AI that hunts bugs.
Writes the report.
You collect.
Open-source Claude Code plugin. Recon, twenty vuln classes, CVSS scoring, and a submission-ready report for HackerOne, Bugcrowd, Intigriti, and Immunefi. Runs in your terminal.
Three steps. One command. A report.
No dashboards. No signup. No SaaS bill. You run it inside Claude Code, point it at a target, and walk away.
Clone the repo and run the installer; you are ready. No SaaS signup. No keys to share.
Hand it a target. The tool pulls in-scope assets from HackerOne, Bugcrowd, Intigriti, YWH, and Immunefi.
Recon, scan, validate, write. CVSS scored. H1, Bugcrowd, Intigriti, or Immunefi format.
That is the entire workflow.
First finding in ten minutes.
From a clean Claude Code install to a report sitting in your H1 inbox.
Most of that time is the tool running.
Your hands-on time is under three minutes.
What it actually does.
Eight technical capabilities. No fluff. Every line is a feature that ships today.
- Subdomain enumeration, DNS resolution, live host detection, and URL crawling. Pulls in-scope assets via bbscope.
- IDOR, SSRF, XSS, SQLi, RCE, OAuth, race conditions, GraphQL, SAML/SSO, CI/CD, and ten more vulnerability classes.
- Set the session once with --cookie, --bearer, or env vars; every downstream tool carries it.
- Built-in CVSS calculator. H1 uses CVSS 3.1; every other platform uses CVSS 4.0. The right version is enforced automatically.
- Report templates for H1, Bugcrowd, Intigriti, and Immunefi. Burp Suite style HTML is also supported.
- Hunt memory persists across sessions: every endpoint tested is remembered and fed back into the next run.
- A 7-question gate plus 4 validation gates auto-kill informational findings before submission.
- Burp MCP for live browser traffic; HackerOne MCP for program intel. Missing tools are skipped rather than raised as errors.
Questions, answered.
Is it really free?
The open-source plugin on GitHub is free and will stay free. You only pay for your own Claude Code usage, which is the standard Anthropic API cost. No subscription, no signup, no credit card on this site.
What does it cost to run a hunt?
Depends on target size and scan depth. A typical small-to-medium target hunt sits in the low single-digit dollars of Claude API usage. Bigger enterprise scopes go higher. You control the budget by scoping the target.
Does it work with my existing Burp setup?
Yes. There is a Burp MCP integration. The tool reads your live browser traffic and uses it for auth-aware testing.
Will this get me banned from a program?
The tool respects scope and rate limits. Validation gates kill informational findings before submission. You are still responsible for staying inside program rules. Always read the program scope before running.
Does it submit reports automatically?
No. It writes the report and saves it locally. You review and submit yourself. That is by design.
Can I contribute?
Yes. The repo is MIT-licensed. PRs welcome. Roadmap, open issues, and contributor guide are all on GitHub.
What about the $BUG token?
The open-source tool is free regardless of the token. The token is for the hosted version of the autonomous agent that ships next. See the roadmap below.
Where this is going.
No dates. No quarters. Just direction.
What's next
- Open-source Claude Code plugin
- Manual hunt via hunt <target> command
- Twenty vuln classes, four platform report formats
- Persistent hunt memory across sessions
- Autonomous hunt agent. Set scope, walk away, review the queued report.
- End-to-end recon to validated submission. You approve, you submit.
- Hosted version with team workspaces
- Token-gated premium runs for high-volume hunters
- Webhook delivery into H1 and Bugcrowd workflows
About $BUG
Utility token for the hosted version of BugHunter.Fun. The open-source tool on GitHub is free and always will be. The token gates access to the hosted autonomous agent and team workspaces when those ship.
Skip the grunt work.
Start collecting.
Open source. Free. Runs in your terminal. Submission-ready reports for the four biggest bug bounty platforms.