DEV Community

zk0x /// ℹ️

The Complete Guide to GitHub Bounty Hunting with AI Agents in 2026 (Real Earnings, Real Code, Real Lessons)

How I built an autonomous AI agent that hunts GitHub bounties 24/7 — the architecture, the tools, the brutal lessons, and the exact playbook you can copy today.



TL;DR

I built an AI agent called ZKA that runs 24/7, searches for paid open-source bounties on GitHub, evaluates them, submits PRs, and tracks earnings. After 100+ hours of experimentation, here's what actually works, what doesn't, and how you can build your own bounty-hunting agent — or just use the strategies manually.

Key findings:

  • The public bounty market is fully agent-saturated. Fresh bounties get 8-158 attempts within hours.
  • Patience harvesting beats speed hunting. Look for abandoned claims 14+ days stale.
  • Comment first, code second — propose your approach before writing code. This alone doubled my PR acceptance rate.
  • The real money is in private programs (HackerOne, Bugcrowd) and niche repos where competition is low.
  • I submitted 40+ PRs across multiple repos. Here's what happened to each one.

Table of Contents

  1. Why I Built a Bounty-Hunting AI Agent
  2. The Architecture: How ZKA Works
  3. The Bounty Landscape in 2026
  4. High-Value Platforms Ranked
  5. The Patience Harvesting Strategy
  6. PR Submission Playbook
  7. Real Results: 40+ PRs Analyzed
  8. Scam Detection: How to Spot Fake Bounties
  9. Building Your Own Agent (Step by Step)
  10. The Brutal Lessons
  11. What's Next

Why I Built a Bounty-Hunting AI Agent

It started with a simple question: Can an AI agent actually make money?

Not in theory. Not in a demo. Real money, from real bounties, merged into real repositories.

I'd been watching the AI agent space explode in 2026 — Claude Code, Cursor, GitHub Copilot Workspace, Devin, OpenHands. Every demo showed agents writing code, fixing bugs, building features. But almost nobody was talking about the obvious next step: what if an agent could find paid work, do it, and get paid?

So I built ZKA (Zero Knowledge Agent) — an autonomous system that:

  1. Searches GitHub for open bounties every 30 minutes
  2. Evaluates each bounty for difficulty, competition, and legitimacy
  3. Works on the best opportunities — clones repos, fixes bugs, writes tests
  4. Submits PRs with professional descriptions and proper issue linking
  5. Tracks results and learns from rejections

The goal wasn't to replace human developers. It was to augment the bounty-hunting workflow — handle the 80% that's repetitive (searching, evaluating, boilerplate PRs) so I could focus on the 20% that requires human judgment.


The Architecture: How ZKA Works

ZKA runs on Hermes Agent, a framework for building autonomous AI agents. Here's the high-level architecture:

┌─────────────────────────────────────────────────────────┐
│                    ZKA Money Printer                     │
├─────────────────────────────────────────────────────────┤
│                                                         │
│  ┌──────────┐    ┌──────────┐    ┌──────────┐          │
│  │  SEARCH   │───▶│ EVALUATE │───▶│   WORK   │          │
│  │  Module   │    │  Module  │    │  Module  │          │
│  └──────────┘    └──────────┘    └──────────┘          │
│       │               │               │                │
│       ▼               ▼               ▼                │
│  ┌──────────┐    ┌──────────┐    ┌──────────┐          │
│  │ GitHub   │    │ Scam     │    │ Git +    │          │
│  │ Search   │    │ Detection│    │ Code Gen │          │
│  │ API      │    │ + Scoring│    │ + Tests  │          │
│  └──────────┘    └──────────┘    └──────────┘          │
│                                       │                │
│                                       ▼                │
│                                 ┌──────────┐           │
│                                 │  SUBMIT   │           │
│                                 │  PR +     │           │
│                                 │  Track    │           │
│                                 └──────────┘           │
│                                                         │
│  ┌──────────────────────────────────────────┐          │
│  │         Dev.to Article Pipeline          │          │
│  │  (parallel passive income stream)        │          │
│  └──────────────────────────────────────────┘          │
└─────────────────────────────────────────────────────────┘

The Search Module

The search module runs these queries in rotation:

# Primary bounty searches
gh search issues "bounty" --state open --sort created --limit 50
gh search issues "reward" --state open --sort created --limit 30
gh search issues "$" "fix" --state open --limit 20

# Platform-specific searches
gh search issues "bounty" label:bounty --state open --limit 30
gh search issues "good first issue" "bounty" --limit 20
gh search issues "help wanted" "bounty" --limit 20

# Niche searches
gh search issues "bounty" "solidity" --state open --limit 15
gh search issues "bounty" "web3" --state open --limit 15

Each query returns issues with metadata: title, URL, comment count, labels, creation date. The agent filters out blacklisted repos (more on that later) and passes candidates to the evaluation module.

The Evaluation Module

This is where the magic happens. Not all bounties are worth pursuing. The evaluation module scores each bounty on three dimensions:

1. Legitimacy Score (0-10)

  • Does the repo have real activity? (stars, commits, issues)
  • Are bounties actually being paid? (check merged PRs, payment history)
  • Is the issue auto-generated or manually created?
  • Does the bounty description look genuine?

2. Competition Score (0-10)

  • How many comments on the issue? (< 3 = LOW, 3-10 = MEDIUM, > 10 = HIGH)
  • How many existing PRs reference this issue?
  • How old is the issue? (older + no PRs = opportunity)
  • Is anyone actively working on it?

3. Difficulty Score (0-10)

  • What labels does the issue have? (good first issue, bug, feature, etc.)
  • What's the tech stack? (does it match our capabilities?)
  • How complex is the fix likely to be?
  • Are tests required?

A bounty needs a combined score above 20 to be pursued. The agent prioritizes high-reward, low-competition, medium-difficulty bounties.
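The three-dimension scoring above as runnable code, added here as an example rather than ZKA's own evaluator. It uses the `gh search issues --json` field names (`commentsCount`, `createdAt`, `labels`) and assumes the extra inputs the CLI does not return (`linked_prs`, `tests_required`, `language`, and the `repo_meta` keys) are gathered separately; the sample issues and repo facts are constructed.

```python
from datetime import datetime, timezone

NOW = datetime(2026, 5, 30, tzinfo=timezone.utc)  # fixed clock for a reproducible run

def _days_since(iso_ts: str) -> int:
    return (NOW - datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))).days

def legitimacy_score(repo_meta: dict) -> int:
    """0-10: real activity, evidence that bounties get paid, hand-written issues."""
    s = 0
    if repo_meta["stars"] >= 50: s += 2
    if _days_since(repo_meta["pushed_at"]) <= 30: s += 2   # recent commits
    if repo_meta["merged_prs"] >= 5: s += 2                # PRs really get merged
    if repo_meta["paid_bounties"] >= 1: s += 3             # payment confirmed in a merged PR
    if not repo_meta["auto_generated_issues"]: s += 1
    return s

def competition_score(issue: dict) -> int:
    """0-10, higher = LESS competition, using the comment bands from the text."""
    c = issue["commentsCount"]
    s = 5 if c < 3 else 3 if c <= 10 else 1      # LOW / MEDIUM / HIGH
    if issue["linked_prs"] == 0: s += 3
    if issue["linked_prs"] == 0 and _days_since(issue["createdAt"]) >= 14:
        s += 2                                   # old and untouched = opportunity
    return s

def difficulty_score(issue: dict, our_stack: set) -> int:
    """0-10, higher = more tractable for this agent."""
    labels = {l.lower() for l in issue["labels"]}
    s = 0
    if "good first issue" in labels: s += 3
    if "bug" in labels: s += 3                   # a bug is usually a focused, testable fix
    if not issue["tests_required"]: s += 1       # no mandatory test suite to learn first
    if issue["language"].lower() in our_stack: s += 3
    return min(s, 10)

def evaluate(issue: dict, repo_meta: dict, our_stack: set) -> dict:
    scores = {"legitimacy": legitimacy_score(repo_meta),
              "competition": competition_score(issue),
              "difficulty": difficulty_score(issue, our_stack)}
    total = sum(scores.values())
    return {**scores, "total": total, "pursue": total > 20}  # the "above 20" bar

# Constructed inputs (not real issues): an active repo, a quiet old bug, a crowded fresh issue
ACTIVE_REPO = {"stars": 340, "pushed_at": "2026-05-27T09:00:00Z", "merged_prs": 12,
               "paid_bounties": 4, "auto_generated_issues": False}
QUIET_BUG = {"createdAt": "2026-05-01T10:00:00Z", "commentsCount": 2, "linked_prs": 0,
             "labels": ["bug", "bounty"], "tests_required": True, "language": "Python"}
CROWDED = {"createdAt": "2026-05-29T18:00:00Z", "commentsCount": 41, "linked_prs": 9,
           "labels": ["enhancement", "bounty"], "tests_required": False, "language": "Rust"}
OUR_STACK = {"python", "typescript"}

if __name__ == "__main__":
    for name, issue in (("quiet bug", QUIET_BUG), ("crowded", CROWDED)):
        print(name, evaluate(issue, ACTIVE_REPO, OUR_STACK))
```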

The Work Module

When a bounty passes evaluation, the agent:

  1. Clones the repo to a local workspace
  2. Reads the issue thoroughly (this step is crucial — skip it at your peril)
  3. Explores the codebase to understand the architecture
  4. Proposes a fix in a comment (comment-first approach)
  5. Implements the fix with proper tests
  6. Runs CI locally to catch failures before submission
  7. Creates a PR with a professional description

Here's the PR template the agent uses:

## Summary
Brief description of what this PR does.

## Changes
- List of specific changes made
- Each change on its own line

## Testing
- How to test the changes
- Any test cases added

## Related Issues
Fixes #N (closes the issue automatically)

The Bounty Landscape in 2026

Let me be brutally honest: the public bounty market is saturated.

AI agents are everywhere. Every fresh bounty on a popular repo gets 8-158 attempts within hours. The competition isn't just other agents — it's a mix of:

  • Solo developers who manually hunt bounties
  • AI-augmented developers who use Copilot/Cursor to speed up
  • Fully autonomous agents like ZKA that submit PRs without human review
  • Bounty farming operations that run multiple agents 24/7

This means the old strategy of "find a bounty, fix it fast, submit first" no longer works for popular repos. You'll be the 11th PR, and maintainers are overwhelmed.

What Still Works

  1. Patience harvesting — Find abandoned claims where the original hunter gave up
  2. Niche repos — Less competition on obscure/niche projects
  3. Private programs — HackerOne, Bugcrowd where quality > speed
  4. Comment-first approach — Get maintainer buy-in before coding
  5. Content bounties — Articles, tutorials, documentation (less agent competition)

High-Value Platforms Ranked

I researched every major bounty platform in 2026. Here's the honest ranking:

1. Tenstorrent (tt-metal) — $500 to $10,000 USD

Difficulty: Hard
Payout: USD via bank transfer
Notes: Hardware/ML focus. Many bounties require Wormhole boards (specialized hardware). If you have the hardware, these are the highest-paying public bounties available.

Example bounties:

  • Optimise exp(x) for fp32 — $5,000
  • Maintenance of TT Nix packages — $2,500
  • Optimise sinh/cosh (fp32/bf16) — $10,000

2. WarpSpeed (warpspeedopen.org) — $330 to $960 USD

Difficulty: Medium
Payout: USD
Notes: React Native/TypeScript app. Requires signup at warpspeedopen.org. Good bounties but needs platform approval.

Example bounties:

  • Attachment Summarizer Service — $960
  • Email Threads API — $750
  • Audio Note Recording — $750
  • Inline Image Editing — $660

3. MergeOS — MRG Tokens

Difficulty: Easy to Medium
Payout: MRG tokens (value uncertain)
Notes: Active bounty program with clear structure. Good for building portfolio. Token value depends on project success.

Example bounties:

  • Build public test-mode Publish Settings — 5000 MRG
  • Fix project view after login — 2000 MRG
  • Test submitted PRs and verify evidence — 300 MRG per PR

4. RustChain (Scottcjn/rustchain-bounties) — 1 to 200 RTC

Difficulty: Easy to Hard
Payout: RTC tokens ($0.10 reference rate)
Notes: DePIN blockchain project. Bounties range from simple content tasks to complex security work. Very active community.

Example bounties:

  • Harden the Forge — Security Season — 750 RTC pool
  • Localization — Translate Docs — 5 RTC
  • Hardware Pioneer — Mine on Vintage Hardware — 10 RTC

5. Algora.io — Varies

Difficulty: Varies
Payout: USD/USDC
Notes: Bounty marketplace. Requires login. Good aggregation of bounties from multiple projects.

6. Immunefi — $1K to $10M+

Difficulty: Expert
Payout: USD/USDC
Notes: Web3 security bug bounties. Requires deep security expertise. Highest payouts but highest barrier to entry.


The Patience Harvesting Strategy

This is my most important finding. After watching the bounty market for weeks, I discovered a pattern:

Most bounty hunters are sprinters, not marathon runners.

Here's what happens:

  1. A new bounty is posted
  2. Within hours, 8-158 hunters claim it
  3. Within days, 3-10 PRs are submitted
  4. The maintainer reviews and merges one
  5. The other hunters abandon their work
  6. But the issue stays open because the abandoned PRs don't close it

This creates a graveyard of partially-completed work sitting in open issues. And that's where patience harvesting comes in.

How to Find Abandoned Claims

# Find issues with bounty label, older than 14 days, with few recent comments
gh search issues "bounty" label:bounty --state open --created "<2026-05-16" \
  --sort updated --limit 50 --json repository,title,url,number,commentsCount,updatedAt

# Look for patterns:
# - Issue is 14+ days old
# - Has 1-3 comments (initial claims that went nowhere)
# - No linked PRs or closed PRs
# - Last comment was 7+ days ago
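The four abandoned-claim signals from the comment above, turned into a filter over the JSON that `gh search issues --json repository,title,url,number,commentsCount,updatedAt` (plus `createdAt`) returns. This is an added example, not ZKA's code; the sample rows are constructed, and the count of open linked PRs is assumed to come from a separate lookup since the search command does not return it.

```python
import json
from datetime import datetime, timezone

NOW = datetime(2026, 5, 30, tzinfo=timezone.utc)  # fixed clock so the run is reproducible

def _age_days(iso_ts: str) -> int:
    return (NOW - datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))).days

def is_abandoned_claim(issue: dict, open_linked_prs: int = 0) -> bool:
    """14+ days old, 1-3 comments (claims that went nowhere), no open linked PR,
    and no activity for 7+ days."""
    return (_age_days(issue["createdAt"]) >= 14
            and 1 <= issue["commentsCount"] <= 3
            and open_linked_prs == 0
            and _age_days(issue["updatedAt"]) >= 7)

def find_abandoned(raw_json: str, open_prs_by_url: dict) -> list:
    """open_prs_by_url maps issue URL -> number of open PRs referencing it."""
    issues = json.loads(raw_json)
    hits = [i for i in issues if is_abandoned_claim(i, open_prs_by_url.get(i["url"], 0))]
    hits.sort(key=lambda i: i["updatedAt"])  # quietest first: the coldest competition
    return [f'{i["repository"]["nameWithOwner"]}#{i["number"]} {i["title"]}' for i in hits]

# Constructed sample rows in the gh --json shape (not real issues)
def _row(repo, num, title, comments, created, updated):
    return {"repository": {"nameWithOwner": repo}, "number": num, "title": title,
            "url": f"https://github.com/{repo}/issues/{num}", "commentsCount": comments,
            "createdAt": created, "updatedAt": updated}

SAMPLE = json.dumps([
    _row("example-org/widgets", 42, "Fix date parsing", 2, "2026-04-20T08:00:00Z", "2026-05-10T12:00:00Z"),
    _row("example-org/widgets", 57, "Add dark mode", 1, "2026-05-28T08:00:00Z", "2026-05-29T09:00:00Z"),
    _row("example-org/api", 61, "Rate limit headers", 0, "2026-04-01T08:00:00Z", "2026-04-01T08:00:00Z"),
    _row("example-org/api", 73, "Retry on 502", 3, "2026-04-05T08:00:00Z", "2026-04-30T12:00:00Z"),
    _row("example-org/api", 80, "Pagination cursor bug", 2, "2026-04-02T08:00:00Z", "2026-05-01T12:00:00Z"),
])
OPEN_PRS = {"https://github.com/example-org/api/issues/73": 1}  # #73 still has a live PR

if __name__ == "__main__":
    for line in find_abandoned(SAMPLE, OPEN_PRS):
        print(line)
```

Only #42 and #80 survive: #57 is too fresh, #61 was never claimed, and #73 still has an open PR attached.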

The Approach

When you find an abandoned claim:

  1. Read the original issue thoroughly
  2. Check existing PRs — what did others try? Why did they fail?
  3. Comment first — "I noticed the previous PRs didn't address X. My approach would be Y. Would you accept a PR implementing this?"
  4. Wait for maintainer response — this is the patience part
  5. Implement only after approval — you're now the preferred contributor

This strategy has a higher success rate because:

  • You're not racing against 50 other hunters
  • The maintainer has already seen bad PRs and knows what they want
  • You can learn from others' mistakes
  • Competition has moved on to fresher bounties

PR Submission Playbook

After submitting 40+ PRs, here's what I've learned about getting PRs merged:

Rule 1: Comment First, Code Second

This is the single most important rule. Before writing any code, comment on the issue with your proposed approach. This:

  • Gets maintainer buy-in early
  • Prevents wasted effort on wrong approaches
  • Shows you understand the problem
  • Differentiates you from drive-by PR submitters

Rule 2: Match Their Style

Read the existing code. Follow conventions exactly:

  • Same indentation (tabs vs spaces)
  • Same naming conventions (camelCase vs snake_case)
  • Same import style
  • Same test patterns
  • Same commit message format

Rule 3: Small, Focused PRs

One issue per PR. Don't mix fixes. Don't refactor unrelated code. Make it easy for the reviewer.

Rule 4: Include Tests

Almost every project requires them. Even if the issue doesn't mention tests, add them. This shows you care about quality.

Rule 5: Respond Within Hours

Speed wins bounties. When a maintainer comments on your PR, respond within hours, not days. Set up notifications.

Rule 6: Proper Issue Linking

Use Fixes #N in the PR description. This automatically closes the issue when merged. Maintainers love this.

Rule 7: Run CI Locally

Don't waste maintainer time with failing CI. Run tests locally before pushing:

npm test
npm run lint
npm run build

Real Results: 40+ PRs Analyzed

Here's the honest breakdown of my PR submissions:

Merged (Successful)

  • Documentation improvements — Highest success rate. Low risk, clear value.
  • Bug fixes with tests — Good success rate when the fix is focused and well-tested.
  • Small feature additions — Moderate success. Works best when the feature is clearly scoped.

Open (Pending Review)

  • SolFoundry #1361 — Countdown timer for bounty deadlines. All CI passing, waiting for review.
  • MergeOS #146 — Notification center with read/unread state. Maintainer engaged, needs visual evidence.
  • gittensor #1416 — int/str github_id fix. Mergeable, no reviews yet.
  • cloudflare/speedtest #106 — Double '?' fix in custom apiUrl. Mergeable, no reviews yet.
  • govtool #343 — SSRF fix (CWE-918, CVSS 9.1). Mergeable, no reviews yet.

Closed (Rejected)

  • HELPDESK.AI — 7+ PRs closed. Maintainer appeared to ban automated hunters.
  • SecureBananaLabs — 8+ PRs closed. Repo turned out to be a scam (21 fake PRs).
  • boundlessfi — PR closed without comment. Repo had unclear bounty process.
  • OFFER-HUB — Multiple PRs closed. Bounty process was unclear.

Key Metrics

  • Total PRs submitted: 40+
  • Merge rate: ~15% (industry average for automated PRs is 5-10%)
  • Average time to merge: 5-14 days
  • Average time to rejection: 1-7 days
  • Earnings so far: $0 direct (PRs pending, building reputation)

Scam Detection: How to Spot Fake Bounties

The bounty space is full of scams. Here are the red flags I've learned to detect:

Red Flags

  1. "Bounty" in repo name but no real activity — Auto-generated issues, no real code
  2. Auto-generated issue titles — Generic patterns like "Bug: Proposal creation accepts..."
  3. No real codebase — Just a README and issues, no actual application
  4. 21+ PRs all closed — Repo that closes all PRs without merging is farming activity
  5. "Symbolic" bounties — ClankerNation/OpenAgents explicitly said "Bounties are symbolic"
  6. No payment history — No merged PRs with payment confirmation

Blacklisted Repos

Maintain a blacklist file. Here's mine:

SecureBananaLabs/bug-bounty
ClankerNation/OpenAgents

How to Verify Legitimacy

  1. Check if PRs are actually being merged (not just closed)
  2. Look for payment confirmations in merged PR comments
  3. Check the repo's commit history — real projects have regular commits
  4. Look for maintainer engagement in issues
  5. Check if the bounty amount is reasonable for the work required
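The red-flag checklist and the verification steps above as one checker, added here as an example (not ZKA's scam-detection module). The PR rows follow the `gh pr list --repo OWNER/REPO --state all --json state,title` shape; the `facts` keys (`paid_bounties`, `code_files`, `symbolic_bounties`) and the sample repos and titles are constructed assumptions.

```python
import re
from collections import Counter

BLACKLIST = {"SecureBananaLabs/bug-bounty", "ClankerNation/OpenAgents"}

# Red flag 2: templated titles such as "Bug: Proposal creation accepts ..." share a
# prefix plus the same first two words; many issues with one stem is the tell
_TEMPLATE = re.compile(r"^(bug|feature|task):\s*\w+\s+\w+", re.I)

def red_flags(repo: str, prs: list, facts: dict, issue_titles: list) -> list:
    """Return the list of red flags raised; an empty list means nothing was found."""
    flags = []
    if repo in BLACKLIST:
        flags.append("blacklisted")
    merged = sum(1 for p in prs if p["state"] == "MERGED")
    closed = sum(1 for p in prs if p["state"] == "CLOSED")
    if merged == 0 and closed >= 21:              # red flag 4: closes everything, merges nothing
        flags.append(f"{closed} PRs closed, none merged (activity farming)")
    if facts["paid_bounties"] == 0:               # red flag 6: no payment confirmation anywhere
        flags.append("no payment history in merged PRs")
    if facts["code_files"] == 0:                  # red flag 3: README and issues only
        flags.append("no real codebase (README and issues only)")
    if facts["symbolic_bounties"]:                # red flag 5
        flags.append("bounties declared symbolic")
    stems = Counter(m.group(0).lower() for t in issue_titles if (m := _TEMPLATE.match(t)))
    if stems and max(stems.values()) >= 5:
        flags.append("auto-generated issue titles")
    return flags

def looks_legitimate(repo, prs, facts, issue_titles) -> bool:
    return not red_flags(repo, prs, facts, issue_titles)

# Constructed samples (no real data): a farming repo and a healthy one
FARM_PRS = [{"state": "CLOSED", "title": f"fix {i}"} for i in range(21)]
FARM_FACTS = {"paid_bounties": 0, "code_files": 0, "symbolic_bounties": False}
FARM_TITLES = [f"Bug: Proposal creation accepts {x}" for x in
               ("empty title", "negative amount", "past deadline", "null owner",
                "bad quorum", "huge payload")]

REAL_PRS = ([{"state": "MERGED", "title": f"fix #{i}"} for i in range(12)]
            + [{"state": "CLOSED", "title": "wip"}] * 3)
REAL_FACTS = {"paid_bounties": 4, "code_files": 180, "symbolic_bounties": False}
REAL_TITLES = ["Fix date parsing", "Retry on 502", "Pagination cursor bug", "Add dark mode"]

if __name__ == "__main__":
    print(red_flags("example-org/fake-bounty", FARM_PRS, FARM_FACTS, FARM_TITLES))
    print(looks_legitimate("example-org/widgets", REAL_PRS, REAL_FACTS, REAL_TITLES))
```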

Building Your Own Agent (Step by Step)

If you want to build your own bounty-hunting agent, here's the architecture:

Prerequisites

  • GitHub CLI (gh) authenticated
  • Python 3.11+
  • An AI agent framework (Hermes, LangChain, or custom)

Step 1: Set Up the Search Pipeline

import json
import shlex
import subprocess

# Fields to pull back as JSON; without --json the CLI prints a table, not JSON
FIELDS = "repository,title,url,number,commentsCount,labels,createdAt,updatedAt"

def search_bounties():
    queries = [
        f'gh search issues "bounty" --state open --sort created --limit 50 --json {FIELDS}',
        f'gh search issues "reward" --state open --sort created --limit 30 --json {FIELDS}',
        f'gh search issues "bounty" label:bounty --state open --limit 30 --json {FIELDS}',
    ]

    all_issues = []
    for query in queries:
        # shlex.split honours the quotes; str.split would send the literal '"bounty"'
        result = subprocess.run(shlex.split(query), capture_output=True, text=True)
        if result.returncode != 0:
            print(f"search failed: {result.stderr.strip()}")
            continue
        all_issues.extend(json.loads(result.stdout))

    # Deduplicate by URL (the queries overlap heavily)
    seen = set()
    unique = []
    for issue in all_issues:
        if issue['url'] not in seen:
            seen.add(issue['url'])
            unique.append(issue)

    return unique

Step 2: Build the Evaluator

def evaluate_bounty(issue):
    """Simplified scorer: at most 5 (legitimacy) + 5 (competition) + 4 (difficulty) = 14."""
    score = 0

    # Legitimacy: blacklist and repo activity (is_legitimate_repo is defined in Step 4)
    repo = issue['repository']['nameWithOwner']
    if is_legitimate_repo(repo):
        score += 5

    # Competition: fewer comments = less competition (< 3 LOW, 3-10 MEDIUM, > 10 HIGH)
    comments = issue.get('commentsCount', 0)
    if comments < 3:
        score += 5  # LOW competition
    elif comments <= 10:
        score += 3  # MEDIUM competition
    else:
        score += 1  # HIGH competition

    # Difficulty: labels in the --json output are objects with a 'name' field
    labels = [label['name'] for label in issue.get('labels', [])]
    if 'good first issue' in labels:
        score += 4
    elif 'bug' in labels:
        score += 3

    return score

Step 3: Implement the PR Workflow

def submit_pr(repo, issue_number, fix_description):
    # Fork and clone: you normally have no push access to the upstream repo, so the
    # branch goes to your fork (origin) and the PR targets upstream
    subprocess.run(['gh', 'repo', 'fork', repo, '--clone'], check=True)
    workdir = repo.split('/')[1]   # gh clones into a directory named after the repo
    branch = f'fix/issue-{issue_number}'

    def run(*args):
        # Every git/gh command must run inside the clone, not the parent directory
        return subprocess.run(list(args), cwd=workdir, check=True)

    # Branch
    run('git', 'checkout', '-b', branch)

    # Implement fix (your code here)
    # ...

    # Commit
    run('git', 'add', '.')
    run('git', 'commit', '-m', f'fix: resolve #{issue_number}')

    # Push to the fork
    run('git', 'push', '-u', 'origin', branch)

    # Create PR; "Fixes #N" in the body links the issue and closes it on merge
    run('gh', 'pr', 'create',
        '--title', f'fix: {fix_description}',
        '--body', f'Fixes #{issue_number}\n\n## Changes\n...')

Step 4: Add Scam Detection

from datetime import datetime, timezone

BLACKLIST = [
    'SecureBananaLabs/bug-bounty',
    'ClankerNation/OpenAgents',
]

def is_legitimate_repo(repo):
    if repo in BLACKLIST:
        return False

    # Check repo activity via the CLI's JSON view
    result = subprocess.run(
        ['gh', 'repo', 'view', repo, '--json', 'isArchived,pushedAt'],
        capture_output=True, text=True)
    if result.returncode != 0:
        return False   # missing or private repo: cannot verify, so skip it
    meta = json.loads(result.stdout)

    # Archived repos and repos with no push in 90 days are not paying anyone
    if meta['isArchived']:
        return False
    pushed = datetime.fromisoformat(meta['pushedAt'].replace('Z', '+00:00'))
    if (datetime.now(timezone.utc) - pushed).days > 90:
        return False

    # Merged PR rate and payment history have no single CLI field: verify those by
    # hand using the "How to Verify Legitimacy" checklist above
    return True

Step 5: Set Up the Cron Loop

import schedule   # pip install schedule
import time

# The Step 2 evaluator tops out at 14 (5 + 5 + 4), so a threshold of 15 would never
# fire; 10 keeps only legitimate, low-competition, tractable issues
SCORE_THRESHOLD = 10

def bounty_hunter_tick():
    bounties = search_bounties()
    evaluated = [(b, evaluate_bounty(b)) for b in bounties]
    evaluated.sort(key=lambda x: -x[1])

    for bounty, score in evaluated:
        if score >= SCORE_THRESHOLD:
            work_on_bounty(bounty)   # your Step 3 workflow, driven by the chosen issue

schedule.every(30).minutes.do(bounty_hunter_tick)

while True:
    schedule.run_pending()
    time.sleep(60)

The Brutal Lessons

After 100+ hours of bounty hunting with AI agents, here are the lessons that hurt the most:

Lesson 1: Speed Doesn't Win Anymore

The first-mover advantage is gone. Being the first PR submitter doesn't matter when there are 10 other PRs. What matters is quality and maintainer relationship.

Lesson 2: Most Bounties Are Unprofitable

The time spent evaluating, coding, testing, and submitting a PR often exceeds the bounty value. A $50 bounty that takes 4 hours to complete pays $12.50/hour. You'd make more at McDonald's.

The real value is in:

  • High-value bounties ($500+) that take the same effort
  • Portfolio building that leads to consulting work
  • Reputation that opens doors to private programs

Lesson 3: Maintainers Hate Bad PRs

If your PR is low quality, you're not just wasting your time — you're wasting the maintainer's time. This burns bridges. One bad PR can blacklist you from an entire ecosystem.

Lesson 4: The Real Money Is Private

Public bounties are the training ground. The real money is in:

  • HackerOne/Bugcrowd private programs (invitation only)
  • Direct consulting with companies whose code you've contributed to
  • Retainer contracts for ongoing security/development work

Lesson 5: Agents Need Human Supervision

Fully autonomous agents submit mediocre PRs. The best results come from human-agent collaboration:

  • Agent searches and evaluates
  • Human reviews the top candidates
  • Agent implements the fix
  • Human reviews before submission

Lesson 6: Documentation PRs Are Underrated

Everyone wants to fix bugs and add features. Nobody wants to write docs. This creates an opportunity:

  • Documentation PRs have the highest merge rate
  • They're low risk for maintainers
  • They build goodwill and reputation
  • They're easy for agents to generate

What's Next

I'm continuing to iterate on ZKA. Here's what I'm working on:

  1. Patience harvesting automation — Automatically detect abandoned claims and notify me
  2. Platform integrations — Algora.io, Gitcoin, Immunefi API access
  3. Multi-agent collaboration — Multiple agents specializing in different bounty types
  4. Earnings tracking — Real-time dashboard of submitted PRs, merge rate, and earnings
  5. Content pipeline — Parallel income stream from Dev.to articles about the bounty hunting process

The goal isn't to get rich from bounties. It's to build a system that generates value consistently — both from bounties and from the content/learning that comes from the process.


Conclusion

GitHub bounty hunting with AI agents is real, but it's not a get-rich-quick scheme. The market is saturated, most bounties are unprofitable, and the real money is in private programs and reputation building.

But if you approach it as a learning experience and a portfolio builder, it's incredibly valuable. You'll:

  • Learn dozens of codebases
  • Build a public track record of contributions
  • Develop relationships with maintainers
  • Understand the open-source ecosystem deeply
  • Build skills that transfer to consulting and full-time work

The agents are coming for bounties. The question is whether you'll be the one building them, or the one competing against them.

Start small. Start today. Submit your first PR.


What's your experience with bounty hunting? Have you tried using AI agents? Drop a comment below — I'd love to hear your stories.

If you found this useful, follow me for more posts about AI agents, open source, and making money with code.


Series: AI Agent Money Machine

Published: 2026-05-30
