Use at the START of any bug bounty hunting session, when switching targets, or when feeling lost about what to do next. Master orchestrator that combines the 5-phase non-linear hunting workflow with the critical thinking framework (developer psychology, anomaly detection, What-If experiments). Routes to all other skills based on current hunting phase. Also use when asking "what should I do next" or "where am I in the process."
インストール
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
Use at the START of any bug bounty hunting session, when switching targets, or when feeling lost about what to do next. Master orchestrator that combines the 5-phase non-linear hunting workflow with the critical thinking framework (developer psychology, anomaly detection, What-If experiments). Routes to all other skills based on current hunting phase. Also use when asking "what should I do next" or "where am I in the process."
Bug Bounty Methodology: Workflow + Mindset
Master orchestrator for hunting sessions. Combines the 5-phase non-linear workflow with the critical thinking framework that separates top 1% hunters from the rest.
PART 1: MINDSET (How to Think)
Core Principle
Hunting is not "find a bug" -- it is "prove an attack scenario." Think like an attacker with a specific goal, not a scanner looking for patterns.
Daily Discipline: Define, Select, Execute
Before touching any tool:
Define: "Today I target [feature/domain] to achieve [CIA impact]"
Goal: Prove maximum business impact. Turn Low into Critical.
Escalation decision:
What did you find?
+-- XSS
| +-- Can steal cookie/token? -> Session hijack -> ATO
| +-- Cookie is HttpOnly? -> Force email change via XHR -> ATO
| +-- Self-XSS only? -> Find CSRF to trigger it
+-- IDOR
| +-- Can read PII? -> Automate scraping, show scale
| +-- Can change password/email? -> Direct ATO
| +-- UUID only? -> Find UUID leak source, then retry
+-- SSRF
| +-- DNS only? -> DON'T REPORT. Try cloud metadata
| +-- Can reach 169.254.169.254? -> Extract keys -> RCE
| +-- Internal port scan? -> Find Redis/K8s -> RCE
+-- SQLi
| +-- Error-based? -> Extract data (passwords, tokens)
| +-- Can INTO OUTFILE? -> Web shell -> RCE
| +-- Blind? -> Boolean/Time extraction
+-- Open Redirect
| +-- OAuth flow? -> Token theft -> ATO
| +-- javascript: scheme? -> XSS
+-- Blocked by defense
| -> Bypass (WAF/CSP/proxy/sanitizer/2FA)
+-- Low-impact, can't escalate alone
-> Find connector gadget for chain
After proving impact, check:
Can attack work with 0-1 clicks? (minimize prerequisites)
Does it affect all users or specific role?
What's the business $ impact?
Phase 5: VALIDATE & REPORT
Goal: Get paid. Make triager's job easy.
Pre-report gate (run ALWAYS — even if user didn't type /validate):
7-Question Gate:
Q1: Have exact HTTP request + actual response? (code reading alone = KILL)
OSS exception: code path traced + deployed version confirmed passively
Q2: Impact type accepted by program?
Q3: Asset in scope? (verified RIGHT NOW, not from memory)
Q4: No admin-only precondition?
Q5: Not known/documented behavior?
Q6: Proven beyond "technically possible"? (real data, not just 200 OK)
Q7: Not on never-submit list without a chain?
+-- All 7 pass? -> Run rejection prevention check, then write report
+-- Any fail? -> KILL the finding. Don't waste time.
Rejection prevention (5 platform rejection reasons — prevent BEFORE writing):
NOT REPRODUCIBLE: reproduced 2+ times from fresh session, curl command copy-pasteable
INFORMATIONAL: CVSS >= 4.0, or confirmed chain step reaching 4.0
OUT OF SCOPE: exact domain on scope page right now, not third-party
SPAM/DUPLICATE: searched Hacktivity + GitHub issues + recent disclosed reports
INVALID: adversarial skeptic run, framework FP checked, not documented behavior
Report (run even if user just says "write me a report" without /report):
+-- Platform-specific format (H1/Bugcrowd/Intigriti/Immunefi)
+-- Title: [Bug Class] in [Endpoint] allows [role] to [impact]
+-- Impact-first summary (sentence 1 = what attacker CAN do RIGHT NOW)
+-- Exact copy-pasteable HTTP request in Steps to Reproduce
+-- Actual response showing impact (not just 200 OK)
+-- Under 600 words
+-- CVSS 3.1 score that MATCHES actual impact (no overclaiming)
+-- No theoretical language: never "could potentially", "may allow"
After submission:
While waiting for triage: try to escalate further (A->B signal method)
If fix deployed: re-test for bypass (incomplete patch = new bug)
Record finding with /remember for hunt memory
PART 3: NAVIGATION & TIMING
Non-Linear Navigation Quick Reference
I'm stuck because...
Go to...
Can't find any subdomains
Phase 1: Try different recon sources, Google Dorks
Found subdomain but don't know what to test
Phase 2: Map the app, download JS, understand auth
Testing but nothing works
Phase 3: Switch vuln class (20-min rotation rule)
Found a bug but impact is low
Phase 4: Escalation paths or gadget chaining
WAF/CSP/403 blocking my payload
Bypass techniques, then return to current phase
Been stuck for 45 min on one param
STOP. Rabbit hole. Move to next endpoint.
New API endpoint discovered during testing
Return to Phase 2: map it before attacking
Found one bug
A->B signal: same dev made more mistakes. Hunt 20 min for siblings.
20-Minute Rotation Clock
Every 20 minutes ask yourself: "Am I making progress?"
Yes -> Continue
No -> Rotate to next: endpoint -> subdomain -> vuln class -> target
Been on same target 2+ weeks with no findings? -> Consider switching program
Tool Routing by Phase
Phase
Tools
Why this order
Recon: Subdomains
subfinder -> amass -> puredns -> httpx
Passive first (no detection) -> resolve DNS -> probe HTTP + tech stack
Recon: URLs
gau + waymore -> katana -> uro
Archive (forgotten endpoints) -> active crawl (JS-rendered) -> deduplicate
Recon: JS
jsluice + mantra + trufflehog --only-verified
Extract URLs/secrets -> find API keys -> verify keys actually work
Recon: Ports
naabu (wide) -> rustscan (deep)
Fast top-1000 sweep -> full 65535 on interesting targets
Recon: Scan
nuclei -tags cve -> nuclei -tags takeover
Known CVEs first -> then takeover (act immediately)