Research bug bounty programs from HackerOne/Bugcrowd/Intigriti - extract scope, bounties, exclusions, rules, and program intel using Playwright browser automation, Perplexity AI search, and HackerOne API
From greyhatccnpx claudepluginhub overtimepog/greyhatcc --plugin greyhatccThis skill uses the workspace's default tool permissions.
Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.
Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.
Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.
Comprehensive bug bounty program research that extracts ALL program details needed before starting an engagement.
/greyhatcc:program <HackerOne URL or program handle> — Full program research/greyhatcc:program <URL> --quick — Scope-only extraction (skip deep research)HackerOne pages require JavaScript rendering — WebFetch returns empty HTML. This skill orchestrates Playwright browser automation (primary), HackerOne API (when configured), and Perplexity AI search (supplementary) to extract every detail needed for Phase 0 of a bug bounty engagement.
Without this skill, Phase 0 requires manual browsing and copy-pasting. With it, the entire program research phase is automated into structured files ready for the engagement.
Parse the input to determine:
https://hackerone.com/<handle> or https://hackerone.com/<handle>?type=team → extract <handle>https://bugcrowd.com/<handle> → extract handle, adjust scraping selectorsmeesho_bbp → assume HackerOne, construct URLHANDLE = extracted program handle (e.g., "meesho_bbp")
PLATFORM_URL = full program URL
PROGRAM_DIR = bug_bounty/<handle>_bug_bounty/
Use a multi-source approach — no single source has everything:
| Source | What It Gets | Reliability | Speed |
|---|---|---|---|
| HackerOne API MCP | Program detail, structured scopes, bounty table, policy, hacktivity, stats | HIGHEST (official API, structured JSON) | 1-3s |
| Playwright MCP | Visual scope table, bounty table, exclusions, policy text (for JS-rendered content not in API) | HIGH (renders JS) | 10-20s |
| Perplexity | Program context, tech stack, previous disclosures, company intel | MEDIUM (AI search) | 3-5s |
| OpenRouter (minimax) | Large-context analysis and synthesis of all gathered data | HIGH (reasoning) | 5-10s |
| Context7 | Live framework documentation for detected technologies — default configs, hidden endpoints | HIGH (current docs) | 2-4s |
| WebSearch | Additional program intel, disclosed reports, writeups | MEDIUM | 2-3s |
Use the HackerOne MCP server for instant structured data extraction. Run ALL of these in parallel:
Use: mcp__plugin_greyhatcc_hackerone__h1_program_detail
Arguments: { handle: "<HANDLE>" }
Returns: Program name, description, state, response efficiency, stats, created_at, bounty info.
Use: mcp__plugin_greyhatcc_hackerone__h1_structured_scopes
Arguments: { handle: "<HANDLE>", page_size: 100 }
Returns: All scope assets with type, identifier, bounty eligibility, max_severity, instructions.
Use: mcp__plugin_greyhatcc_hackerone__h1_bounty_table
Arguments: { handle: "<HANDLE>" }
Returns: Bounty ranges by severity (Critical/High/Medium/Low).
Use: mcp__plugin_greyhatcc_hackerone__h1_program_policy
Arguments: { handle: "<HANDLE>" }
Returns: Full policy text including rules, exclusions, safe harbor, disclosure policy.
Use: mcp__plugin_greyhatcc_hackerone__h1_hacktivity
Arguments: { handle: "<HANDLE>", page_size: 50 }
Returns: Recently disclosed/resolved reports — shows what vulns have been found before.
Use: mcp__plugin_greyhatcc_hackerone__h1_auth_status
Verify API access is working before relying on API data.
If API is not configured or fails: Fall through to Step 1 (Playwright). The API data is preferred but not required — Playwright can extract the same data visually.
If API succeeds: You can SKIP Step 1 (Playwright) for data extraction. Still use Playwright in Step 1b for screenshots only.
Use the Playwright MCP tools to browse the HackerOne program page and extract all data.
Use: mcp__plugin_playwright_playwright__browser_navigate
URL: https://hackerone.com/<HANDLE>
Wait for the page to fully load. HackerOne is a React SPA — content loads asynchronously.
Use: mcp__plugin_playwright_playwright__browser_wait_for
Wait for: text "Policy" or text "Scope" or text "In scope" (indicates page has loaded)
Timeout: 15000ms
Use: mcp__plugin_playwright_playwright__browser_take_screenshot
Save to PROGRAM_DIR/evidence/program_page.png
Use: mcp__plugin_playwright_playwright__browser_snapshot
From the accessibility snapshot, extract:
Use: mcp__plugin_playwright_playwright__browser_navigate
URL: https://hackerone.com/<HANDLE>/policy_scopes
Or click the "Policy" tab if visible. Wait for scope tables to render.
Use: mcp__plugin_playwright_playwright__browser_snapshot
From the snapshot, systematically extract:
In-Scope Assets:
Out-of-Scope Assets:
Bounty Table:
Look for these sections in the page content:
If the snapshot doesn't capture table data well, use browser_evaluate to extract via DOM:
Use: mcp__plugin_playwright_playwright__browser_evaluate
Script: |
// Extract scope tables
const tables = document.querySelectorAll('table');
const data = [];
tables.forEach(t => {
const rows = [...t.querySelectorAll('tr')].map(r =>
[...r.querySelectorAll('td, th')].map(c => c.textContent.trim())
);
data.push(rows);
});
// Extract policy text
const policySections = document.querySelectorAll('[class*="policy"], [class*="scope"], [class*="markdown"]');
const policyText = [...policySections].map(s => s.textContent.trim());
JSON.stringify({ tables: data, policy: policyText });
If Step 0 (API) was skipped or partially failed, and H1_API_TOKEN env var exists, retry individual API calls here to fill gaps in Playwright data. If Step 0 succeeded fully, skip this step.
Cross-reference API data with Playwright data to ensure completeness — the API provides structured JSON while Playwright captures JS-rendered visual content.
Run these queries in parallel using mcp__perplexity-ask__perplexity_ask:
Query: "<COMPANY_NAME> bug bounty program scope technology stack infrastructure 2025 2026"
Extract: Tech stack, known infrastructure, cloud providers, key domains
Query: "<COMPANY_NAME> HackerOne disclosed reports vulnerabilities hacktivity 2024 2025"
Extract: Previously found vuln types, researcher names, bounty amounts paid
Query: "<COMPANY_NAME> engineering blog tech stack microservices API architecture"
Extract: Internal tech choices, API patterns, frameworks, mobile app tech
Run in parallel with Perplexity:
Use: WebSearch
Query: "site:hackerone.com <HANDLE> disclosed"
Use: WebSearch
Query: "<COMPANY_NAME> bug bounty writeup 2024 2025"
bug_bounty/<HANDLE>_bug_bounty/
scope.md ← Full program scope document
attack_plan.md ← Prioritized attack plan
findings_log.md ← Empty findings log (template)
gadgets.json ← Empty gadget inventory
tested.json ← Empty tested tracker
submissions.json ← Empty submissions tracker
recon/ ← Recon artifacts directory
reports/ ← Reports directory
evidence/ ← Evidence directory
program_page.png ← Screenshot from Step 1b
scripts/ ← Custom scripts directory
notes/ ← Research notes directory
program_research.md ← Full research notes from all sources
This is the most critical file. It feeds into ALL other skills via the context-loader protocol.
# <Program Name> Bug Bounty Program
**Platform:** HackerOne
**URL:** https://hackerone.com/<HANDLE>
**Researcher:** overtimedev
**Date Researched:** YYYY-MM-DD
**Program Type:** Managed / Community / Private
## Response Targets
| Metric | Target |
|--------|--------|
| Time to first response | X business days |
| Time to triage | X business days |
| Time to bounty | X business days |
| Time to resolution | X business days |
## Program Statistics
- Reports resolved: X
- Hackers thanked: X
- Bounties paid: $X
- Average bounty: $X (if available)
## Bounty Table
| Severity | Range |
|----------|-------|
| Critical | $X - $Y |
| High | $X - $Y |
| Medium | $X - $Y |
| Low | $X - $Y |
## In-Scope Assets
| Asset | Type | Priority/Tier | Bounty Eligible | Notes |
|-------|------|--------------|-----------------|-------|
| example.com | Domain | Critical | Yes | Main domain |
| ... | ... | ... | ... | ... |
## Out-of-Scope Assets
| Asset | Type | Reason |
|-------|------|--------|
| ... | ... | ... |
## Program Rules
- [ list every rule that constrains testing ]
- Required headers: ...
- Account restrictions: ...
- Rate limits: ...
- Prohibited methods: ...
## Non-Qualifying Vulnerabilities (EXCLUSION LIST)
**CHECK EVERY FINDING AGAINST THIS LIST BEFORE WRITING A REPORT**
- [ full list of excluded vulnerability types ]
## Safe Harbor
[ safe harbor statement if present ]
## Disclosure Policy
[ coordinated / full / private — terms ]
## Additional Notes
[ any program-specific notes, special instructions, tips from research ]
Based on the scope and research, create a prioritized attack plan:
# Attack Plan: <Program Name>
## Priority Targets (by bounty potential and attack surface)
### Tier 1 — Highest Value
1. **[asset]** — [why it's high value: large attack surface, complex auth, payment flows, etc.]
- Test vectors: [specific tests to run]
- Tools: [specific skills/tools to use]
### Tier 2 — Medium Value
...
### Tier 3 — Quick Wins
...
## Attack Vectors to Prioritize
Based on tech stack (<identified tech>):
1. [vector] — [why]
2. [vector] — [why]
## Known Previous Findings
From disclosed reports and research:
- [finding type] — [was it patched? can we find variants?]
## Recon Tasks (Phase 1)
- [ ] Subdomain enumeration → /greyhatcc:subdomains
- [ ] Port scanning → /greyhatcc:portscan
- [ ] JS analysis → /greyhatcc:js
- [ ] Cloud recon → /greyhatcc:cloud
- [ ] Shodan intel → /greyhatcc:shodan
- [ ] Tech fingerprint on each in-scope domain
- [ ] WAF detection on each in-scope domain
findings_log.md:
# Findings Log: <Program Name>
| # | Date | Asset | Title | Severity | Status | Report |
|---|------|-------|-------|----------|--------|--------|
gadgets.json:
{"gadgets": [], "chains": []}
tested.json:
{"tested": []}
submissions.json:
{"submissions": []}
Dump ALL raw research data here — Perplexity responses, search results, API data, page content. This is the reference document for the full engagement.
After creating all files, auto-invoke the scope-management skill to create .greyhatcc/scope.json from the extracted data:
Invoke: scope-management skill
Action: init <HANDLE> with extracted scope data
Print a summary to the user:
## Program Research Complete: <Program Name>
**Scope:** X in-scope assets, Y out-of-scope, Z exclusion rules
**Bounties:** $Low_min-$Critical_max range
**Stats:** X reports resolved, $Y avg bounty
### Top Priority Targets
1. [target] — [why]
2. [target] — [why]
3. [target] — [why]
### Key Exclusions to Watch
- [most important exclusions that could waste submissions]
### Recommended Next Steps
1. `/greyhatcc:recon <primary_target>` — Start Phase 1 recon
2. `/greyhatcc:subdomains <root_domain>` — Subdomain enumeration
3. `/greyhatcc:shodan <primary_target>` — Shodan intelligence
Files created in: bug_bounty/<HANDLE>_bug_bounty/
After identifying the tech stack from fingerprinting (Step 1) and Perplexity research (Step 3), use Context7 MCP to pull up-to-date documentation for each identified technology. This reveals:
For each major technology identified in the target's stack:
Step 1: Resolve the library ID
Use: mcp__Context7__resolve-library-id
libraryName: "<technology name>" (e.g., "next.js", "spring-boot", "express", "django")
query: "security configuration authentication vulnerabilities"
Step 2: Query security-relevant docs
Use: mcp__Context7__query-docs
libraryId: "<resolved library ID>" (e.g., "/vercel/next.js")
topic: "security configuration authentication middleware CORS headers"
| If Detected | Context7 Query Focus | What to Extract |
|---|---|---|
| Next.js | Auth middleware, API routes, CORS, CSP, rewrites | Default CORS behavior, middleware bypass patterns, API route auth |
| Spring Boot | Actuator, security config, CORS, CSRF | Default actuator endpoints, security filter chain, CORS config |
| Express/Node | Middleware, CORS, helmet, session, auth | Default middleware order, session config, CORS options |
| Django | Security settings, CSRF, auth, middleware | SECURE_* settings defaults, middleware stack, auth backends |
| React | XSS sink patterns, security best practices | Unsafe rendering patterns, CSP integration |
| GraphQL (Apollo/Yoga) | Introspection, depth limiting, auth directives | Default introspection behavior, query complexity settings |
| AWS SDK | S3 permissions, IAM, Cognito, Lambda | Default bucket policies, Cognito user pool config |
| Firebase | Security rules, auth, storage rules | Default Firestore/Storage rules, auth config |
| WordPress | REST API, authentication, plugins | REST API default exposure, xmlrpc, auth endpoints |
/_next/data/)After identifying the tech stack, consult the reference-guides skill to identify attack vectors:
Invoke: reference-guides skill
Query: <identified tech stack components>
Cross-reference the identified technologies with vulnerability-specific cheatsheets:
| Tech Detected | Primary Reference | Attack Vectors |
|---|---|---|
| React/Next.js | HackTricks + PayloadsAllTheThings | Prototype pollution, DOM XSS, SSRF via SSR |
| GraphQL | HackTricks GraphQL + clairvoyance | Introspection, batching, alias abuse, field-level authz |
| OAuth/OIDC | HackTricks OAuth + OWASP cheatsheet | Token theft, redirect manipulation, scope escalation |
| JWT | HackTricks JWT + jwt_tool | None alg, RS256→HS256, kid injection |
| AWS/S3 | HackTricks Cloud + cloud_enum | Bucket takeover, IAM abuse, SSRF to metadata |
| Spring Boot | PayloadsAllTheThings + HackTricks | Actuator exposure, SSTI, deserialization |
| WordPress | HackTricks + WPScan | REST API abuse, plugin vulns, xmlrpc |
| Mobile App | OWASP MAS + Frida + objection | SSL pinning bypass, deeplink injection, local storage |
Methodology:
Payloads:
Tools:
Include relevant references in the attack_plan.md for each priority target.
| Error | Recovery |
|---|---|
| Playwright fails to load page | Retry once, then fall back to Perplexity + WebSearch only |
| HackerOne returns 403/404 | Program may be private or handle is wrong — ask user to verify |
| No scope tables found | Try /policy_scopes URL directly, or extract from policy text |
| Rate limited | Wait 30s and retry |
| Cloudflare challenge | Use browser_handle_dialog if prompted, or wait for challenge to pass |
| Empty page after load | Increase wait time to 30s, scroll to trigger lazy loading |
For parallel execution, delegate research tasks to agents:
osint-researcher — Company OSINT, employee enumeration, tech stack researchrecon-specialist-low — Quick tech fingerprint and DNS lookup on scope assetsBut the Playwright browsing must happen in the main context (MCP tools aren't available to subagents).
Before executing this skill:
.greyhatcc/scope.json — verify target is in scope, note exclusions.greyhatcc/hunt-state.json — check active phase, resume contextfindings_log.md, tested.json, gadgets.json — avoid duplicating workWhen delegating to agents via Task(), ALWAYS:
After completing this skill:
tested.json — record what was tested (asset + vuln class)gadgets.json — add any informational findings with provides/requires tags for chainingfindings_log.md — log any confirmed findings with severity