Skip to content

VictorStaflin/bountytxt-cli

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
cmd/securitytxt
cmd/securitytxt
 
 
internal
internal
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
bountytxt.exe
bountytxt.exe
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

BountyTxt

Go Report Card License: MIT

BountyTxt CLI is a comprehensive tool for discovering, validating, and analyzing RFC 9116 security.txt files to find vulnerability disclosure contacts for domains.

The tool prioritizes legal and safe defaults, including HTTPS-only requests, honoring robots.txt, and avoiding unsolicited messages.

Features

  • Security.txt Discovery: Find security.txt files at standard locations (/.well-known/security.txt, /security.txt)
  • Comprehensive Validation: RFC 9116 compliance checking with detailed scoring and grading
  • Contact Extraction: Extract and validate contact information (emails, URLs, phone numbers)
  • Bug Bounty Analysis: Analyze bug bounty programs from security.txt and external sources
  • Subdomain Hunting: Discover security.txt files across subdomains
  • Bulk Processing: Process multiple domains from files or stdin
  • CI/CD Integration: Proper exit codes and structured logging for automated pipelines
  • Multiple Output Formats: Table, JSON, YAML, CSV, XML, SARIF
  • Export Capabilities: Export validation results and security.txt data

Installation

Pre-built Binaries

Download the latest release from the releases page.

From Source

git clone https://github.com/VictorStaflin/bountytxt-cli.git
cd bountytxt-cli
go build -o bountytxt ./cmd/securitytxt

Go Install

go install github.com/VictorStaflin/bountytxt-cli/cmd/securitytxt@latest

Quick Start

# Find security.txt for a domain
bountytxt find example.com

# Validate security.txt compliance
bountytxt verify example.com

# Extract contact information
bountytxt contacts example.com

# Hunt for security.txt across subdomains
bountytxt hunt example.com

# Analyze bug bounty programs
bountytxt bounty example.com

Commands

Core Commands

  • find - Discover security.txt files for a domain
  • verify - Validate security.txt files with RFC 9116 compliance checking
  • contacts - Extract and analyze contact information
  • bounty - Analyze bug bounty programs from security.txt and external sources

Advanced Commands

  • hunt - Hunt for security.txt files with subdomain enumeration
  • bulk - Process multiple domains from file or stdin
  • export - Export security.txt data in various formats (JSON, YAML, CSV, XML, SARIF)
  • programs - Search and list bug bounty programs
  • ci - CI/CD integration with proper exit codes and structured logging

Usage Examples

Basic Discovery

bountytxt find github.com

Validation with Scoring

bountytxt verify example.com --output json

Contact Analysis

bountytxt contacts example.com --validate-contacts --show-confidence

Subdomain Hunting

bountytxt hunt example.com --subdomains www,api,dev --include-wildcards

Bulk Processing

# From file
bountytxt bulk domains.txt --output jsonl

# From stdin
cat domains.txt | bountytxt bulk -

CI/CD Integration

bountytxt ci example.com --min-score 80 --fail-on error,warning --github-actions

Export Data

bountytxt export example.com --format sarif --output results.sarif
bountytxt export example.com --format json --include-validation --output security-data.json

Configuration

Create a configuration file at ~/.bountytxt.yaml:

output:
  format: table
  verbose: false
  quiet: false

timeout: 30s
max-redirects: 5
verify-tls: true
honor-robots: true
public-mode: true
user-agent: "bountytxt/1.0.0"
workers: 10
rate-limit: 5.0
rate-burst: 10

Output Formats

BountyTxt supports multiple output formats:

  • Table (default): Human-readable tabular output
  • JSON: Structured data for APIs and tools
  • JSONL: JSON Lines format for streaming
  • YAML: Human-readable configuration format
  • CSV: Spreadsheet and database import
  • XML: Enterprise system integration
  • SARIF: Static Analysis Results Interchange Format

Validation Scoring

BountyTxt provides comprehensive validation with scoring:

  • Score: 0-100 points based on compliance and best practices
  • Grade: A, B, C, D, F based on score ranges
  • Issues: Detailed validation issues with severity levels (error, warning, info)
  • Suggestions: Remediation recommendations for each issue

Safety & Ethics

BountyTxt is designed with security research ethics in mind:

  • HTTPS-Only: Enforces HTTPS for all requests by default
  • Robots.txt Respect: Honors robots.txt directives
  • Rate Limiting: Built-in rate limiting to avoid overwhelming servers
  • Public Mode: Restricts certain features for public safety
  • No Unsolicited Contact: Never sends unsolicited messages

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

  1. Fork the repository
  2. Create your feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add some amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request

License

This project is licensed under the MIT License - see the LICENSE file for details.

Acknowledgments

  • Built with Cobra CLI framework
  • Uses Viper for configuration
  • Follows RFC 9116 security.txt specification
  • Inspired by the security research community's need for better tooling

Disclaimer

This tool is intended for security research and vulnerability disclosure purposes only. Users are responsible for complying with applicable laws and regulations. The maintainers are not responsible for misuse of this tool.

About

Security.txt (RFC 9116) discovery & grading across domains/subdomains—contacts + bug bounty intel, structured outputs (JSON/YAML/CSV/SARIF).

Topics

bugbounty security-scan

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

Bountytxt-cli Release Latest
Oct 21, 2025

Packages

 
 
 

Contributors

Languages