Skill

hackerone

Automates HackerOne bug bounty workflows: parses scope CSVs, deploys parallel pentesting agents per asset, validates PoCs with poc.py and output, generates submission reports. Use for HackerOne program testing.

Python

security

npx claudepluginhub transilienceai/communitytools

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Automates HackerOne workflows: scope parsing → parallel testing → PoC validation → submission reports.

Supporting Assets

reference/INTEGRATION_GUIDE.mdreference/sensitive-data-tracking.mdtools/__init__.pytools/csv_parser.pytools/report_validator.pytools/sensitive_data_tracker.py

SKILL.md

Similar Skills

hackenproof-triage-marketplace

Triages HackenProof bug bounty reports: validates scope, commit/version, PoC evidence, duplicates; assigns severity, state, labels, and comments.

4 files

hackenproof-triage

hackenproof-bulk-triage

Bulk triages open reports across assigned HackenProof programs: discovers reports via API, syncs local git repos, analyzes each, outputs structured recommendations for human review.

2 files

hackenproof-bulk-triage

coordination

223

Orchestrates penetration testing workflow by spawning executor and validator agents, managing attack-chain.md, experiments.md, recon, and validation for security engagements.

9 files

communitytools

Stats

Stars223

Forks44

Last CommitApr 9, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

HackerOne Bug Bounty Hunting

Automates HackerOne workflows: scope parsing → parallel testing → PoC validation → submission reports.

Quick Start

1. Input: HackerOne program URL or CSV file
2. Parse scope and program guidelines
3. Deploy Pentester agents in parallel (one per asset)
4. Validate PoCs (poc.py + poc_output.txt required)
5. Generate HackerOne-formatted reports

Workflows

Option 1: HackerOne URL

- [ ] Fetch program data and guidelines
- [ ] Download scope CSV
- [ ] Parse eligible assets
- [ ] Deploy agents in parallel
- [ ] Validate PoCs
- [ ] Generate submissions

Option 2: CSV File

- [ ] Parse CSV scope file
- [ ] Extract eligible_for_submission=true assets
- [ ] Collect program guidelines
- [ ] Deploy agents
- [ ] Validate and generate reports

Scope CSV Format

Expected columns:

identifier - Asset URL/domain
asset_type - URL, WILDCARD, API, CIDR
eligible_for_submission - Must be "true"
max_severity - critical, high, medium, low
instruction - Asset-specific notes

Use tools/csv_parser.py to parse.

Agent Deployment

Coordinator per asset — spawned inline using role prompts:

coordinator_role = Read("skills/coordination/SKILL.md")
Agent(prompt=f"{coordinator_role}\n\nTARGET: {asset_url}\nSCOPE: {program_guidelines}\nOUTPUT_DIR: ...",
      run_in_background=True)

Parallel Execution:

10 assets = 10 coordinator agents in parallel
Each spawns executor agents from skills/coordination/reference/executor-role.md
Time: 2-4 hours vs 20-40 sequential

PoC Validation (CRITICAL)

Every finding MUST have:

poc.py - Executable exploit script
poc_output.txt - Timestamped execution proof
workflow.md - Manual steps (if applicable)
Evidence screenshots/videos

Experimentation: Test edge cases, verify impact, document failures.

Report Format

Required sections (HackerOne standard):

Summary (2-3 sentences)
Severity (CVSS + business impact)
Steps to Reproduce (numbered, clear)
Visual Evidence (screenshots/video)
Impact (realistic attack scenario)
Remediation (actionable fixes)

Use tools/report_validator.py to validate.

Output Structure

Per OUTPUT.md - Bug Bounty format:

{OUTPUT_DIR}/
├── findings/
│   ├── finding-001/
│   │   ├── report.md           # HackerOne report
│   │   ├── poc.py              # Validated PoC
│   │   ├── poc_output.txt      # Proof
│   │   └── workflow.md         # Manual steps
├── reports/
│   ├── submissions/
│   │   ├── H1_CRITICAL_001.md  # Ready to submit
│   │   └── H1_HIGH_001.md
│   └── SUBMISSION_GUIDE.md
└── evidence/
    ├── screenshots/
    └── http-logs/

Program Selection

High-Value:

New programs (< 30 days)
Fast response (< 24 hours)
High bounties (Critical: $5,000+)
Large attack surface

Avoid:

Slow response (> 1 week)
Low bounties (Critical: < $500)
Overly restrictive scope

Critical Rules

MUST DO:

Validate ALL PoCs before reporting
Sanitize sensitive data
Test only eligible_for_submission=true assets
Follow program-specific guidelines
Generate CVSS scores

NEVER:

Report without validated PoC
Test out-of-scope assets
Include real user data
Cause service disruption

Quality Checklist

Before submission:

Tools

tools/csv_parser.py - Parse HackerOne scope CSVs
tools/report_validator.py - Validate report completeness
skills/coordination/SKILL.md — Coordinator skill (spawns executors/validators)

Integration

Uses skills/coordination/SKILL.md for coordination workflow. Follows OUTPUT.md for submission format.

Common Rejections

Out of Scope: Check eligible_for_submission=true Cannot Reproduce: Validate PoC, include poc_output.txt Duplicate: Search disclosed reports, submit quickly Insufficient Impact: Show realistic attack scenario

Usage

/hackerone <program_url_or_csv_path>