A Debian-based operating environment for authorized bug bounty and security research.
Bug bounty work should be scoped, auditable, evidence-first, and report-ready by default.
BugBountyOS treats the operating system as a workflow plane for the full research lifecycle:
Scope → Asset Graph → Input Map → Hypotheses → Validated Findings → Report Artifacts
This is not a generic pentesting distro. It is a structured operator environment designed to enforce research discipline at the OS level.
BugBountyOS is designed around a simple idea: tools don’t create outcomes — workflows do.
The OS should help you:
- prove authorization and scope at every step
- generate evidence as you work (not later)
- keep findings traceable and reproducible
- ship report-ready artifacts with minimal friction
Scope is not a note you remember — it’s an enforced constraint.
- Make scope explicit before recon begins
- Treat “out of scope” as a hard failure mode
- Record the scope source (program page, contract, email, ticket, etc.)
If it’s not captured, it didn’t happen.
- Prefer tooling and defaults that write to an evidence store automatically
- Preserve raw outputs (plus normalized summaries)
- Keep timestamps and provenance
More tools rarely means better results.
- Standardize the lifecycle and plug tools into it
- Keep a minimal set of opinionated defaults
- Prefer composable primitives over one-off “magic” wrappers
Operators make mistakes. Systems should reduce blast radius.
- Containment (namespaces, sandboxing, least privilege)
- Defaults that discourage risky actions
- Clear separation of “recon” vs “exploit-like” tooling
The goal is not “found something interesting.” The goal is “shipped a defensible report.”
- Findings map to evidence bundles
- Reproduction steps are standardized
- Outputs are exportable into common report formats
The canonical workflow is:
- Scope → verify authorization + define targets
- Asset Graph → enumerate hosts, apps, identities, dependencies
- Input Map → endpoints, parameters, auth flows, attack surface
- Hypotheses → “what could be true here?”
- Validated Findings → reproduce + confirm impact + capture evidence
- Report Artifacts → write-up + severity + remediation + attachments
- Scope Manifest: a machine-readable scope definition that travels with a workspace
- Workspace Layout: predictable folders for targets, logs, evidence, and reports
- Execution Model: commands run through wrappers that preserve outputs and metadata
- Evidence Store: raw + normalized artifacts with consistent naming
- Report Pipeline: convert evidence + findings into report-ready deliverables
```
workspaces/
  <program-or-client>/
    scope/
      scope.yaml
      notes.md
    assets/
      asset-graph.json
      inventory.csv
    inputs/
      urls.txt
      params.txt
      auth.md
    hypotheses/
      backlog.md
    findings/
      <finding-id>-<short-name>/
        evidence/
        reproduction.md
        impact.md
        remediation.md
    reports/
      report.md
      attachments/
    logs/
      commands.log
      tool-output/
```
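The Execution Model and the `logs/` layout above describe a capture-first wrapper: every command leaves its raw output in `logs/tool-output/` and a provenance line in `logs/commands.log`. The following is an added example of that idea in Python; it is not the project's `bbos` wrapper (which is still on the roadmap). It runs the command as an argv list without a shell, names output files by UTC timestamp, records exit code, duration and SHA-256 of each stream as one JSON line per run, and includes a verifier that re-hashes every artifact the log refers to, so a later edit to a tool output is detectable. The `demo()` workspace, the probe command and the `label` parameter are constructed for illustration.

```python
"""Capture-first command wrapper (added example, not the bbos tool itself)."""
import datetime as dt
import hashlib
import json
import pathlib
import subprocess
import sys
import tempfile
import time


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def run_captured(workspace, argv, label=None):
    """Run argv inside the workspace; keep raw stdout/stderr and append provenance.

    Returns the record that was appended to logs/commands.log.
    """
    ws = pathlib.Path(workspace)
    out_dir = ws / "logs" / "tool-output"
    out_dir.mkdir(parents=True, exist_ok=True)
    started = dt.datetime.now(dt.timezone.utc)
    stamp = started.strftime("%Y%m%dT%H%M%S.%fZ")   # microseconds avoid collisions
    label = label or pathlib.Path(argv[0]).name
    stdout_path = out_dir / f"{stamp}-{label}.stdout"
    stderr_path = out_dir / f"{stamp}-{label}.stderr"
    t0 = time.monotonic()
    with open(stdout_path, "wb") as so, open(stderr_path, "wb") as se:
        # argv is a list and shell=False: no quoting surprises, exact command recorded.
        # cwd=workspace so relative paths such as inputs/urls.txt resolve inside it.
        proc = subprocess.run(argv, cwd=ws, stdout=so, stderr=se, check=False)
    record = {
        "started_utc": started.isoformat(),
        "duration_s": round(time.monotonic() - t0, 3),
        "argv": argv,
        "cwd": str(ws.resolve()),
        "exit_code": proc.returncode,
        "stdout": {"path": stdout_path.relative_to(ws).as_posix(),
                   "sha256": _sha256_file(stdout_path)},
        "stderr": {"path": stderr_path.relative_to(ws).as_posix(),
                   "sha256": _sha256_file(stderr_path)},
    }
    with open(ws / "logs" / "commands.log", "a", encoding="utf-8") as log:
        log.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def verify_log(workspace):
    """Re-hash every artifact named in commands.log; return (started_utc, path) for mismatches."""
    ws = pathlib.Path(workspace)
    bad = []
    with open(ws / "logs" / "commands.log", encoding="utf-8") as log:
        for line in log:
            rec = json.loads(line)
            for stream in ("stdout", "stderr"):
                p = ws / rec[stream]["path"]
                if not p.exists() or _sha256_file(p) != rec[stream]["sha256"]:
                    bad.append((rec["started_utc"], rec[stream]["path"]))
    return bad


def demo():
    """Constructed walk-through: run a harmless probe, then tamper with its output."""
    ws = tempfile.mkdtemp(prefix="bbos-demo-")        # throwaway workspace
    probe = [sys.executable, "-c",
             "import sys; sys.stdout.buffer.write(b'hello\\n'); "
             "sys.stderr.buffer.write(b'err\\n'); sys.exit(3)"]
    rec = run_captured(ws, probe, label="probe")
    clean = verify_log(ws)
    (pathlib.Path(ws) / rec["stdout"]["path"]).write_bytes(b"edited\n")
    return rec, clean, verify_log(ws)


if __name__ == "__main__":
    rec, clean, tampered = demo()
    print(json.dumps(rec, indent=2))
    print("clean:", clean, "after tamper:", tampered)
```

The JSON-lines log is append-only by construction, and the hashes in it are what later ties a file under `findings/<id>/evidence/` back to the exact command and time that produced it.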
```yaml
program:
  name: Example Bug Bounty Program
  source: https://example.com/program-scope
authorization:
  type: bug_bounty
  reference: "Program scope page URL or ticket ID"
in_scope:
  domains:
    - example.com
    - api.example.com
  ip_ranges:
    - 203.0.113.0/24
out_of_scope:
  domains:
    - admin.example.com
  notes:
    - "No testing against production employee systems"
    - "No social engineering"
rules:
  rate_limit:
    requests_per_second: 5
  prohibited_actions:
    - "Denial of service"
    - "Physical attacks"
```

```bash
bbos run --workspace=acme --command "nuclei -l inputs/urls.txt -o logs/tool-output/nuclei.txt"
bbos tree --workspace=acme > logs/workspace-tree.txt
bbos scope validate --workspace=acme
```

| Category | Kali Linux | BugBountyOS |
|---|---|---|
| Primary goal | Broad pentesting / training distro | Bug bounty / security research workflow plane |
| Defaults | Tool availability | Evidence + auditability + report readiness |
| Structure | User-defined | Opinionated workspace + lifecycle |
| Scope enforcement | Manual / process | Manifest-driven + workflow gates (planned) |
| Output handling | Depends on operator | Capture-first wrappers + standardized artifacts |
| Reporting | External / manual | Built-in artifact pipeline (planned) |
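What "manifest-driven scope enforcement" looks like in code, as an added example (not the project's own `bbos scope validate`): a deny-by-default gate over a manifest with exactly the shape of the `scope.yaml` above. `MANIFEST` is a constructed dict with the same content as that YAML (in a real workspace it would come from `yaml.safe_load`); the hostnames and addresses in the `__main__` section are made up for illustration. The two points worth checking in any such gate are that an `out_of_scope` entry beats an `in_scope` entry even when both match (`admin.example.com` is a subdomain of the in-scope `example.com`, and so is anything beneath it), and that nothing runs without a recorded authorization reference. `RateGate` turns `rules.rate_limit.requests_per_second` into a token bucket so the limit is enforced rather than remembered.

```python
"""Scope gate over a scope.yaml-shaped manifest (added example, not bbos code)."""
import ipaddress
import time

MANIFEST = {  # constructed sample; same content as the scope.yaml example above
    "program": {"name": "Example Bug Bounty Program",
                "source": "https://example.com/program-scope"},
    "authorization": {"type": "bug_bounty",
                      "reference": "Program scope page URL or ticket ID"},
    "in_scope": {"domains": ["example.com", "api.example.com"],
                 "ip_ranges": ["203.0.113.0/24"]},
    "out_of_scope": {"domains": ["admin.example.com"],
                     "notes": ["No testing against production employee systems",
                               "No social engineering"]},
    "rules": {"rate_limit": {"requests_per_second": 5},
              "prohibited_actions": ["Denial of service", "Physical attacks"]},
}


def _domain_matches(host, pattern):
    """A listed domain covers itself and every subdomain of it."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    return host == pattern or host.endswith("." + pattern)


def _ip_matches(target, cidrs):
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:          # not an IP literal, so no CIDR can match it
        return False
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def check_target(manifest, target):
    """Return (allowed, reason). Exclusions are checked before inclusions."""
    if not manifest.get("authorization", {}).get("reference"):
        return False, "no authorization reference recorded in the manifest"
    out = manifest.get("out_of_scope", {})
    if any(_domain_matches(target, d) for d in out.get("domains", [])):
        return False, f"{target} matches an out_of_scope domain"
    if _ip_matches(target, out.get("ip_ranges", [])):
        return False, f"{target} is inside an out_of_scope range"
    ins = manifest.get("in_scope", {})
    for d in ins.get("domains", []):
        if _domain_matches(target, d):
            return True, f"{target} is covered by in_scope domain {d}"
    if _ip_matches(target, ins.get("ip_ranges", [])):
        return True, f"{target} is inside an in_scope range"
    return False, f"{target} is not listed anywhere in scope (deny by default)"


def filter_targets(manifest, targets):
    """Split candidate hosts (e.g. read from inputs/urls.txt) into allowed and refused."""
    allowed, refused = [], []
    for t in targets:
        ok, why = check_target(manifest, t)
        (allowed if ok else refused).append((t, why))
    return allowed, refused


class RateGate:
    """Token bucket enforcing rules.rate_limit.requests_per_second."""

    def __init__(self, rps, clock=time.monotonic):
        self.rps, self.clock = rps, clock
        self.tokens, self.last = float(rps), clock()

    def acquire(self):
        """True if a request may go out now, False if it would exceed the limit."""
        now = self.clock()
        self.tokens = min(self.rps, self.tokens + (now - self.last) * self.rps)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


if __name__ == "__main__":
    candidates = ["api.example.com", "admin.example.com", "dev.admin.example.com",
                  "203.0.113.7", "198.51.100.9", "notexample.com"]   # constructed
    allowed, refused = filter_targets(MANIFEST, candidates)
    for _, why in allowed:
        print("ALLOW ", why)
    for _, why in refused:
        print("REFUSE", why)
    gate = RateGate(MANIFEST["rules"]["rate_limit"]["requests_per_second"])
    print("burst permitted:", sum(gate.acquire() for _ in range(10)))
```

Wiring this in front of a wrapper means the refused list is a hard stop rather than a warning: a recon command whose input file contains an excluded host does not start, and the refusal reason can be written to the same log as successful runs.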
- ISO build pipeline
- Base packages + operator ergonomics
- Standard workspace structure
- Scope manifest validation and gating
- Command wrapper that captures output, timestamp, and metadata
- Evidence bundle generation per finding
- Findings → report template export
- Attachment packaging and integrity checks
- Optional integrations (Notion, GitHub Issues, etc.)
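The "evidence bundle generation" and "attachment packaging and integrity checks" items above are not yet implemented in the project; the following is an added example of the shape they could take, not BugBountyOS code. It writes a `MANIFEST.sha256` (in `sha256sum` format, so a triager can also check it with `sha256sum -c`) into a `findings/<finding-id>-<short-name>/` directory, packages the directory as a tar.gz, and verifies either the on-disk directory or the bundle without extracting it, reporting files that changed, went missing, or were added after the manifest was written. The finding directory, its file contents and the `demo()` flow are constructed for illustration.

```python
"""Evidence bundle manifest, packaging and verification (added example, not bbos code)."""
import hashlib
import pathlib
import tarfile
import tempfile

MANIFEST_NAME = "MANIFEST.sha256"


def _sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def hash_tree(root):
    """Map posix-relative path -> sha256 for every regular file under root (manifest excluded)."""
    root = pathlib.Path(root)
    return {p.relative_to(root).as_posix(): _sha256_bytes(p.read_bytes())
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.name != MANIFEST_NAME}


def write_manifest(finding_dir):
    """Write MANIFEST.sha256 as 'hash  path' lines (sha256sum format); return the map."""
    hashes = hash_tree(finding_dir)
    lines = [f"{h}  {p}" for p, h in sorted(hashes.items())]
    (pathlib.Path(finding_dir) / MANIFEST_NAME).write_text("\n".join(lines) + "\n")
    return hashes


def parse_manifest(text):
    hashes = {}
    for line in text.splitlines():
        if line.strip():
            h, p = line.split("  ", 1)
            hashes[p] = h
    return hashes


def compare(expected, actual):
    """Sorted list of ('changed' | 'missing' | 'unlisted', path)."""
    problems = []
    for p, h in expected.items():
        if p not in actual:
            problems.append(("missing", p))
        elif actual[p] != h:
            problems.append(("changed", p))
    problems += [("unlisted", p) for p in actual if p not in expected]
    return sorted(problems)


def verify_dir(finding_dir):
    """Check the finding directory on disk against its own manifest."""
    text = (pathlib.Path(finding_dir) / MANIFEST_NAME).read_text()
    return compare(parse_manifest(text), hash_tree(finding_dir))


def package(finding_dir, out_path):
    """Refresh the manifest, then tar.gz the whole finding directory (manifest included)."""
    write_manifest(finding_dir)
    root = pathlib.Path(finding_dir)
    with tarfile.open(out_path, "w:gz") as tar:
        tar.add(root, arcname=root.name)
    return out_path


def verify_bundle(bundle_path):
    """Check a packaged bundle in memory, without extracting anything to disk."""
    expected, actual = None, {}
    with tarfile.open(bundle_path, "r:gz") as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            rel = m.name.split("/", 1)[1]          # drop the top-level finding dir
            data = tar.extractfile(m).read()
            if rel == MANIFEST_NAME:
                expected = parse_manifest(data.decode())
            else:
                actual[rel] = _sha256_bytes(data)
    if expected is None:
        return [("missing", MANIFEST_NAME)]
    return compare(expected, actual)


def demo():
    """Constructed finding: package it, verify, then alter evidence after packaging."""
    base = pathlib.Path(tempfile.mkdtemp(prefix="bbos-bundle-"))
    finding = base / "F-001-example"            # placeholder <finding-id>-<short-name>
    (finding / "evidence").mkdir(parents=True)
    (finding / "reproduction.md").write_text("1. Replay evidence/request.txt\n")
    (finding / "evidence" / "request.txt").write_text("GET /health HTTP/1.1\nHost: api.example.com\n")
    bundle = package(finding, base / "F-001-example.tar.gz")
    clean_dir, clean_bundle = verify_dir(finding), verify_bundle(bundle)
    (finding / "evidence" / "request.txt").write_text("GET /other HTTP/1.1\n")
    (finding / "evidence" / "extra.txt").write_text("added after packaging\n")
    return clean_dir, clean_bundle, verify_dir(finding)


if __name__ == "__main__":
    print(demo())
```

The bundle is the unit a report attaches; a reviewer who receives only the tar.gz can still run `verify_bundle` (or `sha256sum -c MANIFEST.sha256` after extracting) and see whether the evidence matches what was packaged.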
This project is licensed under the MIT License. See the LICENSE file for details.