security-bounty-hunter
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseSecurity Bounty Hunter
安全赏金猎人
Use this when the goal is practical vulnerability discovery for responsible disclosure or bounty submission, not a broad best-practices review.
当目标是为负责任披露或提交赏金申请进行实用漏洞挖掘,而非广泛的最佳实践审查时使用本指南。
When to Use
适用场景
- Scanning a repository for exploitable vulnerabilities
- Preparing a Huntr, HackerOne, or similar bounty submission
- Triage where the question is "does this actually pay?" rather than "is this theoretically unsafe?"
- 扫描代码仓库查找可利用漏洞
- 准备Huntr、HackerOne或类似平台的赏金提交材料
- 判定「这个漏洞真的能获得赏金吗?」而非「这个漏洞理论上是否不安全?」的分类场景
How It Works
工作原理
Bias toward remotely reachable, user-controlled attack paths and throw away patterns that platforms routinely reject as informative or out of scope.
优先关注可远程访问、受用户控制的攻击路径,排除那些平台通常会标记为提示性信息或超出范围的无效规则。
In-Scope Patterns
有效范围规则
These are the kinds of issues that consistently matter:
| Pattern | CWE | Typical impact |
|---|---|---|
| SSRF through user-controlled URLs | CWE-918 | internal network access, cloud metadata theft |
| Auth bypass in middleware or API guards | CWE-287 | unauthorized account or data access |
| Remote deserialization or upload-to-RCE paths | CWE-502 | code execution |
| SQL injection in reachable endpoints | CWE-89 | data exfiltration, auth bypass, data destruction |
| Command injection in request handlers | CWE-78 | code execution |
| Path traversal in file-serving paths | CWE-22 | arbitrary file read or write |
| Auto-triggered XSS | CWE-79 | session theft, admin compromise |
这些是始终具备价值的问题类型:
| 规则 | CWE | 典型影响 |
|---|---|---|
| 通过用户控制的URL触发的SSRF | CWE-918 | 内部网络访问、云元数据窃取 |
| 中间件或API防护中的身份认证绕过 | CWE-287 | 未授权访问账号或数据 |
| 远程反序列化或上传到RCE的路径 | CWE-502 | 代码执行 |
| 可访问端点中的SQL注入 | CWE-89 | 数据泄露、身份认证绕过、数据销毁 |
| 请求处理程序中的命令注入 | CWE-78 | 代码执行 |
| 文件服务路径中的路径遍历 | CWE-22 | 任意文件读/写 |
| 自动触发的XSS | CWE-79 | 会话窃取、管理员账号攻陷 |
Skip These
应忽略的情况
These are usually low-signal or out of bounty scope unless the program says otherwise:
- Local-only ,
pickle.loads, or equivalent with no remote pathtorch.load - or
eval()in CLI-only toolingexec() - on fully hardcoded commands
shell=True - Missing security headers by themselves
- Generic rate-limiting complaints without exploit impact
- Self-XSS requiring the victim to paste code manually
- CI/CD injection that is not part of the target program scope
- Demo, example, or test-only code
这些问题通常属于低价值信号或超出赏金范围,除非项目规则明确说明包含:
- 仅本地存在的、
pickle.loads或同等无远程访问路径的调用torch.load - 仅CLI工具中的或
eval()调用exec() - 完全硬编码命令中的配置
shell=True - 单纯缺少安全头的问题
- 无实际利用影响的泛泛的速率限制缺陷
- 需要受害者手动粘贴代码的Self-XSS
- 不属于目标项目范围的CI/CD注入
- 演示、示例或仅测试用途的代码
Workflow
工作流程
- Check scope first: program rules, SECURITY.md, disclosure channel, and exclusions.
- Find real entrypoints: HTTP handlers, uploads, background jobs, webhooks, parsers, and integration endpoints.
- Run static tooling where it helps, but treat it as triage input only.
- Read the real code path end to end.
- Prove user control reaches a meaningful sink.
- Confirm exploitability and impact with the smallest safe PoC possible.
- Check for duplicates before drafting a report.
- 首先确认范围:项目规则、SECURITY.md、披露渠道和排除项
- 查找真实入口点:HTTP处理程序、上传功能、后台任务、webhook、解析器和集成端点
- 在有帮助的情况下运行静态分析工具,但仅将其结果作为分类参考
- 从头到尾通读实际代码路径
- 证明用户控制的输入能到达有效风险点(sink)
- 用尽可能最小的安全PoC确认可利用性和影响
- 起草报告前检查是否有重复提交
Example Triage Loop
示例分类流程
bash
semgrep --config=auto --severity=ERROR --severity=WARNING --jsonThen manually filter:
- drop tests, demos, fixtures, vendored code
- drop local-only or non-reachable paths
- keep only findings with a clear network or user-controlled route
bash
semgrep --config=auto --severity=ERROR --severity=WARNING --json然后手动过滤:
- 排除测试代码、演示代码、测试数据、第三方依赖代码
- 排除仅本地或不可访问的路径
- 仅保留存在明确网络访问或用户控制路径的结果
Report Structure
报告结构
markdown
undefinedmarkdown
undefinedDescription
描述
[What the vulnerability is and why it matters]
[漏洞内容及危害说明]
Vulnerable Code
存在漏洞的代码
[File path, line range, and a small snippet]
[文件路径、行范围和小段代码片段]
Proof of Concept
概念验证(PoC)
[Minimal working request or script]
[最小可运行请求或脚本]
Impact
影响
[What the attacker can achieve]
[攻击者可实现的危害]
Affected Version
受影响版本
[Version, commit, or deployment target tested]
undefined[测试的版本、提交哈希或部署目标]
undefinedQuality Gate
质量准入标准
Before submitting:
- The code path is reachable from a real user or network boundary
- The input is genuinely user-controlled
- The sink is meaningful and exploitable
- The PoC works
- The issue is not already covered by an advisory, CVE, or open ticket
- The target is actually in scope for the bounty program
提交前确认:
- 代码路径可被真实用户或从网络边界访问
- 输入确实受用户控制
- 风险点(sink)有实际危害且可被利用
- PoC可运行
- 该问题未被现有安全公告、CVE或公开工单覆盖
- 目标确实属于赏金计划的有效范围