Optimize your bug bounty hunting with automated reconnaissance and AI-powered vulnerability analysis.
Successful bug bounty hunters need efficient reconnaissance workflows to maximize their time on actual vulnerability research. This tutorial shows you how to automate the reconnaissance phase using reNgine Cloud, allowing you to focus on finding and reporting high-impact vulnerabilities.
Most bug bounty programs have multiple in-scope domains. Set up parallel scanning for all targets to maximize coverage and discover cross-domain attack vectors.
```http
POST /api/projects

{
  "name": "HackerOne Program: Acme Corp",
  "targets": [
    "acmecorp.com",
    "api.acmecorp.com",
    "app.acmecorp.com",
    "*.acmecorp.io"
  ],
  "scope": {
    "in_scope": ["*.acmecorp.com", "*.acmecorp.io"],
    "out_of_scope": ["status.acmecorp.com"]
  },
  "scan_config": "aggressive",
  "schedule": "daily"
}
```
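A scope gate applied to discovered hostnames before any scan is queued, using the `in_scope` and `out_of_scope` values from the request above. This is an added example, not reNgine Cloud code; the matching rules (wildcards cover subdomains but not the apex, exclusions take precedence) and the function names are assumptions.

```python
# Added example, not reNgine Cloud code. Assumed matching rules:
# "*.example.com" covers subdomains at any depth but not the apex,
# and out_of_scope always wins over in_scope.
SCOPE = {  # scope object from the project request above
    "in_scope": ["*.acmecorp.com", "*.acmecorp.io"],
    "out_of_scope": ["status.acmecorp.com"],
}

def normalize(host):
    """Lowercase, trim whitespace and a trailing root dot."""
    return host.strip().lower().rstrip(".")

def matches(host, pattern):
    host, pattern = normalize(host), normalize(pattern)
    if pattern.startswith("*."):
        # Require a label boundary so "evilacmecorp.com" cannot match.
        suffix = pattern[1:]
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def in_scope(host, scope=SCOPE):
    if any(matches(host, p) for p in scope["out_of_scope"]):
        return False
    return any(matches(host, p) for p in scope["in_scope"])

def partition(hosts, scope=SCOPE):
    """Split hosts into (allowed, rejected), order kept, duplicates dropped."""
    allowed, rejected, seen = [], [], set()
    for raw in hosts:
        host = normalize(raw)
        if not host or host in seen:
            continue
        seen.add(host)
        (allowed if in_scope(host, scope) else rejected).append(host)
    return allowed, rejected

# Constructed sample of enumeration output.
DISCOVERED = [
    "api.acmecorp.com",
    "Status.AcmeCorp.com.",      # excluded host, mixed case and root dot
    "acmecorp.com",              # apex, not covered by "*.acmecorp.com"
    "evilacmecorp.com",          # look-alike without a label boundary
    "acmecorp.com.example.net",  # in-scope name used as a prefix
    "dev.eu.acmecorp.io",
]

if __name__ == "__main__":
    allowed, rejected = partition(DISCOVERED)
    print("scan:", allowed, "\nskip:", rejected)
```

Under these assumed rules the apex `acmecorp.com`, which appears in `targets`, is rejected unless it is listed in `in_scope` explicitly.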
reNgine Cloud integrates with popular bug bounty tools to create a comprehensive reconnaissance pipeline. Enable the tools that match your hunting methodology.
| Category | Tools | Use Case |
|---|---|---|
| Subdomain Enum | Subfinder, Amass, Assetfinder | Discover all subdomains |
| Port Scanning | Nmap, Masscan, RustScan | Find open services |
| Directory Bruteforce | ffuf, dirsearch, feroxbuster | Discover hidden endpoints |
| Vulnerability Scanning | Nuclei, Dalfox, SQLMap | Identify security issues |
| Screenshot/Tech | EyeWitness, Wappalyzer | Visual recon + tech stack |
AI-powered analysis helps you focus on the most promising findings. Configure LLM integration to automatically analyze potential vulnerabilities and prioritize by exploitability and impact.
```http
POST /api/ai/analyze

{
  "scan_id": "scan_12345",
  "model": "gpt-4",
  "analysis_type": "vulnerability_prioritization",
  "criteria": {
    "impact": "high",
    "exploitability": "easy",
    "bounty_potential": true
  },
  "output_format": "ranked_list"
}
```

Sample AI response:

```json
{
  "high_priority": [
    {
      "finding": "Subdomain takeover on old-staging.acmecorp.com",
      "severity": "high",
      "bounty_estimate": "$500-2000",
      "exploitation_complexity": "low",
      "recommendation": "Verify DNS configuration and test GitHub Pages takeover"
    }
  ]
}
```
Monitor program changes over time to identify new attack surface and previously unavailable targets. Historical tracking helps you be first to report on newly deployed infrastructure.
```http
GET /api/scans/compare?scan1=123&scan2=124
GET /api/analytics/changes?project=acme&period=7days
```
Generate professional reports with screenshots, reproduction steps, and impact analysis. Export in formats accepted by HackerOne, Bugcrowd, and other platforms.
```http
GET /api/reports/export?scan=123&format=markdown&include=screenshots
```

Example Markdown output:

```markdown
## Vulnerability: Subdomain Takeover

**Severity:** High (CVSS 7.5)
**Target:** old-staging.acmecorp.com
**Program:** Acme Corp Bug Bounty

### Description
The subdomain old-staging.acmecorp.com is vulnerable to takeover...

### Proof of Concept
1. Check DNS: `dig old-staging.acmecorp.com`
2. Verify CNAME points to unclaimed resource
3. Claim resource on third-party service
4. Demonstrate control with test page

### Impact
Attacker could host malicious content, phish users, steal cookies...

### Remediation
Remove DNS CNAME record or reclaim the third-party resource.
```