Bug Bounty Recon (bbrecon) is a Recon-as-a-Service for bug bounty hunters and security researchers. The API aims to provide a continuously up-to-date map of the Internet "safe harbor" attack surface, excluding out-of-scope targets.
It comes with an ergonomic CLI and Python library.
Public bug bounty programs indexed and searchable with filters.
Continuous discovery of targets in scope for all programs.
Monitor programs and get a webhook callback as soon as a new endpoint appears.
Support for private programs. POST your scope, get your results and configure notifications.
Endpoints are tagged based on interesting properties, like tech stack or directory listings.
Time series data dumps are available for researchers with more bespoke needs.
$ bbrecon get programs --type web --since last-month
SLUG        PLATFORM   CREATED     REWARDS    AVG.BOUNTY  TYPES
cybrary     bugcrowd   2020-07-22  fame       $250        android,ios,web
expressvpn  bugcrowd   2020-07-14  cash,fame  £1047       android,ios,web
prestashop  yeswehack  2020-07-23  cash       $400        web
...
$ bbrecon get endpoints --since last-week \
    --program uber \
    --output json
[{
  "uri": "https://skynet-east.uber.com",
  "type": "web",
  "title": "Skynet",
  "server": "Apache/2.4.29 (Ubuntu)",
  "firstSeen": "2020-07-14T18:25:43Z",
  ...
}, ...]
$ bbrecon create alert --program transferwise \
    --webhook https://my.slack.webhook/
Configured webhook for TransferWise: https://my.slack.webhook/
You'll receive alerts when new endpoints appear.
$ http GET "api.bugbountyrecon.com/v0/endpoints?program_slug=uber" \
    X-API-KEY:$API_KEY | jq
[{
  "uri": "https://skynet-east.uber.com",
  "type": "web",
  "title": "Skynet",
  "server": "Apache/2.4.29 (Ubuntu)",
  "firstSeen": "2020-07-14T18:25:43Z",
  ...
}, ...]
$ python3
>>> from bbrecon import bbrecon
>>> bb = bbrecon("API_KEY")
>>> program = bb.program("uber")
>>> for endpoint in program.endpoints():
...     print(f"{endpoint.uri} {endpoint.server}")
https://skynet-east.uber.com Apache/2.4.29 (Ubuntu)
...
While effort is taken to ensure the results returned by bbrecon are reliable and trustworthy, this service and its operators are in no way responsible for what you do with the data provided.
Double-check your scopes and ensure you stay within safe harbors.
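One way to double-check results against your own copy of a program's scope before touching anything. This is an added example, not part of bbrecon or its library: the scope lists, the helper names and every sample host except skynet-east.uber.com are assumptions made up for illustration, and the records use the "uri" field from the JSON shown above.

```python
from urllib.parse import urlsplit

# Constructed sample in the JSON shape shown above; hosts other than the
# page's skynet-east.uber.com are made up for illustration.
SAMPLE_ENDPOINTS = [
    {"uri": "https://skynet-east.uber.com", "type": "web"},
    {"uri": "https://internal.corp.uber.com/login", "type": "web"},
    {"uri": "https://notuber.com", "type": "web"},
    {"uri": "https://uber.com.example.net", "type": "web"},
    {"uri": "https://uber.com@example.net/", "type": "web"},
]

# Hypothetical scope, as a researcher would copy it from a program brief.
IN_SCOPE = ["*.uber.com", "uber.com"]
OUT_OF_SCOPE = ["*.corp.uber.com"]


def host_of(uri):
    """Return the lower-cased hostname, ignoring userinfo, port and path."""
    host = urlsplit(uri).hostname
    return host.lower().rstrip(".") if host else None


def matches(host, pattern):
    """Match an exact host, or '*.domain' against any subdomain of it."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # slice keeps the leading dot
    return host == pattern


def in_scope(uri, allow=IN_SCOPE, deny=OUT_OF_SCOPE):
    """True only if the host matches the allow list and no deny entry."""
    host = host_of(uri)
    if host is None or any(matches(host, p) for p in deny):
        return False
    return any(matches(host, p) for p in allow)


def split_by_scope(endpoints):
    """Partition endpoint records into (in-scope, needs-review) URI lists."""
    ok, review = [], []
    for ep in endpoints:
        (ok if in_scope(ep["uri"]) else review).append(ep["uri"])
    return ok, review


if __name__ == "__main__":
    print(split_by_scope(SAMPLE_ENDPOINTS))
```

Matching is done on the parsed hostname rather than the raw string, so look-alike suffixes and userinfo tricks land in the review list instead of passing as in scope.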
bbrecon is in a gradual Beta release phase; major features are released every few weeks to get feedback and fix kinks. You can sign up and start using it, but be aware that breaking changes may be deployed without notice. While the service and infrastructure are designed to scale, they are not currently configured to serve a large global audience. This will change, but for now YMMV.
Head over to the GitHub repo and follow the instructions to get an API key and install bbrecon.
Please report bugs (pun intended) on the GitHub issues page.
For support or questions about service availability, please use the Gitter chat.