Inspiration
As a professional security researcher, I audit mobile apps and smart contracts for bug bounties. The actual hacking is maybe 30% of the job. The rest is overhead: tracking which target has what finding, remembering if I already submitted something similar on a different platform, and formatting HackerOne reports that a triager will actually read. I've had findings closed as "Duplicate" or "Informational" not because they were wrong, but because I didn't frame them right — or worse, because 50 other researchers submitted the same low-hanging scanner output before me.
There's no tool purpose-built for this workflow. Researchers cobble together Notion pages, spreadsheets, and half-baked scripts. I wanted a single workbench that understands bug bounty specifically — not generic project management.
What it does
Bug Bounty Workbench is a full-stack project management tool built for bug bounty hunters. It covers the full lifecycle:
- Target Dashboard: Add and manage bounty programs across HackerOne, Immunefi, Bugcrowd, and Intigriti. Each target shows finding count, highest severity, and last activity at a glance.
- Finding Tracker: Log vulnerabilities with severity classification (Critical through Informational, color-coded), status workflow (Investigating → Writing → Submitted → Triaged → Bounty Awarded), CVSS scoring, and bounty amount tracking.
- Duplicate Filter Checklist: The core differentiator. Select a vulnerability type (IDOR, business logic, race condition, crypto weakness, etc.) and the app presents 5 targeted questions specific to that type. Example — for IDOR: "Can you access ANOTHER USER'S data, or just your own via a direct ID?" "Did you test with two different accounts?" Each question gets a Pass/Fail/N/A. The system gives a verdict: clean to submit, needs more evidence, or likely duplicate. This encodes years of real H1 triage patterns.
- Report Generator: Fill in finding details through a structured form, see live Markdown preview side-by-side, and export a HackerOne-formatted report. Includes a built-in quality checklist (is this detectable by scanners? did you include PoC evidence? is the impact specific to this business?).
- Stats Dashboard: Severity breakdown, total bounty awarded, submitted vs. resolved ratio.
How we built it
Built entirely through MeDo — zero handwritten code. I structured the build into 7 distinct conversations:
- Phase 0: Auth + dark theme layout + sidebar navigation scaffold
- Phase 1: Target CRUD with card grid, platform badges, finding counts
- Phase 2: Finding tracker with severity badges, status workflow, filters, duplicate detection warnings
- Phase 3: Finding detail view with tabbed navigation (Overview / Duplicate Check / Report)
- Phase 4: Duplicate Filter Checklist — the full per-vulnerability-type checklist logic with pass/fail/verdict system
- Phase 5: Report Generator with Markdown preview, clipboard export, .md download
- Phase 6: Stats dashboard, import/export JSON backup, empty states, confirmation dialogs, toast notifications
- Phase 7: One-click deploy to public URL
Each phase was a single detailed prompt specifying data models, UI behavior, edge cases, and empty states. MeDo generated React + Tailwind frontend, Supabase backend with auth and database, and full API routes. I tested each phase end-to-end before proceeding to the next.
Challenges we ran into
The biggest challenge was prompt precision. When you describe a feature like "duplicate filter checklist" to an AI builder, you can't just say "add a checklist" — you need to specify the exact data structure (one checklist per vulnerability type, five questions each, three answer states, verdict logic with thresholds), the UI behavior (dynamic content swap when vulnerability type changes), and the integration points (checklist results save to finding, show warning icon on findings table).
I solved this by drafting prompts offline first, treating them like technical specs rather than casual descriptions. Each prompt included: data model fields, dropdown options, business rules, edge case behavior, and example output.
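The checklist spec sketched in the feature list above (five questions per vulnerability type, Pass/Fail/N/A, a three-way verdict) and restated in the prompt-precision paragraph is concrete enough to model. The block below is an added example, not code from Bug Bounty Workbench or generated by MeDo. The two IDOR questions quoted on this page are reused verbatim; every other question text, the "duplicate"/"evidence" tag attached to each question, the N/A threshold, and the rule that a duplicate-risk failure outranks missing evidence are assumptions made here to show one way the verdict logic can be expressed:

```typescript
// Added example, not Bug Bounty Workbench's own code: a minimal model of the
// Duplicate Filter Checklist. Question texts other than the two quoted on the
// page, the "kind" tag per question, and the verdict thresholds are assumptions.

type Answer = "pass" | "fail" | "na";
type Verdict = "clean" | "needs_evidence" | "likely_duplicate";

// "duplicate": a Fail means the finding is the kind triage closes as
// Duplicate/Informational (no cross-user impact, known issue, etc.).
// "evidence": a Fail means the PoC does not yet prove the claim.
interface Question {
  text: string;
  kind: "duplicate" | "evidence";
}

// One checklist per vulnerability type, five questions each; answers are
// given in question order. Only the first two IDOR questions come from the
// page, the rest are constructed for this example.
const CHECKLISTS: Record<string, Question[]> = {
  idor: [
    { text: "Can you access ANOTHER USER'S data, or just your own via a direct ID?", kind: "duplicate" },
    { text: "Did you test with two different accounts?", kind: "evidence" },
    { text: "Is the exposed data sensitive (PII, tokens, balances) rather than public profile fields?", kind: "duplicate" },
    { text: "Is the endpoint absent from the program's known-issues and out-of-scope lists?", kind: "duplicate" },
    { text: "Did you capture the request/response pair showing the cross-account read or write?", kind: "evidence" },
  ],
  race_condition: [
    { text: "Did you reproduce it with genuinely concurrent requests, not a sequential replay?", kind: "evidence" },
    { text: "Does the race yield a persistent gain (double spend, extra credit), not a transient state?", kind: "duplicate" },
    { text: "Is the action unprotected by idempotency keys, locks, or server-side rate limits?", kind: "duplicate" },
    { text: "Did you record the parallel-request count and timing that wins the race?", kind: "evidence" },
    { text: "Does the gain survive after the backend settles or reconciles?", kind: "duplicate" },
  ],
};

// Assumed threshold: with three or more of five questions marked N/A the
// checklist has not really been run, so the verdict is never "clean".
const MAX_NA_FOR_CLEAN = 2;

function verdictFor(vulnType: string, answers: Answer[]): Verdict {
  const questions = CHECKLISTS[vulnType];
  if (!questions) throw new Error(`no checklist for vulnerability type: ${vulnType}`);
  if (answers.length !== questions.length) {
    throw new Error(`expected ${questions.length} answers, got ${answers.length}`);
  }
  let duplicateFails = 0;
  let evidenceFails = 0;
  let naCount = 0;
  questions.forEach((q, i) => {
    const a = answers[i];
    if (a === "na") {
      naCount += 1;
    } else if (a === "fail") {
      if (q.kind === "duplicate") duplicateFails += 1;
      else evidenceFails += 1;
    }
  });
  // Assumed precedence: a duplicate-risk failure outranks missing evidence,
  // because more evidence will not rescue a finding triage rejects on impact.
  if (duplicateFails > 0) return "likely_duplicate";
  if (evidenceFails > 0 || naCount > MAX_NA_FOR_CLEAN) return "needs_evidence";
  return "clean";
}

// The verdict is saved onto the finding; the findings table shows a warning
// icon for anything that is not clean.
function showsWarningIcon(verdict: Verdict): boolean {
  return verdict !== "clean";
}
```

Two caveats a practitioner would want stated: the verdict is a self-screen over the researcher's own answers, so it is only as honest as the person filling it in, and a "clean" result says nothing about program scope or already-disclosed reports, which is exactly the gap the planned Hacktivity cross-reference is meant to close.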
A smaller challenge: making sure the AI didn't over-engineer. Early on MeDo sometimes added features I hadn't asked for (like team collaboration). I learned to end prompts with explicit "out of scope" boundaries.
Accomplishments that we're proud of
The Duplicate Filter Checklist is the single feature I'm most proud of. It's not just CRUD — it's domain logic. I gave MeDo per-vulnerability-type checklists with actual triage criteria, and it built an interactive decision system that genuinely helps researchers avoid wasting time on low-value submissions. A researcher who's never submitted to H1 before could use this to self-screen their findings and dramatically improve acceptance rates.
I'm also proud of how complete the app is. It has proper auth, data isolation, empty states for every page, confirmation dialogs, toast notifications, JSON import/export, and error handling. This isn't a demo — it's something I'll actually use in my own workflow.
Finally: building all of this without writing a single line of code, in a single afternoon, via 7 structured conversations. That's the promise of AI-assisted development, delivered.
What we learned
- Prompt crafting is a skill. The quality of the output is directly proportional to the specificity of the input. "Add a report generator" gets a textarea with an export button. "Add a split-pane report generator with live Markdown preview, H1 format template, quality checklist, copy-to-clipboard, and .md download" gets a polished feature.
- Phased building beats one-shot prompts. Building in 7 small, verified increments was far more effective than trying to describe the entire app in one giant prompt. Each phase builds on a working foundation.
- AI builders need constraints. Explicitly stating what's OUT of scope is as important as stating what's IN scope. Without guardrails, the AI sometimes adds features speculatively.
- Security expertise translates to product thinking. My day-to-day experience with bug bounty triage patterns meant I could specify the Duplicate Filter with real authority — domain expertise is the moat, AI is the execution engine.
What's next for Bug Bounty Workbench
- Platform API integrations: Auto-sync finding status from HackerOne/Immunefi APIs so submitted findings update automatically when triaged or awarded.
- Hacktivity cross-reference: Before you write a report, the app checks H1 hacktivity for similar disclosed reports on the same target, giving you an instant "has this already been found?" signal.
- Team / collaboration mode: Share targets and findings with other researchers on your team, with role-based access.
- Custom checklist builder: Let users create and share their own Duplicate Filter checklists for niche vulnerability types.
- Analytics dashboard: Track your own stats over time — acceptance rate, average time-to-triage, highest-paying vulnerability types.
- Open-source the checklist data: The per-vulnerability-type checklist content could be a community-maintained knowledge base, like a "triage pattern library" that researchers collectively improve.
Quick Copy-Paste Summary
| Field | Answer |
|---|---|
| Project Name | Bug Bounty Workbench |
| Category | Work & Productivity |
| Elevator Pitch | A smart workbench for bug bounty hunters — track targets, filter out duplicate findings before you waste time writing, and generate HackerOne-ready reports in one click. |
| Project URL | https://app-bnkvlujsl79d.appmedo.com |
Built With
- react
- shadcn
- sonner
- supabase
- tailwind
- typescript