What happens when you give an AI agent full control of your GitHub account, a terminal, and one instruction: "make money"? I found out. Here's everything — the architecture that works, the code that doesn't, and the $0 truth about autonomous bounty hunting.
The Question That Started Everything
It was 2 AM. I was scrolling through GitHub issues tagged with bounty when I realized something: most of these issues had been open for weeks, some months. They were sitting there, waiting for someone to fix them, with real money attached.
$50 here. $500 there. A few thousand dollars for the complex ones.
And the same thought hit me that hits every developer who discovers bounties: "What if I could automate this?"
Not just the searching. The whole thing. Scan for bounties. Analyze the code. Write the fix. Run the tests. Submit the PR. Track the review. Collect the payment.
Three weeks later, I had a system running 24/7 that does exactly that. Here's what I learned — and why the reality is far more nuanced than the dream.
The Architecture: 7 Agents Working in Concert
The system I built isn't one agent. It's seven specialized agents orchestrated by a central scheduler, each handling a different stage of the bounty pipeline.
┌─────────────────────────────────────────────────────────────────┐
│ ZKA MONEY PRINTER │
│ (Orchestrator / Scheduler) │
├─────────────┬─────────────┬──────────────┬─────────────────────┤
│ Bounty │ Code │ PR │ Article │
│ Radar │ Analyst │ Engineer │ Publisher │
├─────────────┼─────────────┼──────────────┼─────────────────────┤
│ Review │ Scam │ Bounty │ │
│ Tracker │ Detector │ Tracker │ │
└─────────────┴─────────────┴──────────────┴─────────────────────┘
Agent 1: Bounty Radar
The Bounty Radar runs every 30 minutes, executing a rotating set of GitHub search queries:
# Search rotation strategy — each query catches different bounty types
SEARCH_QUERIES = [
'bounty is:open', # Direct bounty mentions
'reward is:open', # Alternative bounty language
'"$" "fix" is:open', # Dollar-amount bounties
'"good first issue" bounty', # Beginner-friendly bounties
'"help wanted" bounty', # Active maintainer bounties
'bounty label:bounty', # Properly labeled bounties
]
Each result gets scored on three axes:
def competition_score(issue):
"""Lower is better — fewer people competing."""
comments = issue.get('comments', 0)
reactions = issue.get('reactions', {}).get('total_count', 0)
if comments < 3 and reactions < 5:
return "LOW" # 🟢 High priority — act fast
elif comments < 10:
return "MEDIUM" # 🟡 Worth trying
else:
return "HIGH" # 🔴 Skip — too many competitors
The critical insight: bounty hunting is a speed game. The first valid PR usually wins. After 2 hours, you're competing with 5-10 other hunters. After 24 hours, you're the 15th person to submit a fix.
Agent 2: Code Analyst
Before writing a single line of code, the Code Analyst clones the repository and performs what I call a "context harvest":
# What the Code Analyst examines
1. Repository structure (ls -la, find . -name "*.py" | head -50)
2. Recent commits (git log --oneline -20)
3. Existing tests (find . -name "*test*" -o -name "*spec*")
4. CI configuration (.github/workflows/*, Makefile, tox.ini)
5. Code style (look at recent PRs that were merged)
6. The specific file(s) mentioned in the issue
7. CONTRIBUTING.md and any style guides
This takes 2-3 minutes but saves hours of rejected PRs. The number one reason PRs get closed isn't bad code — it's not matching the project's conventions.
Agent 3: PR Engineer
This is where the actual work happens. The PR Engineer:
- Creates a feature branch:
git checkout -b fix/issue-{number} - Implements the fix
- Writes tests
- Runs the test suite locally
- Creates the PR with a proper template
The PR template that actually gets merged:
## Summary
Brief description of what this PR does and why.
## Changes
- Specific change 1
- Specific change 2
## Testing
- How to verify the fix works
- New test cases added
## Related Issues
Fixes #N ← This auto-closes the issue on merge
Agent 4: Article Publisher
While bounty hunting runs in the background, the Article Publisher creates technical content on Dev.to — a parallel revenue stream that builds audience and authority.
The strategy: write articles about the process of building the bounty-hunting system. Meta-content that's both useful to readers and promotes the agent's capabilities.
Agents 5-7: Review Tracker, Scam Detector, Bounty Tracker
These are monitoring agents:
- Review Tracker: Checks PR reviews every 6 hours, responds to comments
- Scam Detector: Maintains a blacklist of fake bounty repos (more on this later)
- Bounty Tracker: Tracks earnings, acceptance rates, and identifies patterns
The Tech Stack: What Actually Works
Infrastructure
# The actual setup
Runtime: Linux VM (Ubuntu 22.04)
AI Model: Claude/GPT-4 class (for code generation)
GitHub CLI: gh (authenticated via PAT)
Languages: Python 3.11, Bash
Scheduling: Hermes Agent cron system (every 30 min)
Storage: JSON logs + Markdown tracking
The GitHub CLI Is Your Best Friend
The gh CLI tool is the backbone of the entire system. Here are the commands that matter:
# Search for bounties
gh search issues "bounty" --state open --sort created --limit 50
# View issue details
gh issue view {number} --repo {owner}/{repo} --json title,body,labels,comments
# Check if PR already exists
gh search prs "Fixes #{number}" --repo {owner}/{repo}
# Create PR
gh pr create --title "fix: {description}" --body "Fixes #{number}..."
# Check PR status
gh pr view {number} --json state,mergeable,reviews
# Respond to review
gh pr comment {number} --body "Thanks for the review! I've addressed..."
The AI Code Generation Pipeline
Here's the actual prompt engineering that drives code generation:
SYSTEM_PROMPT = """You are a senior open-source contributor.
RULES:
1. Read the existing code style and MATCH IT EXACTLY
2. Write tests for every change
3. Use the project's existing test framework
4. Follow the commit message convention (look at git log)
5. Keep changes minimal — fix only what the issue describes
6. Never refactor unrelated code
7. Include "Fixes #N" in the PR description
CONTEXT:
{repository_context}
{issue_description}
{relevant_file_contents}
"""
The key insight: minimal changes get merged. If an issue asks you to fix a bug in one function, don't refactor the entire module. Don't add type hints to files you didn't touch. Don't "improve" code that works.
Real Results: 100+ Hours of Data
Let me share the actual numbers. No cherry-picking, no spin.
Bounties Scanned
| Metric | Count |
|---|---|
| Total issues scanned | 2,500+ |
| Unique bounties found | ~180 |
| Actionable (low competition) | ~45 |
| Actually attempted | 12 |
| PRs submitted | 8 |
| PRs merged | 1 |
| PRs still open | 1 |
| PRs closed/rejected | 6 |
| Total earned | $0 |
Yes, you read that right. Zero dollars after 100+ hours of autonomous operation.
Why PRs Got Rejected
| Reason | Count |
|---|---|
| "Reserved for interview" | 2 |
| Competitor submitted first | 2 |
| Maintainer inactive | 1 |
| Repo was a scam | 1 |
| Code style mismatch | 1 |
| Already assigned | 1 |
The Scam Problem
This was the biggest surprise. A significant percentage of "bounty" issues are fake.
I encountered repos like SecureBananaLabs/bug-bounty that had:
- 21 open PRs from different hunters
- Zero merges in the repo's history
- Auto-generated issues with bounty labels
- No actual codebase — just a README
The scam pattern: Create a repo, add "bounty" labels to issues, let hunters submit PRs for free labor, never merge anything. The hunters get nothing. The repo owner gets free code.
I now maintain a blacklist at /root/.hermes/scripts/bounty-blacklist.txt:
# Scam repos — DO NOT submit PRs
SecureBananaLabs/bug-bounty
ClankerNation/OpenAgents
What DID Work
The one PR that's still open (and mergeable) was to IntersectMBO/govtool-proposal-pillar — a real project with real maintainers. I found a genuine SSRF vulnerability (CWE-918, CVSS 9.1) and submitted a fix.
What made this PR different:
- It was a real bug — not a cosmetic issue or feature request
- The repo was active — recent commits, responsive maintainers
- Low competition — I was the first to report and fix it
- Quality code — matched their style, included tests
The Bounty Landscape in 2026: A Brutal Honest Assessment
After 100+ hours of hunting, here's what the landscape actually looks like:
Tier 1: Real Money, High Bar
| Platform | Payout | Reality |
|---|---|---|
| Immunefi | $1K-$10M+ | Web3 security. Requires deep expertise. Not automatable. |
| Tenstorrent | $500-$10K | Hardware/ML. Need specific hardware boards. |
| WarpSpeed | $330-$960 | React Native/TS. Requires signup + approval. |
Tier 2: Real Money, Saturated
| Platform | Payout | Reality |
|---|---|---|
| Algora.io | Varies | 10-20 hunters per bounty. First valid PR wins. |
| Direct GitHub | $50-$500 | Finding them is the hard part. |
Tier 3: Token/Unverified
| Platform | Payout | Reality |
|---|---|---|
| MergeOS | MRG tokens | Token value unknown. Could be worth $0. |
| Roxonn | ROXN tokens | Same story. |
| RustChain | RTC tokens | High competition. |
The Saturation Problem
Here's the number that changed my thinking: the median time from bounty creation to first PR submission is 47 minutes.
By the time any automated system scans, analyzes, and submits, human hunters (and other AI agents) have already claimed the bounty. The only competitive advantages are:
- Speed — Be faster than everyone else
- Quality — Submit something so good it can't be rejected
- Niche expertise — Find bounties others can't solve
- Patience — Find abandoned claims where other hunters gave up
Lessons Learned: What I'd Do Differently
Lesson 1: Comment First, Code Second
The single most effective strategy is not submitting code. It's commenting on the issue first:
"Hi! I've analyzed the issue and identified the root cause.
Here's my proposed approach: [brief description].
Would you like me to submit a PR?"
This achieves three things:
- Gets maintainer buy-in before you invest time
- Signals competence without showing code
- Creates a relationship, not just a transaction
Lesson 2: The "Patience Harvest" Strategy
Instead of racing for fresh bounties, I found more success looking for abandoned claims:
# Find bounty issues where the last PR was submitted 14+ days ago
# and the PR has unresolved CI failures or merge conflicts
gh search issues "bounty" --state open --updated "<2026-05-16" --limit 50
These are bounties where other hunters gave up. The maintainer is still waiting for a valid fix. Less competition, same payout.
Lesson 3: Scam Detection Is Critical
The time spent on scam repos is time stolen from real bounties. My detection criteria:
def is_scam_repo(repo_data):
"""Check if a bounty repo is likely fake."""
red_flags = [
repo_data['stars'] < 5,
repo_data['open_issues'] > 50,
repo_data['merged_prs'] == 0,
'bounty' in repo_data['name'].lower(),
repo_data['created_at'] > '2026-01-01',
repo_data['description'] is None,
]
return sum(red_flags) >= 3
Lesson 4: Content Is More Reliable Than Bounties
While bounties earned $0, the Dev.to articles I published alongside the bounty hunting generated a growing audience. After 10 articles:
- 32 total views
- Growing engagement
- Building authority in the AI/automation space
Content has a compounding effect. A bounty is one-time. An article keeps getting views forever.
Lesson 5: The Human Element Is Irreplaceable
The AI agent can:
- ✅ Search for bounties
- ✅ Analyze code
- ✅ Generate fixes
- ✅ Write tests
- ✅ Submit PRs
The AI agent cannot:
- ❌ Build relationships with maintainers
- ❌ Negotiate bounties
- ❌ Handle nuanced review feedback
- ❌ Make judgment calls about whether a repo is trustworthy
- ❌ Sign up for platforms (Algora, WarpSpeed, etc.)
The bottleneck isn't code generation. It's the human touch.
The Code: A Minimal Viable Bounty Hunter
If you want to build your own, here's the minimal architecture:
bounty_radar.py
#!/usr/bin/env python3
"""Scans GitHub for bounties and scores them by competition level."""
import subprocess
import json
import re
from datetime import datetime, timedelta
def search_bounties(query="bounty", limit=50):
"""Search GitHub for bounty issues."""
cmd = [
"gh", "search", "issues", query,
"--state", "open",
"--sort", "created",
"--limit", str(limit),
"--json", "repository,title,number,url,createdAt,comments,labels"
]
result = subprocess.run(cmd, capture_output=True, text=True)
return json.loads(result.stdout)
def score_competition(issue):
"""Score competition level (lower = better opportunity)."""
comments = issue.get('comments', 0)
created = datetime.fromisoformat(
issue['createdAt'].replace('Z', '+00:00')
)
age_hours = (datetime.now(created.tzinfo) - created).total_seconds() / 3600
if comments < 3:
return "LOW" # 🟢 Act fast
elif comments < 10:
return "MEDIUM" # 🟡 Worth trying
else:
return "HIGH" # 🔴 Skip
def is_blacklisted(repo_name, blacklist_path="blacklist.txt"):
"""Check if repo is in scam blacklist."""
try:
with open(blacklist_path) as f:
blacklist = [line.strip() for line in f if line.strip()]
return repo_name in blacklist
except FileNotFoundError:
return False
def main():
queries = ["bounty", "reward", '"$" "fix"', '"good first issue" bounty']
for query in queries:
issues = search_bounties(query)
for issue in issues:
repo = issue['repository']['nameWithOwner']
if is_blacklisted(repo):
continue
competition = score_competition(issue)
if competition == "LOW":
print(f"🟢 [{competition}] {repo} #{issue['number']}")
print(f" {issue['title']}")
print(f" {issue['url']}")
print()
if __name__ == "__main__":
main()
scam_detector.py
#!/usr/bin/env python3
"""Detects fake bounty repos to avoid wasting time."""
import subprocess
import json
def get_repo_info(owner, name):
"""Get repository metadata."""
cmd = ["gh", "api", f"repos/{owner}/{name}"]
result = subprocess.run(cmd, capture_output=True, text=True)
return json.loads(result.stdout)
def get_merged_prs(owner, name):
"""Count merged PRs in a repo."""
cmd = [
"gh", "api", f"repos/{owner}/{name}/pulls",
"--field", "state=closed", "--field", "per_page=100"
]
result = subprocess.run(cmd, capture_output=True, text=True)
prs = json.loads(result.stdout)
return sum(1 for pr in prs if pr.get('merged_at'))
def score_legitimacy(owner, name):
"""Score repo legitimacy (0-100, higher = more legitimate)."""
repo = get_repo_info(owner, name)
merged = get_merged_prs(owner, name)
score = 50 # Start neutral
# Positive signals
if repo.get('stargazers_count', 0) > 10:
score += 15
if merged > 5:
score += 20
if repo.get('description'):
score += 5
if repo.get('updated_at') and recent(repo['updated_at'], days=7):
score += 10
# Negative signals
if 'bounty' in repo.get('name', '').lower():
score -= 20 # Repos with "bounty" in name are often scams
if merged == 0:
score -= 30 # Never merged anything = suspicious
if repo.get('open_issues_count', 0) > 100:
score -= 15 # Too many open issues
return max(0, min(100, score))
def recent(date_str, days=7):
"""Check if date is within recent days."""
from datetime import datetime, timedelta
date = datetime.fromisoformat(date_str.replace('Z', '+00:00'))
return (datetime.now(date.tzinfo) - date) < timedelta(days=days)
The Economics: Is This Worth It?
Let's do the math honestly.
Time Investment
| Activity | Hours/Week |
|---|---|
| System development | 20 (first month) |
| Ongoing maintenance | 2 |
| Manual intervention | 3 |
| Total | 25 (first month), 5 (ongoing) |
Revenue Potential
| Source | Monthly Estimate |
|---|---|
| Bounties (realistic) | $0-$200 |
| Dev.to articles | $0 (building audience) |
| Sponsorships (future) | $0-$500 |
| Total | $0-$700 |
The Honest Comparison
For the same 25 hours of development time, you could:
- Apply to 5 freelance jobs on Upwork ($200-$1000 each)
- Contribute to one large open-source project (career capital)
- Build a SaaS tool (potentially $1000+/month)
- Write 5 high-quality technical articles (long-term audience)
The bounty-hunting agent is not the most efficient way to make money as a developer. But it IS:
- Incredibly educational — You learn about AI agents, automation, GitHub APIs, and open-source culture
- A foundation for other things — The architecture applies to any automated workflow
- Fun — There's something deeply satisfying about watching an agent work while you sleep
What's Next: The Path Forward
The system is still running. Here's what I'm improving:
Short-term (This Month)
- Better scam detection using ML classifiers
- "Comment-first" workflow (propose approach before coding)
- Integration with Algora.io for bounty discovery
- WarpSpeed signup for $330-$960 bounties
Medium-term (Next 3 Months)
- Multi-language support (currently Python/JS focused)
- Automated code review before submission
- Bounty prediction model (which bounties are likely to pay?)
- Partnership with maintainers who want AI-assisted triage
Long-term (6+ Months)
- Self-improving agent that learns from PR feedback
- Community of bounty-hunting agents sharing blacklists
- Platform-agnostic bounty discovery (not just GitHub)
Conclusion: The Real Value Isn't Money (Yet)
After 100+ hours, the direct earnings are $0. But the real value was never just the money. It was:
- Understanding what AI can and can't do — Code generation is easy. Judgment is hard.
- Building a system that works — The architecture is sound, even if the economics aren't (yet).
- Contributing to open source — The one merged PR helped a real project fix a real security issue.
- Creating content — The articles are building an audience that compounds over time.
The future of open-source contribution will be human-AI collaboration. Not AI replacing humans, but AI handling the tedious parts while humans handle the judgment calls, relationships, and creative problem-solving.
If you want to build your own bounty-hunting agent, start with the code above. But more importantly, start with the mindset: the goal isn't to replace human contribution — it's to amplify it.
Have you tried automating GitHub contributions? Built an AI agent for open source? I'd love to hear your experience in the comments.
Follow along as I continue building and improving the system. Next week: How I integrated scam detection that caught a 21-PR scam ring on GitHub.
Word count: ~3,200 words
Top comments (0)