README.

Bug Bounty Recon (bbrecon) is a Recon-as-a-Service for bug bounty hunters and security researchers. The API aims to provide a continuously up-to-date map of the Internet "safe harbor" attack surface, excluding out-of-scope targets.

It comes with an ergonomic CLI and Python library.

FEATURES (WIP).

Programs

Public bug bounty programs indexed and searchable with filters.

Endpoints

Continuous discovery of targets in scope for all programs.

Notifications

Monitor programs and get a webhook callback as soon as a new endpoint appears.

Private Programs

Support for private programs. POST your scope, get your results and configure notifications.

Highlights

Endpoints are tagged based on interesting properties, like tech stack or directory listings.

Dumps

Time series data dumps are available for researchers with more bespoke needs.

HACKER-FRIENDLY.

$ bbrecon get programs --type web --since last-month
SLUG        PLATFORM    CREATED     REWARDS     AVG.BOUNTY  TYPES
cybrary     bugcrowd    2020-07-22  fame        $250        android,ios,web
expressvpn  bugcrowd    2020-07-14  cash,fame   £1047       android,ios,web
prestashop  yeswehack   2020-07-23  cash        $400        web
...

$ bbrecon get endpoints --since last-week \
                        --program uber \
                        --output json
[{
  "uri": "https://skynet-east.uber.com",
  "type": "web",
  "title": "Skynet",
  "server": "Apache/2.4.29 (Ubuntu)",
  "firstSeen": "2020-07-14T18:25:43Z",
...
}, ...]

$ bbrecon create alert --program transferwise \
                       --webhook https://my.slack.webhook/
Configured webhook for TransferWise: https://my.slack.webhook/
You'll receive alerts when new endpoints appear.

$ http GET \
  "api.bugbountyrecon.com/v0/endpoints?program_slug=uber" \
  X-API-KEY:$API_KEY | jq
[{
  "uri": "https://skynet-east.uber.com",
  "type": "web",
  "title": "Skynet",
  "server": "Apache/2.4.29 (Ubuntu)",
  "firstSeen": "2020-07-14T18:25:43Z",
...
}, ...]

$ python3
>>> from bbrecon import bbrecon
>>> bb = bbrecon("API_KEY")
>>> program = bb.program("uber")
>>> for endpoint in program.endpoints():
...     print(f"{endpoint.uri} {endpoint.server}")
https://skynet-east.uber.com Apache/2.4.29 (Ubuntu)
...

IMPORTANT NOTICE.

While effort is taken to ensure the results returned by bbrecon are reliable and trustworthy, this service and its operators are in no way responsible for what you do with the data provided.

Double-check your scopes and ensure you stay within safe harbors.
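
Added example, not part of bbrecon or its library: one way to double-check scope is to re-test every returned `uri` against a scope list you copied yourself from the program's policy, and act only on the ones that pass. The hostnames, the `IN_SCOPE`/`OUT_OF_SCOPE` lists and all function names are constructed for illustration; only the `uri` and `type` fields come from the output shown earlier.

```python
from urllib.parse import urlsplit

# Constructed records in the shape of the endpoint output shown above.
SAMPLE = [
    {"uri": "https://skynet-east.example.com", "type": "web"},
    {"uri": "https://skynet-east.example.com.example.net", "type": "web"},
    {"uri": "https://notexample.com", "type": "web"},
    {"uri": "https://payments.example.com:8443/login", "type": "web"},
    {"uri": "https://example.com@example.net/", "type": "web"},
    {"uri": "skynet-east.example.com", "type": "web"},
]
# Hypothetical scope, copied by hand from a program's policy page.
IN_SCOPE = ["*.example.com"]
OUT_OF_SCOPE = ["payments.example.com"]

def host_matches(host, pattern):
    """Exact match, or '*.' wildcard matched on a label boundary (apex excluded)."""
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] keeps the leading dot
    return host == pattern

def classify(uri, in_scope, out_of_scope):
    """Return 'in-scope', 'out-of-scope', 'unlisted' or 'unverified' for one URI."""
    try:
        host = urlsplit(uri).hostname  # lowercased, without port or userinfo
    except ValueError:
        host = None
    if not host:
        return "unverified"  # no parsable host: do not guess
    host = host.rstrip(".")
    if any(host_matches(host, p) for p in out_of_scope):
        return "out-of-scope"  # exclusions win over wildcards
    if any(host_matches(host, p) for p in in_scope):
        return "in-scope"
    return "unlisted"

def triage(records, in_scope=IN_SCOPE, out_of_scope=OUT_OF_SCOPE):
    """Group record URIs by verdict so only 'in-scope' ones are acted on."""
    groups = {}
    for rec in records:
        verdict = classify(rec.get("uri", ""), in_scope, out_of_scope)
        groups.setdefault(verdict, []).append(rec.get("uri"))
    return groups

if __name__ == "__main__":
    for verdict, uris in triage(SAMPLE).items():
        print(verdict, uris)
```

Anything that lands in `unlisted` or `unverified` is left alone until the policy has been read again.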

STATUS.

bbrecon is in a gradual Beta release phase; major features are released every few weeks to get feedback and fix kinks. You can sign up and start using it, but be aware that breaking changes may be deployed without notice. While the service and infrastructure are designed to scale, they are not currently configured to serve a large global audience. This will change, but for now YMMV.

ROADMAP.

GET STARTED.

Head over to the GitHub repo and follow the instructions to get an API key and install bbrecon.

HELP.

Please report bugs (pun intended) on the GitHub issues page.

For support or questions about service availability, please use the Gitter chat.