HackerOne bug bounty automation - parses scope CSVs, deploys parallel pentesting agents per asset, validates PoCs, and generates platform-ready submission reports.
skills/coordination/SKILL.md).validate-findings workflow per asset (authoritative submission gate). Generate HackerOne reports from the validated set ONLY — never submit a finding that is not VALID/REPAIRED.identifier — asset URL/domain.asset_type — URL, WILDCARD, API, CIDR.eligible_for_submission — must be true.max_severity — critical / high / medium / low.instruction — asset-specific notes.skills/hackerone/tools/csv_parser.py. Filter for eligible_for_submission=true.coordinator_role = Read("skills/coordination/SKILL.md")
Agent(prompt=f"{coordinator_role}\n\nTARGET: {asset_url}\nSCOPE: {program_guidelines}\nOUTPUT_DIR: ...",
run_in_background=True)
skills/coordination/SKILL.md and reference/role-matrix.md.poc.py (executable exploit), poc_output.txt (timestamped execution proof), manual repro steps, and evidence (screenshots / HTTP captures / video). This is the input the validator consumes.validate-findings workflow for that asset and submits ONLY findings it marks VALID or REPAIRED:v = Workflow(name="validate-findings", args={
"output_dir": asset_output_dir, # the coordinator's OUTPUT_DIR
"target": asset_url,
"business_tier": "revenue", # production/external bug-bounty scope; else "unknown"
"votes": 3, # adversarial refuters per finding (bounty = stricter)
"repair": True, # regenerate broken/absent PoCs so each finding has a runnable evidence script
"strict": True, # one failed gate => REJECTED
})
# v.counts -> {total, valid, repaired, rejected}; v.validated[] / v.rejected[]
# Verdicts at {asset_output_dir}/artifacts/validated/{id}.json (+ false-positives/).
# Asset report at {asset_output_dir}/reports/validation-report.md.
validate-findings is the authoritative gate because it directly preempts the most common HackerOne rejections: it verifies each CVE against NVD + a recomputed CVSS base score (from the vector) + CISA KEV + the vendor advisory, runs (and repairs) every PoC until it emits the evidence that proves the issue, recomputes the risk/severity, corroborates every claim against raw evidence, and kills false positives via adversarial refutation.validate-findings verdict is authoritative for submission. A REJECTED finding is a false positive — it never enters a submission, an appendix, or a count; its artifacts/false-positives/{id}.json is the sole record.skills/coordination/reference/validator-role.md).validate-findings recomputed from the vector and the risk bucket it assigned, not a hand-typed number.verification-script.py.evidence/validation/).skills/hackerone/tools/report_validator.py (complements the finding validation).OUTPUT_DIR (skills/coordination/reference/output-discipline.md) plus a per-asset reports/submissions/ containing the platform-ready markdown. validate-findings writes the verdicts under artifacts/validated|false-positives/ and the asset reports/validation-report.md.{OUTPUT_DIR}/
├── findings/
│ └── finding-NNN/evidence/validation/ # validate-findings proof packages
├── reports/
│ ├── submissions/ # built ONLY from artifacts/validated/
│ │ ├── H1_CRITICAL_001.md
│ │ └── H1_HIGH_001.md
│ ├── validation-report.md # validate-findings asset report
│ └── SUBMISSION_GUIDE.md
├── recon/
├── logs/
└── artifacts/
├── validated/ # {id}.json — submit these
└── false-positives/ # {id}.json — never submit these
validate-findings verdict = VALID or REPAIRED (artifacts/validated/{id}.json exists). Never submit a REJECTED finding.evidence/validation/cve-verification.md).poc_output.txt (the validator re-ran/repaired it and confirmed the evidence token).evidence/validation/risk-assessment.md).eligible_for_submission=true.| Rejection | Prevention |
|---|---|
| Out of Scope | Verify eligible_for_submission=true and asset-type match |
| Cannot Reproduce | validate-findings re-runs (and repairs) the PoC 3× and requires a vuln-class evidence token — only reproducible findings pass the gate |
| Duplicate | Search disclosed reports before submission; submit quickly |
| Insufficient Impact | Document realistic attack scenario; validate-findings recomputes risk/severity so the rating is defensible |
| Incorrect severity / CVSS | validate-findings recomputes the base score from the vector and cross-checks NVD + KEV; any mismatch is flagged before you submit |
skills/hackerone/tools/csv_parser.py — parse HackerOne scope CSVs.validate-findings workflow — authoritative per-asset finding validation (NVD/CVSS-math/KEV/exploit-run/repair/risk/adversarial). The submission gate; run once per asset.skills/hackerone/tools/report_validator.py — validate report format completeness (the 6 submission sections). Complements validate-findings (which validates the finding); run it on each report built from a validated finding.skills/coordination/SKILL.md — coordinator scaffold./hackerone <program_url_or_csv_path>