bbscope is a scope aggregation tool for all major bug bounty platforms: HackerOne, Bugcrowd, Intigriti, YesWeHack and Immunefi.
Developed by sw33tLie, bbscope helps you efficiently collect and manage program scopes from the platforms where you're active. Whether you're hunting for domains, Android APKs, or binaries to reverse engineer, bbscope makes the process quick and simple.
Ensure you have a recent version of Go installed, then run:

```
go install github.com/sw33tLie/bbscope@latest
```

Each supported platform requires specific authentication:
- HackerOne: Use your API token, available from H1 API Token Settings. Note: the `-u <username>` flag is mandatory.
- Bugcrowd: You have two options:
  - Option 1: Supply your email, password and an OTP generation command. This lets bbscope log in programmatically and obtain a valid session token.
  - Option 2: Log in manually in your browser and pass the value of the `_bugcrowd_session` cookie via the `-t <YOUR_TOKEN>` flag.
  (Both methods require 2FA; see below for details.)
- Intigriti: Generate a personal access token from Intigriti Personal Access Tokens.
- YesWeHack: Use a bearer token collected from the platform's API requests. (Requires 2FA; see below.)
- Immunefi: No token is required.
Bugcrowd and YesWeHack require two-factor authentication to access authenticated endpoints. We recommend installing the following 2FA CLI tool:

```
go install rsc.io/2fa@latest
```

Once installed, configure it for Bugcrowd (adjust similarly for YesWeHack):

```
2fa -add bugcrowd
2fa key for bugcrowd: your_2fa_key_here
```

Then let bbscope fetch the OTP automatically with the `--otpcommand` flag:

```
--otpcommand "2fa bugcrowd"
```

Replace "2fa bugcrowd" with "2fa yeswehack" as needed, or with whatever name you gave the key when adding it.

Please note that the `--otpcommand` flag simply runs a shell command to fetch the OTP and expects the OTP to be printed to stdout. Any other command that prints the current OTP to stdout works as well. Because the string is handed to a shell, keep it to a fixed command you control and never assemble it from untrusted input.
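As an added example (this is not bbscope's code, nor the rsc.io/2fa tool), the Go program below does the same job as `2fa bugcrowd` under the `--otpcommand` contract: it derives an RFC 6238 TOTP from a base32 authenticator secret and prints only the six-digit code to stdout. The secret file path, its location under `~/.config/bbscope/`, and the 30-second / six-digit / HMAC-SHA1 parameters are assumptions (they are the defaults most authenticator apps use); the base32 key used in the test is the RFC 6238 test key, not a real one.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"os"
	"strings"
	"time"
)

// TOTP returns the 6-digit RFC 6238 code for a base32 authenticator
// secret at the given Unix time, using HMAC-SHA1 and 30-second steps
// (assumed defaults). Secrets are accepted the way platforms display
// them: spaces, lowercase letters and trailing '=' padding are tolerated.
func TOTP(secretB32 string, unixTime int64) (string, error) {
	norm := strings.ToUpper(strings.ReplaceAll(secretB32, " ", ""))
	norm = strings.TrimRight(norm, "=")
	key, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(norm)
	if err != nil {
		return "", fmt.Errorf("secret is not valid base32: %w", err)
	}
	if len(key) == 0 {
		return "", fmt.Errorf("secret is empty")
	}

	// Moving factor: number of 30-second steps since the Unix epoch,
	// encoded as a big-endian 64-bit counter (RFC 4226 section 5.3).
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))

	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)

	// Dynamic truncation: the low nibble of the last byte selects a
	// 4-byte window; its top bit is cleared before taking the digits.
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000), nil
}

// main implements the --otpcommand contract: print the OTP to stdout and
// nothing else. The secret is read from a file named on the command line
// (keep it mode 0600) instead of being passed as an argument, so it never
// shows up in process listings or shell history.
func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: totp <secret-file>")
		os.Exit(2)
	}
	raw, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	code, err := TOTP(strings.TrimSpace(string(raw)), time.Now().Unix())
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(code)
}
```

Build it with `go build -o totp .`, store the base32 secret in a file such as `~/.config/bbscope/bugcrowd.totp` with `chmod 600`, and pass `--otpcommand "./totp ~/.config/bbscope/bugcrowd.totp"` to bbscope. Errors go to stderr and a non-zero exit status, so a misconfigured secret never yields a bogus "code" on stdout.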
Invoke bbscope with the appropriate subcommand and flags:

```
bbscope (h1|bc|it|ywh|immunefi) -t <YOUR_TOKEN> [options]
```

For a complete list of options, run:

```
bbscope --help
```

Note that subcommands have different options, so be sure to check the help for each subcommand for more information.
Get in-scope targets from bounty-based HackerOne programs:

```
bbscope h1 -t <YOUR_TOKEN> -u <YOUR_H1_USERNAME> -b -o t
```

List Android APKs from your HackerOne programs:

```
bbscope h1 -t <YOUR_TOKEN> -u <YOUR_H1_USERNAME> -o t -c android
```

Include descriptions and program URLs with your targets:

```
bbscope h1 -t <YOUR_TOKEN> -u <YOUR_H1_USERNAME> -o tdu -d ", "
```

Retrieve URLs from private HackerOne programs:

```
bbscope h1 -t <YOUR_TOKEN> -u <YOUR_H1_USERNAME> -o u -p | sort -u
```

List targets from private Bugcrowd programs that offer rewards, with automatic login:

```
bbscope bc -E <YOUR_EMAIL> -P "<YOUR_PASSWORD>" -b -p -o t --otpcommand "2fa bugcrowd"
```

Similarly, you can log in manually and supply the `_bugcrowd_session` cookie value with the `-t <YOUR_TOKEN>` flag:

```
bbscope bc -t <YOUR_TOKEN> -b -p -o t
```

Note that the cookie value expires after some minutes, so the first method is recommended. Keep in mind that a password passed with `-P` is recorded in your shell history and is visible in the process list to other users on the same machine.

Get targets and program URLs from all Intigriti programs, including out-of-scope elements:

```
bbscope it -t <YOUR_TOKEN> -o tu --oos
```

Retrieve all available scope data from Immunefi:

```
bbscope immunefi
```

Bug bounty programs do not always categorize assets consistently. When hunting for URLs with the `-c url` flag, consider also running with `-c all` to make sure no relevant targets are missed.
Thanks to the following contributors: