home / skills / transilienceai / communitytools / hackerone

hackerone skill

needs review

/projects/pentest/.claude/skills/hackerone

This skill automates HackerOne workflows by parsing scope CSVs, deploying parallel pentest agents, validating PoCs, and generating ready-to-submit reports.

npx playbooks add skill transilienceai/communitytools --skill hackerone

Review the files below or copy the command above to add this skill to your agents.

Files (10)

SKILL.md

4.3 KB

---
name: hackerone
description: HackerOne bug bounty automation - parses scope CSVs, deploys parallel pentesting agents for each asset, validates PoCs, and generates platform-ready submission reports. Use when testing HackerOne programs or preparing professional vulnerability submissions.
---

# HackerOne Bug Bounty Hunting

Automates HackerOne workflows: scope parsing → parallel testing → PoC validation → submission reports.

## Quick Start

```
1. Input: HackerOne program URL or CSV file
2. Parse scope and program guidelines
3. Deploy Pentester agents in parallel (one per asset)
4. Validate PoCs (poc.py + poc_output.txt required)
5. Generate HackerOne-formatted reports
```

## Workflows

**Option 1: HackerOne URL**
```
- [ ] Fetch program data and guidelines
- [ ] Download scope CSV
- [ ] Parse eligible assets
- [ ] Deploy agents in parallel
- [ ] Validate PoCs
- [ ] Generate submissions
```

**Option 2: CSV File**
```
- [ ] Parse CSV scope file
- [ ] Extract eligible_for_submission=true assets
- [ ] Collect program guidelines
- [ ] Deploy agents
- [ ] Validate and generate reports
```

## Scope CSV Format

Expected columns:
- `identifier` - Asset URL/domain
- `asset_type` - URL, WILDCARD, API, CIDR
- `eligible_for_submission` - Must be "true"
- `max_severity` - critical, high, medium, low
- `instruction` - Asset-specific notes

Use `tools/csv_parser.py` to parse.

## Agent Deployment

**Pentester Agent** per asset:
- Passes program-specific guidelines
- Tests all vulnerability types
- Returns validated findings with PoCs

**Parallel Execution**:
- 10 assets = 10 Pentester agents
- Each spawns 30+ specialized agents
- Total: 300+ concurrent tests
- Time: 2-4 hours vs 20-40 sequential

## PoC Validation (CRITICAL)

**Every finding MUST have**:
1. `poc.py` - Executable exploit script
2. `poc_output.txt` - Timestamped execution proof
3. `workflow.md` - Manual steps (if applicable)
4. Evidence screenshots/videos

**Experimentation**: Test edge cases, verify impact, document failures.

## Report Format

Required sections (HackerOne standard):
1. Summary (2-3 sentences)
2. Severity (CVSS + business impact)
3. Steps to Reproduce (numbered, clear)
4. Visual Evidence (screenshots/video)
5. Impact (realistic attack scenario)
6. Remediation (actionable fixes)

Use `tools/report_validator.py` to validate.

## Output Structure

Per OUTPUT.md - Bug Bounty format:

```
outputs/<program>/
├── findings/
│   ├── finding-001/
│   │   ├── report.md           # HackerOne report
│   │   ├── poc.py              # Validated PoC
│   │   ├── poc_output.txt      # Proof
│   │   └── workflow.md         # Manual steps
├── reports/
│   ├── submissions/
│   │   ├── H1_CRITICAL_001.md  # Ready to submit
│   │   └── H1_HIGH_001.md
│   └── SUBMISSION_GUIDE.md
└── evidence/
    ├── screenshots/
    └── http-logs/
```

## Program Selection

**High-Value**:
- New programs (< 30 days)
- Fast response (< 24 hours)
- High bounties (Critical: $5,000+)
- Large attack surface

**Avoid**:
- Slow response (> 1 week)
- Low bounties (Critical: < $500)
- Overly restrictive scope

## Critical Rules

**MUST DO**:
- Validate ALL PoCs before reporting
- Sanitize sensitive data
- Test only `eligible_for_submission=true` assets
- Follow program-specific guidelines
- Generate CVSS scores

**NEVER**:
- Report without validated PoC
- Test out-of-scope assets
- Include real user data
- Cause service disruption

## Quality Checklist

Before submission:
- [ ] Working PoC with poc_output.txt
- [ ] Accurate CVSS score
- [ ] Step-by-step reproduction
- [ ] Visual evidence
- [ ] Impact analysis
- [ ] Remediation guidance
- [ ] Sensitive data sanitized

## Tools

- `tools/csv_parser.py` - Parse HackerOne scope CSVs
- `tools/report_validator.py` - Validate report completeness
- `/pentest` skill - Core testing functionality
- Pentester agent - Orchestrates testing

## Integration

Uses `/pentest` skill and Pentester agent. Follows OUTPUT.md for submission format.

## Common Rejections

**Out of Scope**: Check `eligible_for_submission=true`
**Cannot Reproduce**: Validate PoC, include poc_output.txt
**Duplicate**: Search disclosed reports, submit quickly
**Insufficient Impact**: Show realistic attack scenario

## Usage

```bash
/hackerone <program_url_or_csv_path>
```

Overview

This skill automates HackerOne bug bounty workflows end-to-end: parse program scope, run parallel pentesting agents per asset, validate proof-of-concepts (PoCs), and produce HackerOne-ready submission reports. It speeds up large-scope testing by running many specialized checks concurrently and enforces strict PoC and report quality requirements.

How this skill works

Provide a HackerOne program URL or a scope CSV and the skill parses eligible assets and program guidelines. It deploys a pentester agent per asset (each spawning specialized sub-agents) to test vulnerabilities in parallel, collects validated PoCs, and formats findings into platform-compliant reports. Built-in validators check PoC artifacts, CVSS scoring, reproduction steps, and evidence before generating submission files.

When to use it

Testing a HackerOne program with many assets or broad scope
Preparing professionally formatted, validated submissions for HackerOne
Speeding up reconnaissance and validation by parallelizing tests
Verifying PoC reproducibility and collecting timestamped proof
Generating consistent, submission-ready reports at scale

Best practices

Only test assets with eligible_for_submission=true in the scope CSV
Always include a working poc.py and a timestamped poc_output.txt for each finding
Sanitize or avoid including real user data and sensitive information
Follow program-specific guidelines and check max_severity limits
Run the report validator to ensure HackerOne format and completeness

Example use cases

Import a program URL, parse its CSV scope, and run parallel agents to find and validate vulnerabilities across 100+ assets
Submit a single high-severity finding with a validated PoC, CVSS score, step-by-step reproduction, and remediation guidance
Triage a large scope by filtering eligible assets and prioritizing targets by max_severity and attack surface
Rapid testing of new programs (high response probability) to capture early, high-value vulnerabilities

FAQ

What files are required for a valid PoC?

Every finding requires an executable poc.py, a timestamped poc_output.txt, workflow.md for manual steps if needed, and visual evidence (screenshots or video).

Can I test all assets in parallel?

Yes — the skill deploys one pentester agent per asset and spawns specialized sub-agents; resource limits and program rules should guide concurrency.