Bug Bounty Harness Engineering

Module S02 · Course 2A

90 min · Persistent Engagement Memory · Tool Suite · Evidence Chain · Triage Pipeline

Prerequisite: S00, S01

S02.1 — Persistent Engagement Memory

Bug bounty engagements span days/weeks. The context window is a session primitive, not a persistence mechanism. It compacts — discovered subdomains disappear.

Solution: a persistent target-state store (ChromaDB) with structured records: domains, subdomains, ports, services, endpoints, hypotheses, attempts, findings.

Vector store selection

StoreWhen
ChromaDBEngagement-scoped (<1M records). In-process. Most bug bounty harnesses.
QdrantProduction multi-target continuous monitoring. Horizontal scale.
LanceDBAnalytical queries over findings (aggregation, trends).

The accumulation problem

After a week of scanning: 50,000 records, half duplicates or stale. The harness spends more time managing memory than finding vulnerabilities.

Solution: structured dedup at write time — every write checks against existing records. Duplicates UPDATE, not INSERT.

Memory poisoning defense

If you write a deceptive target response into memory verbatim, poisoned data persists across sessions.

Defense: only structured summaries (from the Reader Model, S01.3) enter the store. Raw responses never written verbatim.

S02.2 — Bug Bounty Tool Suite

TierToolsPurpose
Reconnmap, amass, subfinder, httpx, nucleiDiscover the attack surface
Web appBurp headless, sqlmap, ffuf, gobusterTest web vulnerabilities
EvidencePlaywright, CVE lookup, CVSS calcCapture and enrich findings
ReportStructured finding generatorClient-ready output

The wrapping pattern

Every offensive tool follows 7 steps:

Model emits tool_use (Pydantic input)
Scope check (belt + suspenders)
Rate limiter (RoE caps)
Execute subprocess
Parse to structured output
Evidence logger (scope_ref stamp)
Structured ToolResult → model context

Three principles: idempotency, rate limiting as stealth control, scope checks in BOTH middleware and tool.

S02.3 — Evidence Chain Engineering

Every finding needs a reproducible, client-presentable trail. The evidence chain is your legal protection and the client's compliance requirement.

Schema: timestamp · trace_id · tool · tool_version · target · action · exact request/response · scope_ref (legal anchor) · CVSS draft · retention class.

Append-only, tamper-evident

Append-only
No overwriting. No individual deletion. Destruction is batch-level per retention policy.
Hash-chained
Each record includes hash of previous. Tamper → chain breaks → detectable.

S02.4 — Triage Pipeline

nuclei produces 200 raw findings. 15 are real. 3 are exploitable. 1 is worth reporting.

The harness's job is to triage, not dump raw output.

Raw → Dedup → Severity → Enrichment → Model-judged triage → Surface/Batch/Discard

Model-judged triage

A secondary LLM evaluates each finding for actual exploitability + scope relevance. Separate from the model that found it.

Prevents confirmation bias — the finder's enthusiasm doesn't bias the severity assessment.

Surface: critical/high, exploitable, in scope → notify now. Batch: medium/low → accumulate for report. Discard: FP/out-of-scope → log, don't surface.

Measuring triage

>90% / >80%

Precision / Recall targets against a labeled dataset (DVWA).

MetricMeaningBelow threshold
Precision <80%Too many FPs surfacedOperator buried in noise
Recall <70%Real vulns missedDangerous gaps

What you take into S03

The bug bounty harness is operational: persistent memory, wrapped tools, evidence chain, triage pipeline.

S03 extends this to full pentest and red team operations: kill chain state management, plan correction, the sandbox inversion problem, report generation.