Module SDD-03 — Bug Bounty Reference Stack

Bug Bounty Reference Stack

nmap, amass, httpx, nuclei, ffuf, Playwright, CVE enrichment — the canonical offensive tool registry, studied as schema-first harness wrappers.

60
minutes
8
artifacts
3
sub-sections
The seven canonical bug bounty tools, studied not as standalone CLIs but as harness tools. Each wraps with a JSON schema, a scope-validation hook, an output normalizer, and an untrusted tag. Together they produce the structured evidence chain that makes a finding submittable. This is the capability surface CAI (SDD-01) layers on top of.
Key Claims
Load-Bearing Claims

The bug bounty stack is a tool registry, not a pipeline. As a deterministic pipeline it is inflexible; as a registry under an agent loop (as in CAI), it is the offensive capability surface. The harness engineering job is the schema-first wrapper, not the orchestration script.

Scope validation must check resolved IPs, not just hostnames. An agent can construct a tool call with a hostname that resolves to an out-of-scope IP. A hostname-only check is a legal exposure. The validator's correctness is the control.

Playwright is the signal-vs-noise filter. nuclei and ffuf are stateless scanners that produce false positives. Playwright (stateful, DOM-aware) confirms whether a finding is real. Without it, the agent drowns in low-quality findings.

The evidence chain is the harness's product. A bug bounty program can reject a finding without repro steps. The chain (timestamp, scope tag, tool + params, output, severity) is the repro — what makes output submittable.

After This Module
01
Name the seven canonical bug bounty tools and the job each does in the offensive state machine.
02
Specify the schema-first wrapper for each tool: schema, scope hook, output normalization, untrusted tag.
03
Design the structured evidence chain that connects each tool output to a submittable finding.
04
Score the reference stack on the 12-module rubric (43/60) as a harness, not as individual tools.
05
Identify the three risk surfaces (scope, rate limiting, output normalization) to audit and harden first.
Artifacts