Bug bounty hunting used to be a hand-cramping cycle of ffuf, nuclei, httpx, and a forty-tab browser. This weekend I wired all of it behind one Claude Code agent and walked away with a draft report queued for HackerOne triage. Here is the architecture, the install, and what I learned in the first 90 minutes.
What Claude Bug Bounty Actually Is
Claude Bug Bounty is an open-source agent framework that hands Claude Code five specialized sub-agents:
| Sub-agent | Job |
|---|---|
| Recon | Subdomain enumeration, asset discovery, scope verification |
| Fuzzer | Endpoint discovery, parameter mining, auth-flow probing |
| Validator | PoC generation, severity scoring against CVSS 3.1 |
| Reporter | Markdown draft tuned for HackerOne / Bugcrowd templates |
| Triage | De-duplicates findings against known CVEs and prior reports |
The orchestrator decides which sub-agent to invoke based on the current state of the engagement. You drive it with plain English ("start with passive recon on this scope") instead of bash incantations.
60-Second Install
```bash
npm install -g @anthropic-ai/claude-code
git clone https://github.com/gptaiclips/claude-bug-bounty
cd claude-bug-bounty
cp .env.example .env   # add HACKERONE_API_TOKEN, BUGCROWD_API_TOKEN
claude
```
Claude Code picks up the sub-agent definitions in .claude/agents/ automatically. Type /recon https://target.example.com and it begins. Keep .env out of version control (check that the repository's .gitignore lists it): the platform tokens in it are credentials for your HackerOne and Bugcrowd accounts.
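Before /recon fires off any tool, the Recon sub-agent's first job is scope verification, and the ethics section below says the framework refuses targets outside a recognized program. Here is what that gate looks like as ordinary code, added as an illustration rather than taken from the framework. The scope entries and targets are constructed, and the entry formats it understands (exact hosts and *.domain wildcards, no CIDR ranges) are an assumption about how a program page is written. The point of the example is the parsing: a gate that substring-matches the raw URL is fooled by userinfo, path and lookalike-domain tricks, so the hostname is extracted properly first.

```python
"""Scope gate that refuses a target before any recon tool touches it.

Added example, not the framework's own code. Assumes program scope is
written as HackerOne/Bugcrowd-style entries: exact hosts ("api.example.org")
and subdomain wildcards ("*.example.com"). CIDR ranges are not handled.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit


def host_of(target: str) -> str:
    """Extract the normalised hostname from a URL or bare host[:port].

    Parsing with urlsplit (rather than string matching on the raw input)
    defeats lookalike inputs such as https://example.com@evil.net/ where
    the in-scope name is only userinfo, or http://evil.net/example.com
    where it is only a path.
    """
    if "://" not in target:
        target = "//" + target  # urlsplit needs a netloc marker for bare hosts
    host = urlsplit(target).hostname or ""  # userinfo, port and path are dropped
    return host.lower().rstrip(".")


def entry_matches(host: str, entry: str) -> bool:
    """Exact match, or strict subdomain match for a '*.' wildcard entry.

    '*.example.com' covers 'a.example.com' and 'a.b.example.com' but neither
    the apex 'example.com' (programs list it separately when it is in scope)
    nor lookalikes such as 'example.com.evil.net' or 'evil-example.com'.
    """
    entry = entry.lower().rstrip(".")
    if entry.startswith("*."):
        return host.endswith("." + entry[2:])
    return host == entry


@dataclass
class Scope:
    in_scope: list[str]
    out_of_scope: list[str] = field(default_factory=list)

    def check(self, target: str) -> tuple[bool, str]:
        """Return (allowed, reason). Out-of-scope entries win over in-scope ones."""
        host = host_of(target)
        if not host:
            return False, f"cannot parse a hostname from {target!r}"
        if any(entry_matches(host, e) for e in self.out_of_scope):
            return False, f"{host} is explicitly out of scope"
        if any(entry_matches(host, e) for e in self.in_scope):
            return True, f"{host} is in scope"
        return False, f"{host} is not covered by any in-scope entry"


def allowed(target: str, scope: Scope) -> bool:
    """The boolean an orchestrator would test before invoking the Recon sub-agent."""
    return scope.check(target)[0]


# Constructed scope for the demonstration; not a real program's policy.
DEMO_SCOPE = Scope(
    in_scope=["*.example.com", "example.com", "api.example.org"],
    out_of_scope=["legacy.example.com", "*.corp.example.com"],
)

if __name__ == "__main__":
    for t in [
        "https://target.example.com",
        "https://example.com",
        "api.example.org:8443",
        "https://legacy.example.com/admin",
        "https://dev.corp.example.com",
        "https://example.com@evil.net/",
        "https://example.com.evil.net",
        "https://evil-example.com",
    ]:
        ok, why = DEMO_SCOPE.check(t)
        print(f"{'ALLOW ' if ok else 'REFUSE'} {t:40} {why}")
```

Two design choices matter here: out-of-scope entries are checked first so an exclusion like legacy.example.com cannot be overridden by the broader *.example.com wildcard, and a wildcard never matches the apex domain, because programs that want the apex tested list it explicitly.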
The Important Ethics Block
Running this tool is only lawful against targets whose owners have explicitly authorized testing: HackerOne / Bugcrowd / Intigriti / YesWeHack scopes you have been invited to, or your own assets. Pointing it at a random site is unauthorized access. The framework intentionally refuses targets that are not in a recognized program list, but treat that check as a safety net, not a substitute for reading the program's scope page and rules before you start (excluded endpoints, rate limits, and any restriction on automated scanning).
What 90 Minutes Got Me
- 47 subdomains across the in-scope program
- 3 candidate IDORs (2 confirmed via the Validator sub-agent)
- 1 draft report at Medium severity (CVSS 6.5), submitted for triage
- Payouts in this program: $250 (Low) → $15,000 (Critical)
The Reporter sub-agent's draft was good enough that I made two wording edits and submitted. That is the part that surprised me — the report quality is what usually delays a payout, not the finding itself.
Full Walk-Through
The long-form video covers recon, fuzzing, validation, and reporting end-to-end, plus the payout math for HackerOne vs Bugcrowd vs Intigriti:
Free install guide (.env template, scope policy, agent prompts): gptaiclips.com/go/ep59
What is your first target program going to be? Drop it in the comments — I am tracking which scopes are most agent-friendly.