Find friends, share ideas, and start discussions with pro bug bounty hunters and software developers/engineers. Join the bb-huge Discord Server
/bb-hugeβ one command. Multi-Domain Security Expert, loaded. Not a portal. A Context Engineering Architecture that converts your AI agent into a disciplined hunter across Web, Mobile, Binary, and Source Code with a single slash command. The web UI is the visible tip β the real power is the 350+ curated security skills injected into the agent's brain.
 |
 |
|
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β YOUR AI AGENT β
β (gemini-cli / claude-code / codex / emmu / any MCP client) β
ββββββββββββ¬ββββββββββββββββββββββββββββββββββββββ¬βββββββββββββ
β "/bb-huge" β "find bugs on
β triggers skill β example.apk"
βΌ βΌ
ββββββββββββββββββββββββββββ ββββββββββββββββββββββββββββββββ
β SKILL.md β β MCP stdio Server β
β β’ Multi-Domain Persona β β β’ 35+ tools (CRUD + stats) β
β β’ 7 SOPs loaded βββββΊβ β’ stdio transport β
β β’ Field Dispatch system β β β’ stateless, fast β
β β’ 350+ Curated Skills β β β’ any agent, same API β
ββββββββββββ¬ββββββββββββββββ ββββββββββββ¬ββββββββββββββββββββ
β β
βΌ βΌ
ββββββββββββββββββββββββββββ ββββββββββββββββββββββββββββββββ
β references/ (12+ files) β β PORTAL (Flask + SQLite) β
β β’ Mobile Methodology β β β’ Dashboard (Field Grouping)β
β β’ Binary Analysis β β β’ Findings CRUD (4 domains) β
β β’ Source Code Audit β β β’ Programs + Auto-Summary β
β β’ Field-routed Templatesβ β β’ Observations/Hypotheses β
β β’ Recon, Standards β β β’ Evidence pipeline β
β β’ Eligible Vulns β β β’ Assets & Endpoints β
ββββββββββββββββββββββββββββ β β’ REST API β
β β’ Webhooks (Discord/TG) β
ββββββββββββββββββββββββββββββββ
Two systems, one interface. The skill layer gives the agent domain-specific knowledge & discipline. The portal layer gives it persistent multi-field memory. They communicate through MCP.
bb-huge captures bug bounty work at every confidence level, from vague suspicion to confirmed payout:
Observation ββpromoteβββΊ Hypothesis ββpromoteβββΊ Finding
(signal) (candidate) (confirmed)
Each step preserves provenance β a promoted finding keeps a link back to the hypothesis and observation it came from, along with the evidence that supports it.
Every bug hunter has the same problem: context resets to zero every session.
You spend 30 minutes re-reading your own notes, re-downloading attachments, trying to remember where you left off. Between sessions, you forget the half-baked hypothesis, the endpoint you were about to fuzz, the parameter that looked interesting.
bb-huge fixes this at the architectural level:
| Problem | How bb-huge solves it |
|---|---|
| Agent forgets between sessions | Portal stores everything β findings, notes, attachments, evidence |
| You forget hunches and half-baked ideas | Observations & Hypotheses capture signals before they're findings |
| Losing evidence between sessions | Structured evidence records (Frida logs, disassembly, code snippets) |
| Disorganized attack surface | Assets & Endpoints track domains, APKs, binaries, and repos |
| One field only (Web) | Multi-Field support for Mobile, Binary, and Source Code Audit |
| You forget the methodology | Skill injects Multi-Domain Expert SOPs into every new session |
| You waste time on setup | /bb-huge command boots everything in one call |
| Testing blind β no context | Auto-Summarization Protocol identifies tech stack automatically |
| Limited expert knowledge | 350+ Curated Security Skills injected into the agent's brain |
| Writing reports is painful | Field-routed report templates for every domain |
bb-huge now comes bundled with a massive collection of 350+ community-sourced security skills, organized into 14 categories. This turns your AI agent into a polymath expert.
- Web Security: XSS, SQLi, SSRF, JWT, GraphQL, WebSmuggling, etc.
- Mobile: Android/iOS static & dynamic analysis, Frida, Deep Links.
- Binary: Reverse engineering, Heap exploits, ROP, Ghidra/GDB SOPs.
- Cloud/K8s: AWS, Azure, Docker escapes, RBAC misconfigs.
- Offensive OSINT: Recon, Shodan, Subdomain discovery.
- AI Security: Prompt injection, RAG poisoning, Model inversion.
Browse the collection: skills/curated/MANIFEST.md
When you type the command, the agent's brain gets injected with:
graph TB
C["/bb-huge command"] --> SKILL[SKILL.md]
SKILL --> SOP1["SOP-1: New Target<br/>Onboarding + Field Setup"]
SKILL --> SOP2["SOP-2: Vulnerability Found<br/>Field-aware evidence pipeline"]
SKILL --> SOP5["SOP-5: Pre-Hunt Q&A<br/>Domain-specific context"]
SKILL --> SOP6["SOP-6: Report Prep<br/>Field-routed templates"]
SKILL --> ASP["Auto-Summarization<br/>Tech stack identification"]
SKILL --> DIS["Field Dispatch<br/>Methodology routing"]
SKILL --> MCP["35+ MCP Tools<br/>Field filtering, Stats,<br/>Multi-domain CRUD"]
SKILL --> CUR["350+ Curated Skills<br/>Community knowledge"]
SKILL --> REFS["Reference Library"]
REFS --> METH["Methodologies<br/>Mobile, Binary, Source"]
REFS --> TEMP["Report Templates<br/>Field-routed index"]
style C fill:#4a9,color:#fff
style SKILL fill:#67b,color:#fff
style MCP fill:#956,color:#fff
style CUR fill:#c44,color:#fff
style REFS fill:#567,color:#fff
~3,000+ lines of specialized knowledge β every session. The reference library and curated skills are lazy-loaded (you only pull what you need), but the core dispatch system is always active.
π Set up bb-huge right now
git clone https://github.com/ShulkwiSEC/bb-huge.git
cd bb-huge
cp .env.example .env
# Edit .env β set SECRET_KEY and DEV_KEYpython -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
python run.pydocker compose up -dOpen http://localhost:5000 β enter your DEV_KEY.
π€ Connect my AI agent to bb-huge
The MCP server (mcp_server.py) uses stdio transport. Any MCP-compatible agent connects in seconds.
Add to .gemini/settings.json (project or global):
{
"mcpServers": {
"bb-huge": {
"command": "python",
"args": ["/absolute/path/to/bb-huge/mcp_server.py"],
"env": {
"DEV_KEY": "your-dev-key",
"BB_HUGE_URL": "http://127.0.0.1:5000"
}
}
}
}Add to claude_desktop_config.json:
{
"mcpServers": {
"bb-huge": {
"command": "python",
"args": ["/absolute/path/to/bb-huge/mcp_server.py"],
"env": {
"DEV_KEY": "your-dev-key",
"BB_HUGE_URL": "http://127.0.0.1:5000"
}
}
}
}See mcp_config_examples.txt for codex, emmu, and other agents.
π§ Load the Senior Bug Hunter skill
Copy the skill into your agent's skill directory:
cp -r skills/bb-huge ~/.gemini/skills/
# Project-local also works: .gemini/skills/bb-huge/Now every time you type /bb-huge, the agent loads:
- Senior Bug Hunter persona with capture-first discipline
- 7 Standard Operating Procedures (SOP-0 through SOP-6)
- Full tool reference & severity/status guides
- 7 reference files covering methodology, recon, scope, reports, and scheduled missions
- 30+ MCP tools wired to your portal
The agent doesn't just "know about" bug bounty. It becomes a bug bounty hunter.
After typing /bb-huge, the agent will acknowledge the injected methodology and prep the session.
| Terminal / Text Output | Agent SOP Execution |
|---|---|
π΅ bb-huge skill loaded β Senior Bug Hunter mode active π Portal: 42 findings, 5 programs, 3 open observations π Resuming last session: finding #17 β What target are we working on today? |
|
If the agent does NOT acknowledge loading, does NOT run the Session Initialization Protocol, or seems confused β run the theory quiz.
π Log a finding immediately
From your agent:
bb_create_finding(title="IDOR on /api/users", target="api.example.com", severity="high")
That's it. The MCP server routes it to the portal. No browser, no forms, no friction.
The skill's #1 rule: capture first, enrich later. A thin entry now beats a perfect entry that never gets written. Fill in CWE, CVSS, PoC, and description as evidence accumulates.
graph LR
A["Vulnerability Spotted"] --> B["bb_create_finding<br/>(status: discovered)"]
B --> C["bb_upload_attachment<br/>(evidence files)"]
C --> D["bb_update_finding<br/>(append PoC)"]
D --> E["bb_update_status<br/>(confirmed)"]
E --> F["bb_update_status<br/>(reported π―)"]
F --> G["bb_update_status<br/>(rewarded π°)"]
style A fill:#c44,color:#fff
style G fill:#4a4,color:#fff
π Search and review findings
# From terminal (CLI script)
python skills/bb-huge/scripts/bb.py list --severity critical --status confirmed
# From agent
bb_list_findings(q="xss", severity="high")
# Get full detail
bb_get_finding(id=42)Or open the web UI: http://localhost:5000/findings β filter by severity, status, agent, platform. Full-text search. CSV export.
π See my stats at a glance
# From agent
bb_get_stats()
# From terminal
python skills/bb-huge/scripts/bb.py statsReturns totals by severity, status, and agent. The dashboard also renders bar charts for each dimension.
π Attach evidence to a finding
# From agent
bb_upload_attachment(id=42, file_path="./burp_request.txt")
# From terminal
python skills/bb-huge/scripts/bb-dump-attachments.py 42Both scripts pull auth from environment variables (BB_HUGE_URL, DEV_KEY). No credentials hardcoded.
π Resume work on a previous finding
SOP-3 handles this. The agent:
bb_get_finding(42)β reads current state, linked hypothesis & evidencebb_generate_report_context(42)β gets evidence summary, unresolved gapspython scripts/bb-dump-attachments.py 42β pulls all attachments to local disk- Reads every attachment to restore full context
- Gives you a one-paragraph summary of where things stand
Zero context loss between sessions. Even between different agents.
π¬ Get notified when things happen
The portal supports Discord and Telegram webhooks. Configure in Settings β Webhooks.
The agent can notify on any event:
bb_notify(event="finding.confirmed", payload={"title": "RCE on admin panel", "message": "Go write the report!"})Webhooks fire automatically on create/status-change if configured.
π Track multiple programs
Programs are first-class citizens. Each program tracks:
- Platform (HackerOne, Bugcrowd, Intigriti, private)
- Scope rules (in-scope / out-of-scope)
- Findings, observations, hypotheses linked to it
- Assets (domains, subdomains, API hosts, mobile apps, repos)
- Endpoints (URL paths with method, protocol, auth info)
- Recon entries (subdomains, technologies, parameters, credentials)
bb_create_program(name="Acme Corp", platform="HackerOne")
bb_add_recon(program_id=1, category="subdomain", value="admin.acme.com", source="subfinder")
bb_list_programs()π Use the REST API directly
All endpoints require X-Dev-Key header.
# Stats
GET /api/v1/stats
# Enums
GET /api/v1/enums
# Findings
GET /api/v1/findings?q=&severity=&status=&agent=&limit=&offset=
POST /api/v1/findings
GET /api/v1/findings/<id>
PATCH /api/v1/findings/<id>
DELETE /api/v1/findings/<id>
PATCH /api/v1/findings/<id>/status
POST /api/v1/findings/<id>/notes
DELETE /api/v1/notes/<id>
POST /api/v1/findings/<id>/attachments
GET /api/v1/findings/<id>/report-pack
GET /api/v1/findings/similar?target=&cwe=&title=
PATCH /api/v1/findings/bulk/status
# Programs
GET /api/v1/programs
POST /api/v1/programs
GET /api/v1/programs/<id>
PATCH /api/v1/programs/<id>
DELETE /api/v1/programs/<id>
GET /api/v1/programs/<id>/context
PUT /api/v1/programs/<id>/context
GET /api/v1/programs/<id>/brief
# Recon
GET /api/v1/programs/<id>/recon
POST /api/v1/programs/<id>/recon
DELETE /api/v1/recon/<id>
# Observations
GET /api/v1/programs/<id>/observations
POST /api/v1/programs/<id>/observations
GET /api/v1/observations/<id>
PATCH /api/v1/observations/<id>
POST /api/v1/observations/<id>/promote
# Hypotheses
GET /api/v1/programs/<id>/hypotheses
POST /api/v1/programs/<id>/hypotheses
GET /api/v1/hypotheses/<id>
PATCH /api/v1/hypotheses/<id>
POST /api/v1/hypotheses/<id>/promote
# Evidence
GET /api/v1/programs/<id>/evidence
POST /api/v1/evidence
GET /api/v1/evidence/<id>
PATCH /api/v1/evidence/<id>
# Assets
GET /api/v1/programs/<id>/assets
POST /api/v1/programs/<id>/assets
PATCH /api/v1/assets/<id>
DELETE /api/v1/assets/<id>
# Endpoints
GET /api/v1/assets/<id>/endpoints
POST /api/v1/assets/<id>/endpoints
PATCH /api/v1/endpoints/<id>
DELETE /api/v1/endpoints/<id>
# Notifications
POST /api/v1/notify
# Similarity check
POST /api/v1/similarity/check
Example:
curl -X POST http://localhost:5000/api/v1/findings \
-H "X-Dev-Key: your-dev-key" \
-H "Content-Type: application/json" \
-d '{"title":"Reflected XSS in search","target":"app.example.com","severity":"high","cwe":"CWE-79","cvss":7.2}'π§ͺ Run the Theory Quiz (test your agent)
After loading /bb-huge, run the Theory Quiz to verify
your agent fully understands the skill. 10 questions covering architecture,
SOPs, tools, and workflow.
Pass threshold: 9/10 correct = agent is production-ready. Fail? Open an issue with the agent's output and question number.
π Run bb-huge automatically on a schedule
Because of the SOP-0 scheduled mission protocol, you can easily run your agent fully hands-free on an hourly or daily basis. The agent will read its constraints from im-scheduled.md and execute without human input.
If your agent's UI already has a built-in task scheduler (like OpenCode), simply configure your time interval and paste this exact prompt into the task configuration:
/bb-huge This is a scheduled mission. Follow SOP-0 and execute.
If you are using CLI agents, open your crontab (crontab -e) and add this line to run it at the top of every hour. Adjust the paths to your specific CLI tool and log directory.
0 * * * * echo "/bb-huge This is a scheduled mission. Follow SOP-0 and execute." | opencode >> ~/.opencode/logs/bb-huge-hourly.log 2>&1
- Create a simple PowerShell script (e.g.,
hourly-hunt.ps1):
" /bb-huge This is a scheduled mission. Follow SOP-0 and execute." | opencode | Out-File -FilePath "$HOME\bb-huge-hourly.log" -Append
- Open Task Scheduler, click Create Task.
- Set Trigger: Daily, and check Repeat task every: 1 hour.
- Set Action: Start a program, type
powershell.exe, and add the argument-ExecutionPolicy Bypass -File C:\path\to\hourly-hunt.ps1.
(Note: Replace opencode with whichever CLI agent you are using).
π§ͺ Test MCP manually
echo '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{}}' | \
DEV_KEY=your-dev-key python mcp_server.pyExpect a JSON-RPC response with server capabilities. You can then pipe tools/list and tools/call messages.
π³ Run everything in Docker
docker compose up -dThat's the whole command. The Dockerfile + docker-compose.yml handle the rest. Portal on :5000, ready to connect.
bb-huge/
βββ app/
β βββ __init__.py # Flask app factory
β βββ models.py # 11 models: Finding, Attachment, Program,
β β # ReconEntry, Note, WebhookConfig,
β β # TargetContext, Observation, Hypothesis,
β β # EvidenceRecord, Asset, Endpoint
β βββ migrations.py # Schema migration functions
β βββ routes/
β β βββ auth.py # Login / logout
β β βββ findings.py # Web UI: CRUD, upload, CSV, report-pack
β β βββ api.py # REST API (45+ endpoints)
β β βββ programs.py # Program management + observations,
β β β # hypotheses, evidence, assets, recon
β β βββ settings.py # Webhooks, notes
β βββ utils.py # File validation, webhook dispatch
β βββ templates/ # 11+ Jinja2 templates (dark theme)
β βββ static/uploads/ # Attachment storage
βββ skills/bb-huge/
β βββ SKILL.md # The brain β agent instruction
β βββ references/
β β βββ mobile-methodology.md # Android/iOS hunting guide
β β βββ binary-analysis-methodology.md # RE & disassembly SOP
β β βββ source-code-audit-methodology.md # White-box SAST patterns
β β βββ mobile-report-templates.md # Mobile-specific CWE templates
β β βββ binary-report-templates.md # Binary/RE crash templates
β β βββ source-code-report-templates.md # Code-level vulnerability templates
β β βββ bb-operator.md # Full hunting methodology
β β βββ bb-recon.md # Recon playbook + tool commands
β β βββ bb-eligible-vulnerabilities.md # Universal taxonomy (updated)
β β βββ bb-standards.md # Evidence standards (updated)
β β βββ bb-report-templates.md # Web templates & Field Index
β β βββ im-scheduled.md # Scheduled mission routing
β β βββ bb-orchestrator.md # Multi-skill coordination
β β βββ tools-list.md # Tool command reference
β βββ scripts/
β βββ bb.py # CLI helper
β βββ bb-dump-attachments.py # Download all evidence
βββ skills/curated/
β βββ MANIFEST.md # Catalog of 350+ community skills
β βββ install.sh # Cross-platform skill installer
βββ mcp_server.py # MCP stdio server (35+ tools)
βββ THEORY_QUIZ.md # 10-question agent comprehension test
βββ tests/
β βββ test_api.py # API integration tests
βββ config.py # App configuration
βββ run.py # Entry point (Flask / Waitress)
βββ requirements.txt
βββ Dockerfile
βββ docker-compose.yml
βββ .env.example
βββ mcp_config_examples.txt
This project is licensed under the MIT License β see the LICENSE file for details.
