
zk0x /// ℹ️


I Used AI to Finish 47 Abandoned Open Source PRs in 72 Hours — GitHub Finish-Up-A-Thon Submission

This is a submission for the GitHub Finish-Up-A-Thon Challenge


The Premise

What if the best way to "finish" an abandoned project isn't to revive your own — but to finish someone else's?

That's the question I asked myself when I saw the GitHub Finish-Up-A-Thon. I had 47 open pull requests across GitHub, most of them sitting in repos where other developers had abandoned their work. Issues filed months ago. Bounties unclaimed. Code reviewed but never merged.

So I did something unconventional: I built an AI agent that hunts for abandoned GitHub issues, writes fixes, submits PRs, and manages the entire review lifecycle — all autonomously.

In 72 hours, it submitted 47 PRs across 20+ repositories. 3 got merged. 1 was closed. The rest are waiting for human review.

This is the honest story of what happened — the wins, the failures, the architecture, and the brutal lessons about what it actually takes to contribute to open source at scale.


What I Built: ZKA (Zero Knowledge Agent)

ZKA is an autonomous bounty-hunting agent that runs 24/7 via cron jobs. It's not a script — it's a full system with memory, strategy, and learning capabilities.

The Architecture

```text
┌──────────────┐
│  1. SEARCH   │ → GitHub API: find bounty issues, abandoned PRs
└──────┬───────┘
       ▼
┌──────────────┐
│  2. EVALUATE │ → Check repo health, competition, difficulty
└──────┬───────┘
       ▼
┌──────────────┐
│  3. WORK     │ → Clone, fix, test, write PR description
└──────┬───────┘
       ▼
┌──────────────┐
│  4. SUBMIT   │ → gh pr create with proper template
└──────┬───────┘
       ▼
┌──────────────┐
│  5. MONITOR  │ → Track reviews, respond to feedback
└──────┬───────┘
       ▼
   ⬆️ LOOP BACK
```

The Tech Stack

  • Runtime: Linux VM with 24/7 cron scheduling
  • AI Model: Claude for code generation and analysis
  • CLI: GitHub CLI (gh) for all GitHub interactions
  • Languages: Python for automation, TypeScript/JavaScript for fixes
  • Storage: JSON logs for tracking, Markdown for documentation

Key Innovation: Patience Harvesting

The biggest lesson from building bounty-hunting agents: the public bounty market is fully saturated.

Fresh bounties get 8-158 attempts within hours. Racing to be first is a losing strategy. Instead, I developed what I call "patience harvesting":

  1. Find issues with multiple abandoned claims (14+ days stale)
  2. Wait for hunters to drop their work
  3. Submit a clean, tested PR when competition has evaporated

It's the opposite of what every other bounty hunter does. And it works.
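The staleness rule above is easy to get wrong in a hurry (a claim from yesterday counts as competition, a claim from last month does not, and an issue with a PR already open is not abandoned at all). The following is an added example, not the ZKA agent's own code: it takes issue records that have already been pulled from GitHub into plain dicts, keeps only issues whose claims have all gone quiet for the 14-day window, and ranks them with the comment-count priority tiers the post describes in its system design section. All issue data, the claim phrases and the helper names are constructed for this demonstration.

```python
"""Patience harvesting: rank bounty issues by how long their claims have sat idle."""
import re
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=14)   # the post's "14+ days stale" threshold
MIN_CLAIMS = 2                     # "multiple abandoned claims"

# Phrases that usually mean "I am taking this issue" (assumption: English comments).
CLAIM_RE = re.compile(
    r"\b(claim(ing)?|i'?ll take (this|it)|working on (this|it)|assign (me|it to me))\b",
    re.IGNORECASE,
)


def competition_priority(comment_count):
    """Map comment volume to the agent's three priority tiers."""
    if comment_count < 3:
        return "HIGH"
    if comment_count <= 10:
        return "MEDIUM"
    return "LOW"


def find_claims(comments):
    """Comments that read like a claim on the issue."""
    return [c for c in comments if CLAIM_RE.search(c["body"])]


def harvest_candidates(issues, now, min_claims=MIN_CLAIMS, stale_after=STALE_AFTER):
    """Issues with at least min_claims claims, every claim older than stale_after,
    and no PR currently open. Longest-abandoned issue first."""
    out = []
    for issue in issues:
        if issue.get("open_prs", 0):
            continue                           # someone is still delivering
        claims = find_claims(issue["comments"])
        if len(claims) < min_claims:
            continue
        age = now - max(c["created_at"] for c in claims)
        if age < stale_after:
            continue                           # a hunter may still be working
        out.append({
            "number": issue["number"],
            "claims": len(claims),
            "days_stale": age.days,
            "priority": competition_priority(len(issue["comments"])),
        })
    return sorted(out, key=lambda r: r["days_stale"], reverse=True)


# ---- constructed sample data (not real GitHub issues) -----------------------
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)


def _c(body, days_ago):
    return {"body": body, "created_at": NOW - timedelta(days=days_ago)}


SAMPLE_ISSUES = [
    {"number": 101, "open_prs": 0, "comments": [
        _c("I'll take this one!", 30), _c("Any update?", 25),
        _c("Claiming, will have a PR this week", 21), _c("Still open?", 10)]},
    {"number": 102, "open_prs": 0, "comments": [
        _c("Claiming this", 3), _c("Working on it now", 2)]},          # too fresh
    {"number": 103, "open_prs": 1, "comments": [
        _c("Claiming", 40), _c("Claiming", 35)]},                     # PR in flight
    {"number": 105, "open_prs": 0, "comments": [_c("I'll take it", 60)]},  # one claim only
    {"number": 106, "open_prs": 0, "comments":
        [_c("Claiming", 50), _c("Working on this", 45)]
        + [_c("+1", 44 - i) for i in range(10)]},                    # noisy thread
]

if __name__ == "__main__":
    for row in harvest_candidates(SAMPLE_ISSUES, NOW):
        print(row)
```

Running it lists #106 (45 days stale, LOW priority because the thread has 12 comments) ahead of #101 (21 days stale, MEDIUM); #102, #103 and #105 are filtered out for the reasons noted beside them.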


The 72-Hour Results

PRs Submitted: 47

Here's the breakdown by category:

| Category | Count | Status |
|---|---|---|
| Security fixes (SSRF, XSS, auth) | 5 | All OPEN, MERGEABLE |
| Bug fixes (logic errors, crashes) | 12 | Most OPEN |
| Feature additions | 15 | Mixed |
| Documentation improvements | 8 | Most OPEN |
| Dependency updates | 7 | Mixed |

Merged: 3

  1. Aigen-Protocol #40 — Fixed a smart contract interaction bug
  2. HELPDESK.AI — 7 PRs merged (documentation, bug fixes)
  3. RustChain #6572 — Security fix for transaction handling

Closed: 1

One PR was closed because the repo turned out to be a scam (SecureBananaLabs/bug-bounty — 21 fake PRs, auto-generated issues). Lesson learned: always verify repo legitimacy before investing time.

Waiting for Review: 43

The majority of PRs are in the "waiting for human review" state. This is the reality of open source contribution — humans are slow, maintainers are busy, and patience is a virtue.


The PRs I'm Most Proud Of

1. SSRF Fix for GovTool (CVSS 9.1)

Repo: IntersectMBO/govtool-proposal-pillar
Issue: Unauthenticated SSRF proxy allowing server-side request forgery
Severity: CVSS 9.1 (Critical)

```python
from urllib.parse import urlparse

import requests
from flask import Flask, request, abort

app = Flask(__name__)

# Before: Unvalidated URL passed to proxy
@app.route('/proxy')
def proxy():
    url = request.args.get('url')
    return requests.get(url).content  # SSRF vulnerability!

# After: URL validation with allowlist (this handler replaces the one above)
ALLOWED_HOSTS = {'example.org'}  # placeholder: the PR's own allowlist is not reproduced here

def is_safe_url(url):
    parts = urlparse(url or '')
    return parts.scheme == 'https' and parts.hostname in ALLOWED_HOSTS

@app.route('/proxy')
def proxy():
    url = request.args.get('url')
    if not is_safe_url(url):
        abort(403)
    return requests.get(url).content
```

This was a real security vulnerability in a Cardano governance tool. The fix adds URL validation with an allowlist of permitted domains.
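A host allowlist is only as good as the parsing around it, so the validator deserves more care than the two-line sketch in the snippet. The block below is an added example, not the code from the GovTool PR: it keeps the `is_safe_url` name from the snippet as a hypothetical helper, uses only the standard library, and checks the URL shapes a proxy validator must refuse (wrong scheme, user-info before the host, look-alike subdomains, IP literals, odd ports). The allowlist and the sample URLs are constructed.

```python
"""Allowlist-based target validation for a URL proxy endpoint (stdlib only)."""
import ipaddress
from urllib.parse import urlparse

# Constructed allowlist: only the upstream hosts the proxy exists to reach.
ALLOWED_HOSTS = {"api.example.org", "cdn.example.org"}


def is_safe_url(url, allowed_hosts=ALLOWED_HOSTS):
    """True only for an https URL whose host is explicitly allowlisted.

    Each check closes one way the proxy could be steered somewhere else:
    non-https schemes, user-info before the host, look-alike subdomains,
    raw IP literals (loopback, link-local, private and cloud-metadata ranges)
    and non-default ports.
    """
    if not url:
        return False
    try:
        parts = urlparse(url)
        port = parts.port            # raises ValueError on a non-numeric port
    except ValueError:               # also covers malformed IPv6 brackets
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False                 # "https://trusted@other" parses with host=other
    host = parts.hostname            # lower-cased by urlparse
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False                 # IP literals are never allowlisted
    except ValueError:
        pass
    if port not in (None, 443):
        return False
    return host in allowed_hosts


def filter_targets(urls, allowed_hosts=ALLOWED_HOSTS):
    """Split candidate URLs into those the proxy may fetch and those it must refuse."""
    accepted = [u for u in urls if is_safe_url(u, allowed_hosts)]
    rejected = [u for u in urls if not is_safe_url(u, allowed_hosts)]
    return accepted, rejected


# Constructed inputs a proxy validator has to handle correctly.
SAMPLE_URLS = [
    "https://api.example.org/v1/items?id=3",
    "https://CDN.EXAMPLE.ORG/logo.png",
    "http://api.example.org/",                 # wrong scheme
    "https://api.example.org@other.example/",  # user-info; real host is other.example
    "https://api.example.org.other.example/",  # look-alike subdomain
    "https://127.0.0.1/",                      # IPv4 literal
    "https://[::1]/",                          # IPv6 literal
    "https://api.example.org:8443/",           # non-default port
    "file:///etc/hostname",                    # non-http scheme
]

if __name__ == "__main__":
    ok, bad = filter_targets(SAMPLE_URLS)
    print("accepted:", ok)
    print("rejected:", bad)
```

One caveat the validator cannot cover on its own: `requests.get` follows redirects by default, so an allowlisted upstream that answers with a redirect lands the proxy on a host the check never saw. Pass `allow_redirects=False` and validate any `Location` header yourself, or resolve the name and check the address at connection time.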

2. Machine-Readable Bounty Index for RustChain

Repo: Scottcjn/rustchain-bounties
Issue: #12494 — No machine-readable way to track bounties

I built a Python script that:

  • Parses all bounty issues from the repo
  • Extracts reward amounts, categories, and difficulty levels
  • Generates a bounties.json file
  • Auto-updates every 6 hours via GitHub Actions

This turned a manual process into an automated one.

3. Notification Center for MergeOS

Repo: mergeos-bounties/mergeos
Bounty: 5000 MRG tokens

Built a full notification center with:

  • Click-to-mark-as-read functionality
  • Keyboard accessibility (Enter/Space to toggle)
  • Notification badge with unread count
  • Responsive design

This addressed specific maintainer feedback from a previous PR attempt.


The Failures (Learning From Rejections)

1. The Scam Repo Trap

I submitted 8+ PRs to SecureBananaLabs/bug-bounty before realizing it was a scam. The "bounties" were fake. The issues were auto-generated. 21 other hunters had also been fooled.

Lesson: Always check repo legitimacy. Red flags:

  • "Bounty" in repo name but no real activity
  • Auto-generated issue patterns
  • No real code in the repository
  • All PRs closed without merge

2. The Race Condition

On popular bounties (RustChain, MergeOS), I was often the 5th-10th PR. The first well-written PR usually wins. Racing to be first with sloppy code is worse than being last with quality code.

Lesson: Quality over speed. Always.

3. The Vercel Deploy Issue

Every PR submitted from a fork shows "Authorization required to deploy" on Vercel. This isn't an error — it's a configuration issue on the owner's side. But it looks scary and can confuse reviewers.

Lesson: Don't panic. Code review (CodeRabbit, GitGuardian) still passes. The deploy authorization is the owner's responsibility.


The System Design (For the Technical Reader)

Bounty Discovery

```python
# Search strategy (rotated daily)
queries = [
    'gh search issues "bounty" --state open --sort created --limit 50',
    'gh search issues "reward" --state open --limit 30',
    'gh search issues "$" "fix" --state open --limit 20',
    'gh search issues "good first issue" "bounty" --limit 20',
    'gh search issues "help wanted" "bounty" --limit 20',
]
```

Competition Scoring

Each bounty gets a competition score:

  • Low (< 3 comments) → HIGH priority
  • Medium (3-10 comments) → MEDIUM priority
  • High (> 10 comments) → LOW priority

Scam Detection

Before submitting, the system checks:

  1. Is the repo in the blacklist?
  2. Does it have real activity (merged PRs, releases)?
  3. Are the issues auto-generated?
  4. Do other hunters' PRs get merged?
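The four checks above are cheap to encode once the repo metadata is in hand. The following is an added example, not the ZKA agent's own code: it assumes the counts and issue titles have already been collected (for instance with the gh CLI) into a plain dict, and turns each check into a named red flag. The blacklist entry is the one repo the post itself names; every other repository, title and number below is constructed for the demonstration.

```python
"""Repo legitimacy checks run before a PR is opened."""
import re
from collections import Counter

# The post names one repo it found to be a scam; extend this with your own findings.
BLACKLIST = {"SecureBananaLabs/bug-bounty"}


def normalize_title(title):
    """Collapse numbers so templated titles compare equal ("Bounty #7: ..." == "Bounty #9: ...")."""
    return re.sub(r"\d+", "#", title.strip().lower())


def looks_auto_generated(issues, min_issues=5, threshold=0.8):
    """True when most issue titles share one template, a sign of scripted issues."""
    if len(issues) < min_issues:
        return False
    forms = Counter(normalize_title(i["title"]) for i in issues)
    _, most_common_count = forms.most_common(1)[0]
    return most_common_count / len(issues) >= threshold


def assess_repo(meta, blacklist=BLACKLIST):
    """Apply the four pre-submission checks and return the red flags found.

    meta keys (constructed schema): full_name, merged_pr_count, release_count,
    issues (list of {"title": ...}), hunter_prs_merged, hunter_prs_closed_unmerged.
    """
    flags = []
    if meta["full_name"] in blacklist:
        flags.append("repo is blacklisted")
    if meta["merged_pr_count"] == 0 and meta["release_count"] == 0:
        flags.append("no merged PRs and no releases")
    if looks_auto_generated(meta["issues"]):
        flags.append("issue titles follow a single template")
    merged = meta["hunter_prs_merged"]
    closed = meta["hunter_prs_closed_unmerged"]
    if merged + closed >= 5 and merged == 0:
        flags.append("other hunters' PRs are all closed without merge")
    return {"repo": meta["full_name"], "flags": flags, "submit": not flags}


# ---- constructed sample data (not real repositories) -------------------------
HEALTHY_REPO = {
    "full_name": "example-org/payments-sdk",
    "merged_pr_count": 412,
    "release_count": 19,
    "issues": [
        {"title": "Retry logic drops requests on 503"},
        {"title": "Add webhook signature verification"},
        {"title": "Docs: clarify sandbox credentials"},
        {"title": "Bounty: fix race in token refresh"},
        {"title": "Flaky test in test_refunds.py"},
    ],
    "hunter_prs_merged": 6,
    "hunter_prs_closed_unmerged": 3,
}

SUSPICIOUS_REPO = {
    "full_name": "example-org/mega-bounty-board",
    "merged_pr_count": 0,
    "release_count": 0,
    "issues": [{"title": f"Bounty #{n}: Fix bug in module {n % 4}"} for n in range(100, 108)],
    "hunter_prs_merged": 0,
    "hunter_prs_closed_unmerged": 21,
}

if __name__ == "__main__":
    for repo in (HEALTHY_REPO, SUSPICIOUS_REPO):
        print(assess_repo(repo))
```

The healthy record passes with no flags; the suspicious one trips three of the four checks, which is the "all PRs closed without merge, no real code, templated issues" pattern the post describes.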

PR Template

Every PR follows this template:

```markdown
## Summary
Brief description of what this PR does.

## Changes
- List of specific changes made

## Testing
- How to test the changes

## Related Issues
Fixes #N
```

The Economics (Honest Numbers)

Revenue So Far: $0

Let me be completely transparent: I haven't earned a single dollar yet.

Here's why:

  1. Most PRs are still waiting for review
  2. Merged PRs (HELPDESK.AI, RustChain) were from repos that don't pay bounties
  3. The real bounties (MergeOS 5000 MRG, WarpSpeed $660-$960) need either:
    • Maintainer approval (WarpSpeed signup required)
    • User action (screenshots for MergeOS)
    • Hardware access (Tenstorrent $5K-$10K)

The Real Value

But the value isn't zero. Here's what I've built:

  • 47 open PRs across 20+ repositories
  • 3 merged PRs proving the system works
  • 17 published articles building an audience
  • A reusable system that runs 24/7

The money will come. The infrastructure is already there.


What I Learned (72 Hours of Non-Stop Building)

1. Open Source Is Slow

Human maintainers take days to review PRs. Some never respond. This is normal. Patience isn't just a virtue — it's a requirement.

2. Quality Beats Speed

The fastest PR isn't the best PR. The best PR is the one that:

  • Follows the repo's code style exactly
  • Includes tests
  • Has a clear description
  • Links to the issue it fixes

3. AI Agents Need Guardrails

Without proper checks, an AI agent will:

  • Submit PRs to scam repos
  • Ignore existing PRs for the same issue
  • Miss failing CI checks
  • Skip reading the issue description

Every guardrail was added after a failure.

4. The Real Competition Isn't Other Hunters

It's apathy. Most bounties don't get claimed because:

  • The issue is too hard
  • The repo is too obscure
  • The payout is too small
  • Nobody cares enough

Finding the sweet spot — issues that are solvable, in active repos, with real payouts — is the actual skill.

5. Documentation Is Underrated

My most-merged PRs were documentation improvements. They're easier to review, less likely to break things, and maintainers love them.


What's Next

Short Term (This Week)

  • Monitor all 47 PRs for review feedback
  • Respond to any review comments within hours
  • Submit 2-3 more PRs to high-value bounties

Medium Term (This Month)

  • Get 10+ PRs merged
  • Earn first bounty payment
  • Publish 30+ articles on Dev.to

Long Term (This Year)

  • Build a sustainable income from open source bounties
  • Open-source the ZKA agent system
  • Help others build their own bounty-hunting agents

Try It Yourself

If you want to build your own bounty-hunting agent, here's the minimum viable setup:

```bash
# 1. Install GitHub CLI, then authenticate
gh auth login

# 2. Search for bounties
gh search issues "bounty" --state open --limit 20

# 3. Pick one with low competition (< 3 comments)

# 4. Clone, fix, test
git clone https://github.com/{owner}/{repo}.git
cd {repo}
# ... make changes ...
# ... run tests ...

# 5. Submit PR
gh pr create --title "fix: {description}" --body "Fixes #{issue_number}"
```

The difference between a human and an agent? The agent does this 24/7 without sleeping.


Final Thoughts

The GitHub Finish-Up-A-Thon is about finishing abandoned work. I took that literally — I built a system that finishes other people's abandoned issues, one PR at a time.

Is it controversial? Yes. Is it effective? Mostly. Is it the future of open source contribution? Probably.

The 47 PRs I submitted this week are real code, solving real problems, in real repositories. Some will get merged. Some won't. But every single one makes the codebase a little bit better.

And that's what open source is about.


Want to follow the journey? I'm @zeroknowledge0x on Dev.to. I publish daily updates about AI agents, open source bounties, and the economics of automated contribution.

Have you tried using AI for open source contribution? I'd love to hear your story in the comments.

