From bug-bounty-report-submitter
Inspect live bug bounty forms with Playwright MCP, then draft and submit evidence-backed reports that match the platform fields, proof requirements, and attachment flow.
How this skill is triggered — by the user, by Claude, or both
Slash command
/bug-bounty-report-submitter:bug-bounty-report-submitterThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Inspect the live submission form first, then turn independently re-verified findings into an evidence-backed report bundle and submit it through Playwright MCP.
references/asciinema-proof.mdreferences/external-proof-pack.mdreferences/immunefi-body-template.mdreferences/playwright-submit.mdreferences/report-structure.mdreferences/report-writing-rules.mdreferences/writing-style.mdscripts/prepare_external_proof_pack.pyscripts/prepare_report_artifacts.pyscripts/prepare_web3_report_bundle.pyscripts/record_asciinema_replay.pyscripts/validate_submission_bundle.pyInspect the live submission form first, then turn independently re-verified findings into an evidence-backed report bundle and submit it through Playwright MCP.
Load these on demand:
plugins/bounty-hunting-programs/skills/bounty-program-triage/SKILL.md if target scope or program constraints are still unclearOptional helper:
python plugins/bug-bounty-report-submitter/skills/bug-bounty-report-submitter/scripts/prepare_web3_report_bundle.py --finding-dir <finding-dir> --bundle-dir <bundle-dir>python plugins/bug-bounty-report-submitter/skills/bug-bounty-report-submitter/scripts/prepare_report_artifacts.py --finding-dir <finding-dir> --bundle-dir <bundle-dir>python plugins/bug-bounty-report-submitter/skills/bug-bounty-report-submitter/scripts/record_asciinema_replay.py --finding-dir <finding-dir> --workdir <target-dir> --run-command "<cmd>" --success-signal "<signal>"python plugins/bug-bounty-report-submitter/skills/bug-bounty-report-submitter/scripts/prepare_external_proof_pack.py --bundle-dir <bundle-dir> --run-command "<cmd>" --success-signal "<signal>" --publish-gistpython plugins/bug-bounty-report-submitter/skills/bug-bounty-report-submitter/scripts/validate_submission_bundle.py --bundle-dir <bundle-dir> --channel formTRUE POSITIVE from security-finding-reverify before any submission work begins.severity.md in the finding bundle. Use it as the source of truth for Severity, CWE, CVSS, affected asset, exploit preconditions, impact reasoning, and downgrade notes.asciinema. Native PATH is preferred. WSL is only fallback. If both checks fail, stop immediately.preverify.md and preverify-gate.json, block AI slop, require a standalone PoC code file, require decisive output logs, and reject any replay path that still depends on source-tree /test.If any precondition is missing, gather it before submission work starts.
Create bug-bounty-reports/<slug>/<finding-id>/ and keep:
facts.md - raw, verified facts onlyfacts-chain.md - optional chain, market, tx, block, and contract identifiers for web3 or exchange findingsimpact.md - observed impact and reasoned extension kept separateimpact-financials.md - optional asset delta, attack capital, and solvency or settlement impact for web3 or exchange findingsseverity.md - severity level, CWE, CVSS when applicable, affected asset, preconditions, impact reasoning, and downgrade notespreverify.md - automatic pre-submit gate summary with independent clearance reasoning or blockerspreverify-gate.json - machine-readable pre-submit gate verdict, AI-slop result, standalone PoC path, and decisive log pathenvironment.md - optional fork, staging, testnet, or static-only replay assumptionsform-schema.json - live form fields, options, limits, and notesartifacts.json - evidence inventory with stable IDs and file pathspoc.md - replayable exploit or reproduction detailsreport-appendix.md - optional markdown appendix used only when the platform requires an attachment or the field limits cannot honestly hold the full detail bodyreverify.md - independent re-verification verdict and blockers already checkedreport.md - final prose draftsubmission.json - field-to-value map for the formsubmission.json.external_proof - required proof-reference contract when external-evidence.json existsexternal-evidence.json - required secret-gist pointer for the detailed PoC, helper files, and raw logsevidence/asciinema/asciinema-session.json - mandatory replay-recording metadata with the uploaded asciinema URLevidence/asciinema/reverify-session.cast - mandatory local terminal replay recordingweb3-facts.json - optional normalized chain-aware facts for web3-heavy findingsasset-delta.md - optional observed fund movement or market-state change summaryreproduction-matrix.md - optional prerequisite and replay matrix for web3-heavy findingsproof-pack/ - gist-ready runnable PoC pack whose two mandatory anchors are the standalone PoC code file and the decisive output-log fileevidence/poc/ - copied standalone PoC code and helper filesevidence/logs/ - copied decisive output logsevidence/ - screenshots, HAR, asciinema .cast, video, logs, payloads, PoC filesconfirmation.md - final URL, report ID, screenshots, follow-up notesform-schema.json.facts.md, copy impact reasoning into impact.md, carry severity/CWE/CVSS from severity.md, inventory every artifact in artifacts.json, store the replayable exploit path in poc.md, and carry the independent verdict into reverify.md.
facts-chain.md, impact-financials.md, environment.md, web3-facts.json, asset-delta.md, and reproduction-matrix.md instead of flattening everything into one prose blob.prepare_web3_report_bundle.py to materialize web3-facts.json, asset-delta.md, and reproduction-matrix.md before long-form drafting.artifacts/poc/ and decisive output logs belong under artifacts/logs/. If the saved replay still points at source-tree /test, stop and fix the finding before drafting.asciinema terminal recordings, preserve the .cast files as first-class evidence entries. They stay supplemental; the body still needs inline replay steps and decisive PoC output.poc.md as incomplete until it includes an exact run command or deterministic replay sequence plus a success signal that can be observed again.preverify-gate.json says status: passed, ai_slop_detected: false, and points to both a standalone PoC code file plus decisive output logs.report.md from facts.md, poc.md, impact.md, reverify.md, severity.md, preverify.md, and preverify-gate.json using references/immunefi-body-template.md, references/report-structure.md, and references/report-writing-rules.md. Use the local scaffold only to preserve content order. Rewrite or collapse generic headings before anything reaches the live form so the submitted text reads like a target-specific analyst note, not a reusable skeleton.record_asciinema_replay.py for the final clean standalone rerun, then run prepare_report_artifacts.py so artifacts.json, evidence/, evidence/poc/, evidence/logs/, and evidence/asciinema/ exist and local proof does not depend on source tool state. If artifacts/caido/ exists in the finding bundle, preserve those request metadata files, curl PoCs, and response snapshots as first-class evidence entries.submission.json from form-schema.json, not from a fixed template. Include custom site fields exactly as discovered and precompute title, summary, severity, CVSS, and field-specific short variants from verified facts and severity.md only.
external-evidence.json exists, add submission.json.external_proof with:
requiredtypeurlsource: "external-evidence.json"target_fieldinline_note_requiredreverify-pending, needs-more-evidence, false-positive, or preverify-blocked.report-appendix.md and proof-pack/ with references/external-proof-pack.md for every report bundle. A secret gist link is mandatory because it carries the detailed PoC, helper files, the full report, and raw logs that the main form cannot hold comfortably. The final clean replay must also have an uploaded asciinema URL from references/asciinema-proof.md. The proof pack must include the standalone PoC code file and the decisive output-log file. The inline body must still name the exact bug, exploit path, run command, decisive output, then place PoC and logs: [gist-url](gist-url) and PoC runtime: [asciinema-url](asciinema-url) in that order with the asciinema line on the next non-empty line.validate_submission_bundle.py --bundle-dir <bundle-dir> --channel form after bundle prep and again immediately before submit. Treat any failure as a hard blocker.report-appendix.md as the primary upload rather than raw source files. Do not add unsolicited follow-up comments, moderator notes, or large code dumps after submission unless the reviewer asks for a missing detail or the original form could not carry a decisive replay step. Submit only after the validator passes and the visible form matches submission.json, including the required gist reference.confirmation.md.asciinema URL so the triager can immediately open the full PoC pack and recorded replay if needed.summary -> exact bug location -> root cause -> exploit path -> observed impact -> decisive PoC output -> minimal replay, but do not force those exact phrases as literal headings in the submitted text.Vulnerability Details code-first: show the vulnerable function or exact snippet immediately, then explain why that code path fails.Brief/Intro, Vulnerability Details, Impact Details, Output from POC, and Proof of Concept as local drafting aids only. In the final submission, prefer the platform's labels or tighter target-specific headings such as the exact function, endpoint, or failure mode.severity.md; recalculate only when the platform requires a different format or verified evidence changed.Output from POC or its field-equivalent must appear before the full PoC whenever a PoC exists.Output from POC or equivalent evidence block before the full PoC when logs, balances, tx results, or assertions make the impact obvious faster than code alone.report-appendix.md with the same self-contained detail structure instead of a raw .sol, .py, .js, .t.sol, or archive file whenever the platform accepts markdown or plain text.proof-pack/ and reference the resulting secret gist naturally in the summary/intro plus the evidence field or inline note. The body must still stand alone without that link.asciinema .cast, video, or logs may be uploaded only as evidence supplements. They must never be the only place where the triager can learn the core bug mechanics.artifacts.json, not to offload the core claim.could potentially, may allow, or similar hedging for the main claim.browser_snapshot before any drafting, before the first fill, and after each major section.browser_fill_form for standard controls and browser_type for editors with live validation.form-schema.json if hidden or dynamic fields appear after a selection.browser_file_upload only after submission.json, artifacts.json, and local artifact paths are final.severity.md and document any required format conversion in submission.json.Return:
artifacts.json and evidence/ pathsform-schema.json and submission.json pathsGuides completion of development work by verifying tests, detecting environment, and presenting structured options for merge, PR, or cleanup.
Guides creation and editing of skills using test-driven development with pressure scenarios and subagents to verify agent compliance.
Dispatches multiple subagents concurrently for independent tasks without shared state. Use when facing 2+ unrelated failures or subsystems that can be investigated in parallel.
npx claudepluginhub daothinh/spec-cdex --plugin bug-bounty-report-submitter