Skip to content

Program Selection & Setup

Once platforms are synced, RedPick moves from raw program inventory to target selection and engagement bootstrap. This part of the flow decides where effort should go and prepares an engagement with the exact scope and context the hunting skills need.

Program Browse Layer

The Programs tab and the setup skill work from the same backend data:

  • GET /api/v1/bugbounty/programs
  • GET /api/v1/bugbounty/programs/{program_id}

Browse items expose:

  • platform and handle
  • scope list with eligible flags
  • bounty table
  • asset types
  • policy URL
  • current program status
  • submission counts

This is the operator-facing inventory view before any setup happens.

Intelligence Scoring

The Intelligence tab is driven by the bug bounty intelligence engine.

Composite model

RedPick computes a weighted score across three dimensions:

Dimension Weight Intent
Bug probability 40% How likely is the program to contain exploitable bugs now
Competition analysis 30% How crowded or saturated the target appears
Payout efficiency 30% Whether time spent is likely to produce useful payout and triage speed

Inputs used by the score

The engine derives its score from signals such as:

  • scope change velocity and freshness
  • inferred tech fragility from description and scope
  • wildcard and asset-type complexity
  • platform and bounty-based crowding heuristics
  • own submission history and response speed
  • bounty competitiveness by severity

API surface

  • GET /api/v1/bugbounty/intelligence/rankings
  • GET /api/v1/bugbounty/intelligence/programs/{program_id}
  • POST /api/v1/bugbounty/intelligence/refresh

This layer is the ranking substrate used both by humans in the dashboard and by automated loops.

Session Selection Logic

For rotating sessions, RedPick adds a second layer on top of raw intelligence scores.

The session service applies:

  • rotation penalty for recently tested programs
  • recent-finding bonus for productive programs
  • exhaustion penalty for programs tested repeatedly with zero findings
  • fresh-scope boost for recent asset additions
  • recent bounty-change boost
  • optional focus boosts for specific vuln classes
  • hard filtering for underpaying programs

This is intentionally depth-first rather than round-robin. A productive target can repeat if the signals justify going deeper.

Suggested Hunt Mode

Selection logic also recommends an initial hunt mode based on the visible surface:

  • billing and subscription signals push toward logic
  • GraphQL signals push toward api
  • callback or webhook signals push toward ssrf
  • upload flows push toward injection
  • auth stack signals push toward auth
  • otherwise the default is usually access

This is not a hard lock. It is a starting bias for the operator or the loop.

One-Click Setup

Setup is exposed through:

  • POST /api/v1/bugbounty/programs/{program_id}/setup
  • /bb-setup

The setup step turns a synced program into a standard RedPick engagement.

What setup does

  1. Picks the first launchable in-scope web target.
  2. Creates or reuses an engagement directory.
  3. Builds scope.txt from eligible and out-of-scope assets.
  4. Writes brief.json with platform, handle, policy URL, bounty range, scope summary, and full scope items.
  5. Prepares proxy configuration commands for Burp, Caido, or both.
  6. Returns a ready-to-run command like /pentest https://target --bug-bounty --name <engagement>.

Main artifacts

The engagement gets the same baseline shape as a normal pentest, but with bug bounty context preloaded:

  • scope.txt
  • brief.json
  • context.json
  • findings/
  • recon/
  • discovery/
  • logs/
  • report/

That means the bug bounty setup flow plugs directly into the existing pentest runtime while preserving program-specific scope and payout context.

Proxy Bootstrap

Setup can generate scoping commands for:

  • Burp
  • Caido

This is important because bug bounty work often mixes automated and manual validation, and the operator needs proxy scope to match platform scope from the start.

Program-Scoped Knowledge Bootstrap

Setup is only the engagement side. The bug bounty system also maintains a program-specific knowledge root under bugbounty/.

That knowledge root is where RedPick persists:

  • program knowledge and observations
  • attack surface history
  • technique history
  • policy rules
  • compact memory and next tests

The key distinction is:

  • engagements/ stores the current test workspace
  • bugbounty/programs/{platform}/{handle}/ stores long-lived program memory across sessions
  1. Sync all platforms.
  2. Review Intelligence and Scope tabs together.
  3. Prefer programs with both strong composite score and fresh change signals.
  4. Run setup from the selected program card.
  5. Launch manual hunting or let the continuous session / perpetual loop pick up the prepared target.