Automated reconnaissance and vulnerability scanning framework for bug bounty programs. The pipeline runs daily to discover new assets, monitor for infrastructure changes, and scan for newly published CVE templates — maximizing coverage while minimizing manual effort.
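#!/bin/bash
# recon.sh - automated bug bounty recon pipeline
#
# Usage: recon.sh <domain>
#
# Stages: passive subdomain enumeration (subfinder, amass, assetfinder),
# live-host probing of the merged list (httprobe), screenshots (gowitness),
# Nuclei CVE/exposure templates against the live hosts, and JS URL
# collection from getallurls. Everything is written under
# ./results/<domain>/<YYYYMMDD>/; a second run on the same day overwrites
# that day's files.
#
# -e is deliberately not set: every stage is best-effort and one failing
# tool should not abort the remaining stages. -u catches typos in variable
# names, pipefail keeps a failing pipeline stage visible in $?.
set -uo pipefail

# Print a message to stderr and exit non-zero.
die() { printf 'recon: %s\n' "$*" >&2; exit 1; }

# Print a "[*] ..." status line to stdout.
log() { printf '[*] %s\n' "$*"; }

DOMAIN=${1:-}
# The argument names the results directory and is handed to every tool, so
# an empty, path-like ("../x") or metacharacter-laden value must be rejected
# instead of being expanded unquoted as before.
[[ -n "$DOMAIN" ]] || die "usage: ${0##*/} <domain>"
[[ "$DOMAIN" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]] \
  || die "invalid domain: $DOMAIN"

# Fail early when a stage's tool is missing rather than silently producing
# empty output files for that stage.
for tool in subfinder amass assetfinder httprobe gowitness nuclei getallurls; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done

OUTDIR="./results/$DOMAIN/$(date +%Y%m%d)"
mkdir -p -- "$OUTDIR" || die "cannot create $OUTDIR"

# Step 1: Subdomain enumeration
log "Enumerating subdomains..."
subfinder -d "$DOMAIN" -o "$OUTDIR/subfinder.txt" -silent
amass enum -passive -d "$DOMAIN" -o "$OUTDIR/amass.txt"
assetfinder --subs-only "$DOMAIN" > "$OUTDIR/assetfinder.txt"
# Merge only the three enumerator outputs. The previous `cat $OUTDIR/*.txt`
# also swept up live.txt, nuclei-results.txt and js-files.txt left by an
# earlier run the same day, feeding scan output back in as "subdomains".
# stderr is dropped so an enumerator that wrote no file does not abort the
# merge of the others.
cat -- "$OUTDIR/subfinder.txt" "$OUTDIR/amass.txt" "$OUTDIR/assetfinder.txt" 2>/dev/null \
  | sort -u > "$OUTDIR/all-subs.txt"

# Step 2: Resolve and check live
log "Probing live hosts..."
httprobe -prefer-https < "$OUTDIR/all-subs.txt" > "$OUTDIR/live.txt"
live_count=$(wc -l < "$OUTDIR/live.txt")
printf 'Live hosts: %s\n' "$live_count"

if (( live_count > 0 )); then
  # Step 3: Screenshot all live hosts
  gowitness file -f "$OUTDIR/live.txt" -P "$OUTDIR/screenshots/" --delay 3

  # Step 4: Vulnerability scanning with Nuclei
  log "Running Nuclei scan..."
  nuclei -l "$OUTDIR/live.txt" \
    -t ~/nuclei-templates/cves/ -t ~/nuclei-templates/exposures/ \
    -severity medium,high,critical \
    -o "$OUTDIR/nuclei-results.txt" -silent
else
  # Nothing to screenshot or scan; the JS collection below is passive and
  # does not depend on live hosts, so it still runs.
  printf 'recon: no live hosts for %s, skipping screenshots and Nuclei\n' "$DOMAIN" >&2
fi

# Step 5: JS endpoint extraction
log "Extracting JS endpoints..."
# getallurls stderr is discarded on purpose (it is noisy when a source is
# unavailable). grep exits 1 when nothing matches, which is not a failure of
# this stage, so it is neutralised before pipefail can report it.
# NOTE(review): the pattern keeps only URLs that end in .js; a script URL
# carrying a query string (…/app.js?v=2) is not matched - widen if needed.
{ getallurls "$DOMAIN" 2>/dev/null | grep '\.js$' || true; } \
  | sort -u > "$OUTDIR/js-files.txt"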
echo "[+] Recon complete. Results in $OUTDIR"

All research is conducted only on programs with explicit written authorization. All findings are disclosed exclusively through official bug bounty channels (HackerOne, Bugcrowd) following responsible disclosure timelines. No exploitation beyond proof-of-concept demonstration.