A comprehensive, battle-tested knowledge base for AI-assisted bug bounty hunting. Built from real-world security research on Matomo, Jetpack, WooCommerce, Shopware, Magento, and more — using AI agents (Hermes, Claude, MiMo) as collaborative partners.
Philosophy: "Don't focus only on Critical. Find anything submittable that earns money." — Every confirmed vulnerability is worth more than a theoretical one.
- Target selection strategies (paid programs, low-competition)
- Reconnaissance techniques (DNS, subdomains, SSL, Wayback, Google Dorks)
- PHP-specific audit patterns (WordPress SSRF, deserialization, SQL injection, Twig `|raw`)
- Systematic scan methodology (8 parallel vulnerability scans)
- CVSS scoring guide with common vectors
- HackerOne submission workflow with Signal requirements
- SSRF bypass techniques, GraphQL attacks, JWT attacks, exploit chaining
- Magento-specific audit patterns (unauthenticated API, GraphQL, deserialization)
- Jetpack/WooCommerce attack surface (blog token chain, Agentic Checkout)
- YesWeHack program discovery via API
Real vulnerability discoveries from active bug bounty programs:
| Project | Findings | Status |
|---|---|---|
| Matomo | SSRF via SiteContentDetector (VIEW access, weak blocklist) | Submitted to HackerOne |
| Matomo | Annotations XSS (stored cross-site scripting) | Analysis complete |
| Jetpack | 3 reports: Forms SSRF, External Media SSRF, Backup RCE (CVSS 9.8) | Submitted to HackerOne |
| WooCommerce | Agentic Checkout payment fraud (CVSS 8.2), blog token chain | Submitted to HackerOne |
| Shopware | Systemic SSRF — 8 components without validation ("Inconsistency Pattern") | 2 reports submitted |
| Magento | Attack surface analysis: 41 unauth endpoints, GraphQL, deserialization | Analysis complete |
- Inconsistency Pattern — SSRF protection exists in one component but not another (Shopware)
- Multi-Trigger Pattern — Find all endpoints sharing the same vulnerable function (Matomo)
- Blog Token Chain — Medium DB read → Critical RCE + payment fraud (Jetpack/WooCommerce)
- Blocklist Weakness — What's missing from host blocklists (Matomo)
- Legacy vs Modern — Old code paths bypass newer security controls
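The Blocklist Weakness and Inconsistency Pattern entries above share one root cause: an outbound-request check that compares host strings instead of classifying the address the code will actually connect to. The Python below is an added illustration, not code from this repository or from any of the audited projects; `NAIVE_BLOCKLIST`, the `*.example` hostnames and the fake resolver are constructed so it runs offline. It places the weak string-compare pattern beside an address-aware check and runs both over the same inputs.

```python
"""Host validation for outbound fetches: a naive name blocklist beside an
address-aware check.  Added illustration, not code from this repository
or from the audited projects.  All names and sample inputs are constructed."""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# The weak pattern: a fixed set of host strings compared literally.
# Any spelling of the same target that is not in the set slips through.
NAIVE_BLOCKLIST = {"localhost", "127.0.0.1"}


def naive_is_allowed(url: str) -> bool:
    """String-compare the hostname against a blocklist (the weak pattern)."""
    host = urlsplit(url).hostname or ""
    return host.lower() not in NAIVE_BLOCKLIST


def default_resolver(host: str) -> Iterable[str]:
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def address_is_public(address: str) -> bool:
    """True only for globally routable unicast addresses.

    IPv4-mapped IPv6 addresses are unwrapped first so the embedded IPv4
    address is what gets classified, not the IPv6 wrapper.
    """
    ip = ipaddress.ip_address(address)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def hardened_is_allowed(url: str,
                        resolve: Callable[[str], Iterable[str]] = default_resolver) -> bool:
    """Address-aware check: restrict the scheme, classify every address the
    host resolves to, and allow only public unicast targets.

    `resolve` is injectable so the decision can be tested without DNS.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname  # lower-cased, IPv6 brackets already stripped
    try:
        # IP literal: classify it directly, no DNS involved.
        return address_is_public(host)
    except ValueError:
        pass  # not an IP literal; fall through to resolution
    try:
        addresses = list(resolve(host))
    except (socket.gaierror, OSError):
        return False  # unresolvable names are rejected, not silently allowed
    # Every address must be public: a name with one internal record is enough to reject.
    return bool(addresses) and all(address_is_public(a) for a in addresses)


def compare(url: str, resolve: Callable[[str], Iterable[str]] = default_resolver) -> tuple:
    """Return (naive verdict, hardened verdict) for one candidate URL."""
    return naive_is_allowed(url), hardened_is_allowed(url, resolve)


if __name__ == "__main__":
    # Constructed sample inputs; a fake resolver stands in for DNS.
    fake_dns = {"api.example": ["93.184.216.34"],
                "intranet.example": ["10.0.0.5"]}
    fake_resolve = lambda h: fake_dns.get(h, [])
    for u in ["https://api.example/feed",
              "http://intranet.example/admin",
              "http://127.0.0.1/",
              "http://[::1]/",
              "http://0.0.0.0/",
              "http://169.254.169.254/",
              "ftp://api.example/"]:
        naive, hardened = compare(u, fake_resolve)
        print(f"{u:34} naive={naive!s:5} hardened={hardened}")
```

Resolving on the validation side only narrows the gap: a real deployment also has to pin the resolved address for the actual connection (or disable redirects and re-validate each hop), otherwise a name can resolve differently between the check and the request. The point the table above makes is that this check must be applied by every component that fetches a URL, not by one of them.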
- `code-audit.sh` — 19-scan automated source code audit (RCE, SQLi, SSRF, XSS, etc.)
- `recon.sh` — Automated reconnaissance (DNS, subdomains, SSL, headers, Wayback)
- `hackerone-submission-template.md` — Report structure + CVSS quick reference
This knowledge base is designed to be loaded by AI coding agents:
- Clone the repo or reference it as context
- Ask the agent to audit a specific codebase
- The agent will follow the systematic methodology in SKILL.md
- Review findings, verify manually, submit reports
- Read `SKILL.md` for comprehensive methodology
- Check `references/program-status.md` before targeting a program
- Use `scripts/code-audit.sh` for automated scanning
- Follow templates in `templates/` for report formatting
- Matomo — HackerOne, PHP, up to $13K (Critical)
- Automattic (Jetpack/WooCommerce) — HackerOne, PHP, $250-$10K
- Adobe/Magento — HackerOne, PHP, $100-$15K (Tier 1-3)
- Shopware — Own submission form, EUR, PHP/Symfony
- YesWeHack — Indonesian programs: GoTo Financial ($7K), GOJEK ($5K), DANA ($3K)
This knowledge base is for authorized security research only:
- ✅ Analyzing publicly available source code
- ✅ Passive reconnaissance (DNS, headers, OSINT)
- ✅ Identifying vulnerability patterns and providing PoC templates
- ✅ Helping write and format bug reports
- ❌ Running destructive tests (DoS, data deletion)
- ❌ Exfiltrating real user data
- ❌ Disclosing vulnerabilities before patches
- ❌ Bypassing authentication without authorization
The most effective approach is pair-hunting:
- AI Agent: Clone repo, analyze source, identify vulns, generate PoC
- Human Researcher: Verify in local environment, capture evidence, submit report
- 17 files of curated security knowledge (~117KB)
- 5+ projects audited with real findings
- 8+ reports submitted to HackerOne
- Multiple proven techniques documented and reusable
- CVSS 9.8 highest severity finding (Jetpack Backup RCE)
MIT — Use freely for security research. Just don't be evil.
Built with ❤️ and AI assistance. Knowledge is power — use it responsibly.