From bug-bounty-report-submitter
Draft and send evidence-backed bug bounty report emails through a live webmail UI with Playwright MCP, using the user-specified recipient and verified proof.
How this skill is triggered — by the user, by Claude, or both
Slash command
/bug-bounty-report-submitter:bug-bounty-email-submitterThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Draft the report bundle first, then open the sender mailbox in a browser and send from the live webmail UI with Playwright MCP.
Draft the report bundle first, then open the sender mailbox in a browser and send from the live webmail UI with Playwright MCP.
Load these on demand:
plugins/bounty-hunting-programs/skills/bounty-program-triage/SKILL.md if target scope or disclosure constraints are still unclearOptional helper:
python plugins/bug-bounty-report-submitter/skills/bug-bounty-report-submitter/scripts/prepare_web3_report_bundle.py --finding-dir <finding-dir> --bundle-dir <bundle-dir>python plugins/bug-bounty-report-submitter/skills/bug-bounty-report-submitter/scripts/prepare_report_artifacts.py --finding-dir <finding-dir> --bundle-dir <bundle-dir>python plugins/bug-bounty-report-submitter/skills/bug-bounty-report-submitter/scripts/record_asciinema_replay.py --finding-dir <finding-dir> --workdir <target-dir> --run-command "<cmd>" --success-signal "<signal>"python plugins/bug-bounty-report-submitter/skills/bug-bounty-report-submitter/scripts/prepare_external_proof_pack.py --bundle-dir <bundle-dir> --run-command "<cmd>" --success-signal "<signal>" --publish-gistpython plugins/bug-bounty-report-submitter/skills/bug-bounty-report-submitter/scripts/validate_submission_bundle.py --bundle-dir <bundle-dir> --channel emailTRUE POSITIVE from security-finding-reverify before any email disclosure work begins.severity.md in the finding bundle. Use it as the source of truth for severity labels, CWE, CVSS when applicable, affected asset, preconditions, impact reasoning, and downgrade notes.preverify.md and preverify-gate.json, block AI slop, require a standalone PoC code file, require decisive output logs, and reject any replay path that still depends on source-tree /test.asciinema after the draft is stable. Native PATH is preferred. WSL is only fallback. If both checks fail, stop immediately.If any precondition is missing, gather it before email work starts.
Create bug-bounty-reports/<slug>/<finding-id>/ and keep:
facts.md - raw verified facts onlyfacts-chain.md - optional chain, market, tx, block, and contract identifiers for web3 or exchange findingsimpact.md - observed impact and reasoned extension kept separateimpact-financials.md - optional asset delta, attack capital, and solvency or settlement impact for web3 or exchange findingsseverity.md - severity level, CWE, CVSS when applicable, affected asset, preconditions, impact reasoning, and downgrade notespreverify.md - automatic pre-submit gate summary with independent clearance reasoning or blockerspreverify-gate.json - machine-readable pre-submit gate verdict, AI-slop result, standalone PoC path, and decisive log pathenvironment.md - optional fork, staging, testnet, or static-only replay assumptionsartifacts.json - evidence inventory with stable IDs and file pathspoc.md - replayable exploit or reproduction detailsreport-appendix.md - optional markdown appendix used only when the email program explicitly requires an attachment or the provider makes the full detail body impossible inlinereverify.md - independent re-verification verdict and blockers already checkedexternal-evidence.json - required secret-gist pointer for the detailed PoC, helper files, and raw logsevidence/asciinema/asciinema-session.json - mandatory replay-recording metadata with the uploaded asciinema URLevidence/asciinema/reverify-session.cast - mandatory local terminal replay recordingmail-ui-schema.json - live compose controls, attachment flow, and send confirmation signalsmail-envelope.json - to, optional cc and bcc, subject, and attachment planmail-envelope.json.external_proof - required proof-reference contract when external-evidence.json existsemail-draft.md - final subject and body draftweb3-facts.json - optional normalized chain-aware facts for web3-heavy findingsasset-delta.md - optional observed fund movement or market-state change summaryreproduction-matrix.md - optional prerequisite and replay matrix for web3-heavy findingsproof-pack/ - gist-ready runnable PoC pack whose two mandatory anchors are the standalone PoC code file and the decisive output-log fileconfirmation.md - sent time, recipient, provider confirmation, screenshot path, follow-up notesevidence/ - screenshots, HAR, asciinema .cast, video, logs, payloads, PoC filesmail-ui-schema.json.facts.md, copy impact reasoning into impact.md, carry severity/CWE/CVSS from severity.md, inventory every artifact in artifacts.json, store the replayable exploit path in poc.md, and carry the independent verdict into reverify.md.
asciinema terminal recordings, preserve the .cast files as first-class evidence entries. They stay supplemental; the email body still needs inline replay steps and decisive PoC output.artifacts/poc/ and decisive output logs belong under artifacts/logs/. If the saved replay still points at source-tree /test, stop and fix the finding before drafting.facts-chain.md, impact-financials.md, environment.md, web3-facts.json, asset-delta.md, and reproduction-matrix.md instead of flattening everything into one prose blob.
prepare_web3_report_bundle.py to materialize web3-facts.json, asset-delta.md, and reproduction-matrix.md before drafting the email body.preverify-gate.json says status: passed, ai_slop_detected: false, and points to both a standalone PoC code file plus decisive output logs.mail-envelope.json from the verified recipient, severity.md, and the discovered mailbox behavior. Do not invent cc, bcc, reply-to, or tracking settings.
external-evidence.json exists, add mail-envelope.json.external_proof with:
requiredtypeurlsource: "external-evidence.json"target_fieldinline_note_requiredemail-draft.md from facts.md, poc.md, impact.md, reverify.md, severity.md, preverify.md, and preverify-gate.json using references/email-report-structure.md, the shared Immunefi-style body template, and the shared report-writing rules. Build the subject from target, exact vuln type, location, and max observed impact.record_asciinema_replay.py for the final clean standalone rerun, then run prepare_report_artifacts.py so the email proof does not depend on source tool state.Output from POC, and exploit excerpt even in plain text. The final tone should feel careful, serious, and reviewer-friendly rather than automated or promotional. Do not proceed if the finding is still reverify-pending, needs-more-evidence, false-positive, or preverify-blocked.report-appendix.md and build proof-pack/ with the shared external-proof-pack workflow for every disclosure bundle. A secret gist link is mandatory because it carries the detailed PoC, helper files, the full report, and raw logs. The proof pack must include the standalone PoC code file and the decisive output-log file. The final clean replay must also have an uploaded asciinema URL. The email body must place PoC and logs: [gist-url](gist-url) and PoC runtime: [asciinema-url](asciinema-url) in that order, with the asciinema line on the next non-empty line starting in the opening summary or intro paragraph.validate_submission_bundle.py --bundle-dir <bundle-dir> --channel email after bundle prep and again immediately before send. Treat any failure as a hard blocker.To field to the user-specified address, fill the subject and body from mail-envelope.json and email-draft.md, and save a draft when the provider supports it. Do not attach files by default. If an attachment is genuinely required, prefer report-appendix.md instead of raw source files.confirmation.md.report-writing-rules.md: [Target] - [Vulnerability Type] at [Location] leads to [Impact].severity.md for any severity tag, CWE, or CVSS value. Recalculate only when the recipient explicitly requires a different format.IDOR, RCE, Reentrancy, SSRF, not vague wording.[CRITICAL] or [HIGH] only when it is evidence-backed and useful to the program.Brief/Intro -> Vulnerability Details -> The Vulnerable Function or Affected Endpoint -> Why The Check Fails -> Attack Vector Explained -> Impact Details -> Output from POC -> Proof of Concept.asciinema .cast, video, replay script, or poc.md.reverify.md constrain the claim. Report what survived independent review, not the hunter's most aggressive wording.Output from POC in the body before attaching or pasting the full PoC.report-appendix.md or another markdown/plain-text appendix that restates the full detail body instead of relying on a raw code file.could potentially, may allow, or similar hedging for the main claim.Critical Bug Found!!! or I hacked your database.mail-envelope.json and email-draft.md.browser_snapshot before login, after login, after compose opens, and before sending.browser_fill_form for standard input fields and browser_type for rich-text editors or chip-based address boxes.artifacts.json, mail-envelope.json, and local evidence paths are final.Return:
mail-ui-schema.json and mail-envelope.json pathsnpx claudepluginhub daothinh/spec-cdex --plugin bug-bounty-report-submitterGuides completion of development work by verifying tests, detecting environment, and presenting structured options for merge, PR, or cleanup.
Guides creation and editing of skills using test-driven development with pressure scenarios and subagents to verify agent compliance.
Dispatches multiple subagents concurrently for independent tasks without shared state. Use when facing 2+ unrelated failures or subsystems that can be investigated in parallel.