hunt-misc

SKILL.md

Crown Jewel Targets

Why this vuln class pays: MISC vulnerabilities span access control failures, information disclosure, session/auth logic bugs, and misconfiguration — the categories that consistently produce the highest payouts because they map directly to business impact: data exposure, account takeover, privilege escalation, and infrastructure compromise.

Highest-value targets:

  • SaaS platforms with role hierarchies (Shopify, GitHub, GitLab) — any boundary between owner/admin/staff/guest is a privilege escalation surface
  • Identity/auth flows — invitation links, password reset, SAML SSO, OAuth token scopes
  • Multi-tenant systems — one tenant touching another tenant's data
  • Internal APIs — LFS endpoints, pre-receive hooks, internal GraphQL/REST that assume the caller is trusted
  • Domain/DNS management features — transfer controls, subdomain delegation
  • Token/credential management — PAT scopes, deploy keys, API tokens stored in config fields

Asset types that pay most:

  • Core product APIs (not marketing subdomains)
  • Enterprise/self-hosted editions (GitHub Enterprise, GitLab EE)
  • Partner/collaborator invitation systems
  • OAuth app integrations and webhook endpoints
First Seen
May 24, 2026
hunt-misc — elementalsouls/claude-bughunter