules.md, and prep/severity-conditions.md.medium+ finding exists or an exact scope or environment blocker is recorded.export-curl output paths, and export-evidence directories in the local finding bundle.sync-finding only for operator visibility. Local finding bundles remain authoritative for reverify and report submission.npx claudepluginhub daothinh/spec-cdex --plugin bounty-hunting-programsCreates structured, bite-sized implementation plans from specs or requirements before writing code. Useful for breaking down multi-step tasks into testable steps with file structure and task boundaries.