A new open-source bug bounty hunting toolkit called BugHunter, built on top of Anthropic’s Claude Code and now extended to support free AI providers like Ollama and Groq, is gaining traction in the security research community for automating the full vulnerability discovery and reporting pipeline.
Developed by security researcher Shuvon Md Shariar Shanaz and hosted at GitHub, BugHunter covers every phase of a bug bounty operation: subdomain enumeration, live host discovery, vulnerability testing across 20+ Web2 and 10 Web3 bug classes, finding validation via a 7-Question Gate, and submission-ready report generation for HackerOne, Bugcrowd, Intigriti, and Immunefi, all from a single terminal command.
Previously limited to users with a Claude Code or Claude Pro subscription, BugHunter now ships as a fully standalone CLI tool the bughunter command powered by free and low-cost AI providers. The update significantly lowers the barrier to entry for independent researchers. Free provider support includes:
- Ollama – fully offline, runs locally on the researcher’s machine at zero cost
- Groq – free cloud tier with very fast inference speeds
- DeepSeek – cloud-based at approximately $0.001 per 1,000 tokens
- Claude API / OpenAI – paid, for users who prefer Anthropic or OpenAI models
BugHunter auto-detects providers in priority order (Ollama → Groq → DeepSeek → Claude → OpenAI), defaulting to the most cost-efficient available option. Researchers can switch providers at any time via bughunter setup.
Once installed, the toolkit exposes a structured CLI that mirrors a professional bug bounty workflow:
textbughunter recon target.com # Attack surface mapping
bughunter hunt target.com # Multi-class vulnerability testing
bughunter validate "finding" # 7-Question Gate validation
bughunter report # Generates platform-specific submission
bughunter chat # Interactive AI hunting shellThe 7-Question Gate executed during the validate command is designed to eliminate weak or duplicate findings before a researcher wastes time on a submission. Internally, the toolkit orchestrates approximately 35 scanning tools including subfinder, httpx, nuclei, katana, ffuf, and dalfox, with missing tools skipped gracefully rather than causing hard errors.
One technically notable capability is cross-session memory persistence. BugHunter logs findings and discovered patterns to a JSONL-based memory store, allowing vulnerability patterns identified on one target to surface as context when testing a new one.
Session state is preserved across restarts, so researchers can resume interrupted hunts prioritizing untested endpoints via bughunter pickup target.com.
Beyond traditional web application testing, BugHunter includes a dedicated smart contract audit mode covering 10 vulnerability classes, including reentrancy, flash loan attacks, oracle manipulation, and proxy/upgrade flaws.
A token auditor module also scans for rug pull indicators, mint authority, LP lock status, honeypot detection, and bonding curve anomalies — relevant to Immunefi-style Web3 programs.
Nine specialized AI agents handle individual tasks within the pipeline: a recon agent, report writer, validator, Web3 auditor, chain builder, autopilot, recon ranker, token auditor, and credential hunter with built-in legal guardrails that hard-stop before any credential spraying activity.
The toolkit installs as a Claude Code plugin, a standalone CLI, or into alternative agent harnesses including OpenCode, Pi Agent, and Codex, making it one of the more versatile open-source offerings in AI-assisted bug bounty automation currently available on GitHub.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
