Skill

hackenproof-triage-marketplace

Triages HackenProof bug bounty reports: validates scope, commit/version, PoC evidence, duplicates; assigns severity, state, labels, and comments.

security

npx claudepluginhub hackenproof-public/skills --plugin hackenproof-triage

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Execute consistent, evidence-based triage for HackenProof bug bounty reports.

Supporting Assets

agents/openai.yamlreferences/hackenproof-global-policy.mdreferences/severity-mapping.mdreferences/triage-comment-templates.md

SKILL.md

Similar Skills

hackenproof-bulk-triage

Bulk triages open reports across assigned HackenProof programs: discovers reports via API, syncs local git repos, analyzes each, outputs structured recommendations for human review.

2 files

hackenproof-bulk-triage

hackerone

223

Automates HackerOne bug bounty workflows: parses scope CSVs, deploys parallel pentesting agents per asset, validates PoCs with poc.py and output, generates submission reports. Use for HackerOne program testing.

6 files

communitytools

security-bounty-hunter

173.8k

Hunts exploitable, bounty-worthy security issues in repositories. Focuses on remotely reachable vulnerabilities qualifying for reports to Huntr, HackerOne, skipping local-only noise.

everything-claude-code

Stats

Parent Repo Stars15

Parent Repo Forks0

Last CommitMar 26, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

HackenProof Triage Marketplace

Execute consistent, evidence-based triage for HackenProof bug bounty reports.

Workflow

Apply global HackenProof classification baseline from references/hackenproof-global-policy.md.
Run pre-validation gates in strict order: a. Verify the reported commit/version is the intended in-scope commit. b. Verify the submission target and impact are in scope. c. Verify PoC evidence is provided and readable. d. Verify whether an equivalent duplicate already exists.
Start technical validation only after all pre-validation gates pass.
Classify severity, choose state transition, and apply labels.
Post a concise decision comment with explicit rationale and next action.

Mandatory Tool Sequence

Run get_program_info for scope and reward context.
Detect program type from get_program_info (for example: web, mobile, smart-contract, blockchain).
Map detected type to the equivalent vulnerability classification section in references/hackenproof-global-policy.md.
Run get_report_details to extract target, asset, and reported commit/version.
Run get_attachments; if no PoC evidence exists, set Need more info immediately.
Run fetch_attachment to confirm commit/version evidence in PoC files.
Compare commit/version against in-scope assets and versions from program rules.
Verify in-scope status for both target and claimed impact using program scope/rules, then global baseline if no override exists.
Run list_reports/search_comments to check duplicate candidates before validation.
Start validation: confirm reproducibility, impact, exploit preconditions, and proof quality.
Run get_comments before posting to avoid contradictory messaging.
Only then change severity, state, labels, and add comments.

Pre-Validation Gates

Gate 1: Commit or Version Match

Confirm the submission references a concrete commit hash, tag, or release version.
Confirm that commit/version maps to an in-scope repository, branch, deployment, or audit target.
If commit/version is missing or mismatched, set Need more info and request exact commit evidence.

Gate 2: Scope Match

Confirm target asset is in scope.
Confirm reported impact category is in scope for bounty eligibility.
Confirm the finding matches the equivalent classification track for the detected program type.
If either target or impact is excluded, mark Out of scope with explicit rule reference.

Gate 3: Duplicate Check

Search for same root cause and same impacted component before deep validation.
Treat as duplicate only when both root cause and impact match an existing report.
Add dup-{report_id} label when marking Duplicate.

Gate 4: PoC Presence Check

Confirm at least one usable PoC artifact exists (steps, payload, tx hash, video, logs, or attachment).
If no PoC is provided, set Need more info and request concrete PoC evidence.

Decision Rules

Reject or mark Need more info when PoC is missing, commit/version evidence is missing, or reproduction steps are incomplete with no verifiable PoC.
Mark Out of scope when target or impact is excluded by program scope/rules.
Mark Duplicate only when matching root cause and impact are confirmed; add dup-{report_id} label.
Use Informative/Not applicable for weak-impact findings that do not meet bounty criteria.
Move valid reports to Triaged with severity aligned to program policy and demonstrated impact.

Use references/severity-mapping.md for impact-to-severity normalization. Use references/hackenproof-global-policy.md for HackenProof-wide scope and severity baseline. Use references/triage-comment-templates.md for consistent responder tone and structure.

Quality Bar

Ground every decision in concrete evidence from report fields, attachments, or program rules.
Keep comments short, specific, and actionable; state exactly what is missing when requesting more info.
Never guess exploitability when evidence is weak; request clarification instead.
Prefer reversible actions (Need more info) over premature invalidation when uncertainty is material.