Contents 1. What is OwlMind? 2. How the system works 3. Step-by-step onboarding 4. Installation & setup 5. Your tools (Claude Code + owlhunt) 6. Daily workflow 7. How to submit findings 8. Platforms we use 9. Compensation (salary + KPI) 10. Daily reports & heartbeats 11. Rules (read carefully) 12. Security & monitoring 13. FAQ

1. What is OwlMind?

OwlMind is a professional bug bounty team. We find real security vulnerabilities in open-source software (WordPress plugins, AI/LLM frameworks, web apps) and submit them to bounty platforms for cash rewards.

This is real work with real money. Every accepted vulnerability report = a bounty payout. The better your findings, the more you earn.

What we look for:

2. How the system works

The full pipeline from your machine to a paid bounty:

You (Claude Code + owlhunt)
  |
  v
Scan target code --> Find vulnerability --> Verify it's real
  |
  v
owlhunt add (register finding) --> owlhunt submit (send to platform)
  |
  v
Platform reviews --> Accepted / Duplicate / N-A
  |
  v
Bounty paid to OwlMind --> Fixed salary + KPI bonus to you

What you do

  • Open Claude Code and research targets
  • Find real vulnerabilities with code analysis
  • Register and submit findings via owlhunt
  • Write clear vulnerability reports

What the system does

  • Provides AI-powered scanning tools
  • Deduplicates against known CVEs
  • Submits to platforms via secure proxy
  • Tracks all submissions and payouts

3. Step-by-step onboarding

1
Apply — Fill out the form on the Apply tab with your name, email, OS, and language.
2
Wait for approval — The team lead reviews your application. Check your status at /bounty/status/yourname.
3
Download bundle — Once approved, a one-time download link appears on your status page. Click it to download owlmind-yourname.tar.gz.
4
Run the installer — Extract and run:
tar xzf owlmind-yourname.tar.gz && bash install.sh
On Windows: extract the archive and run install.bat as Administrator.
5
Installer does everything — it installs dependencies, copies scripts and detectors, configures Claude Code, sets up automatic heartbeats, daily reports, and team sync. You will see a 7/7 check at the end.
6
You are ACTIVE — Open Claude Code and start working. Your status on the portal changes to ACTIVE.
Important: The download link works only ONCE. After you download the bundle, the link is invalidated. If the download fails, ask the team lead for a new one.

4. Installation & setup

What the installer sets up

ComponentWhat it does
Claude CodeAI assistant for code analysis — your main tool
owlhuntCLI for managing sessions, findings, submissions
CLAUDE.mdMethodology file — Claude reads this and knows how to audit
500+ SAST detectorsYAML rules that find vulnerability patterns in code
Heartbeat cronPings the portal every 30 min — confirms you are online
Daily report cronSends your daily stats at 21:00 automatically
team_syncSyncs targets/findings with the team (no duplicates)
owlmind_guardLicense validator — keeps your access active

System requirements

Post-install check

After installation, verify everything works:

owlhunt list # should show empty session list owlhunt confidence # should show detector stats claude --version # should print Claude Code version

5. Your tools

Claude Code (main tool)

Open a terminal and type claude to start. Claude Code is an AI assistant that can read code, search files, run commands, and help you find vulnerabilities. It already knows the OwlMind methodology from CLAUDE.md.

Example session:

# Start Claude Code claude # Inside Claude Code, ask it to audit a target: > audit the WordPress plugin user-registration for IDOR vulnerabilities # Claude will clone the repo, search for AJAX handlers, # trace data flows, and report findings

owlhunt commands

CommandWhat it does
owlhunt new URLStart a new target session (clones repo + quick audit)
owlhunt listList all active sessions
owlhunt statusDetails of current session
owlhunt add SESS --file path:LINE --type idor --severity high --title "..."Register a confirmed finding
owlhunt submit SESSSubmit finding to bounty platform (with auto-dedup)
owlhunt submit SESS --dry-runTest submission without actually sending
owlhunt close SESSClose session when done with a target
owlhunt scan-astRun AST-based scanner on code (500+ detectors)
owlhunt slop-check DRAFT.mdCheck your report for AI-sounding language
owlhunt journalLog your attempts and outcomes
owlhunt lab-upStart a local WordPress test lab (Docker)
owlhunt lab-downStop the test lab
owlhunt deephunt OWNER/REPOEnd-to-end pipeline: scope gate, clone, AST scan, triage, dedup, draft
owlhunt record SLUG --type idor --severity high --platform patchstackRecord a submitted finding to the team ledger
owlhunt wp-attackRun payload-based WordPress probe against local lab
owlhunt attackRun auto-attacker (137 attack classes) with report output
owlhunt kit-gen TARGETGenerate attack kit (6 vector scripts + runbook) for a SaaS target
owlhunt confidenceShow detector confidence report
owlhunt draft-gen HASHGenerate report draft from finding hash
owlhunt emailSend coordinated disclosure email to vendor
Tip: Always use --dry-run first before actual submission. This runs dedup checks and slop checks without sending anything.

6. Daily workflow

  1. Check targets queue — Open Claude Code and ask which targets are available, or run owlhunt new URL --wp for a WordPress plugin.
  2. Research the target — Read the code. Look for AJAX handlers, REST endpoints, SQL queries, file operations. Trace data flows from user input to dangerous sinks.
  3. Find vulnerabilities — Use Claude Code to help you analyze. Use owlhunt scan-ast for automated scanning. Verify every finding manually.
  4. Verify the finding — Set up a test lab (owlhunt lab-up). Write a PoC (curl command). Confirm the vulnerability works on a real install.
  5. Register and submit — Use owlhunt add to register the finding, then owlhunt submit to send it to the bounty platform.
  6. Work 6-10 hours — The heartbeat system tracks your active hours automatically.
Quality over quantity. One real, verified, well-written report is worth more than 10 unverified reports. Bad reports get rejected and hurt our reputation on platforms.

7. How to submit findings

Submission flow

1. owlhunt add SESSION --file path:line --type sqli --severity high --title "..."
   --> Finding registered locally + Pass 1 dedup (checks known CVEs)

2. owlhunt submit SESSION --dry-run
   --> Pass 2 dedup (WPScan + NVD + OWVD) + slop check
   --> Shows what would be sent, without sending

3. owlhunt submit SESSION
   --> Enhances report (CVSS, impact, remediation)
   --> Sends to platform via your account
   --> Records submission_id in portal

Report quality checklist

DO NOT write like an AI

Never use phrases like "This vulnerability allows attackers to potentially...", "It is important to note that...", "This could lead to serious security implications...". Write like a human researcher: direct, specific, with real code line numbers and working PoC commands.

8. Platforms we use

Patchstack
WordPress plugin vulns
Payout: $200-$1,500
WP plugins
Huntr
Open-source AI/ML vulns
Payout: $100-$5,000
AI/LLM
HackerOne
Enterprise programs
Payout: $500-$25,000
Top tier
Bugcrowd
Enterprise programs
Payout: $500-$10,000
Top tier
Wordfence
WordPress vulns
Payout: $50-$1,066
WP plugins
YesWeHack
European programs
Payout: varies
Special
Intigriti
European programs
Payout: varies
Special
Immunefi
Web3 / crypto vulns
Payout: $1,000-$50,000+
Crypto
GHSA
GitHub Security Advisories
Payout: none (CVE credit)
CVE only
MSRC
Microsoft (via HackerOne)
Payout: $500-$15,000
Top tier
Vendor Email
Direct security@ disclosure
Payout: varies
Coordinated

For most platforms you will have your own account with a yourname@muravey.app email. All bounty payouts are managed by the team lead and distributed as salary + KPI bonus. The team lead coordinates submission scheduling to avoid rate limits.

9. Compensation

ItemDetails
Fixed salary¥4,000 CNY/month (~$550 USD) — guaranteed monthly payment
KPI bonusPerformance-based bonus calculated monthly (findings count, severity, acceptance rate)
Payout methodPayPal, bank transfer, or crypto — arranged individually
TrackingEvery submission is recorded with platform ID, amount, and dual-signature
LLM APIFree — paid by the team through the gateway (daily budget default $3/day)

Example earnings

PerformanceMonthlyUSD equivalent
Base salary¥4,000~$550
Good KPI (consistent findings)¥8,000~$1,100
Great KPI (High/Critical)¥15,000~$2,000
Top performer¥25,000+~$3,400+
LLM costs: You have a daily LLM API budget (default $3/day, configurable by team lead up to $50/day). Claude Code API calls are paid by the team through the gateway. This is separate from salary.

10. Daily reports & heartbeats

Heartbeats (automatic)

Your machine pings the portal every 30 minutes automatically (set up by the installer). This tells the team lead you are online and working. You do not need to do anything — it runs in the background.

Daily report (automatic)

At 21:00 local time, the system automatically sends your daily stats:

This is fully automatic. The data comes from your local owlhunt session logs and heartbeats. You can also run bash ~/daily_report.sh manually to see what will be sent.

11. Rules

1. Never share tools, detectors, or methodology

All scripts, YAML detectors, CLAUDE.md, and techniques are proprietary. Sharing = immediate termination.

2. Submit findings only through coordinated channels

All submissions go through owlhunt submit or your assigned platform account. Never submit from personal accounts outside the team. Coordinate with the team lead on timing.

3. Never fabricate findings

Every finding must be a real, verified vulnerability with a working PoC. Fake submissions = ban from the team and from the platform.

4. Quality over quantity

One well-written, verified High-severity report is worth more than 10 unverified Medium reports. Bad reports damage our platform reputation.

5. Do not modify guard, watchdog, or detectors

The license guard and encrypted detectors are integrity-checked. Tampering triggers an alert and immediate access revocation.

6. Keep heartbeats active during work hours

If you are working, your machine must be on and connected. Extended offline periods without notice will be flagged.

7. NDA is permanent

Even after leaving the team, you may not disclose OwlMind tools, findings, or internal processes.

12. Security & monitoring

The portal monitors several things to protect the team and ensure fair operation:

Kill switch: If access is revoked, all your credentials are invalidated within 5 seconds. Gateway key, license, and proxy access are deleted simultaneously. This is irreversible.

13. FAQ

How much can I earn per month?
Every researcher receives a fixed salary of ¥4,000 CNY/month (~$550 USD) plus KPI-based performance bonuses. Active researchers with consistent High/Critical findings earn ¥8,000–15,000/month. Top performers can reach ¥25,000+/month.
Do I need security experience?
Basic understanding of web security (SQL injection, XSS, IDOR) is helpful. Claude Code and the CLAUDE.md methodology will guide you, but you need to understand what you are looking for. We recommend studying OWASP Top 10 and reading real bug bounty writeups.
What if my finding is a duplicate?
The system runs automatic dedup checks against 5 databases (WPScan, NVD, ExploitDB, Huntr, OWVD) before submission. If it still turns out to be a duplicate on the platform, no penalty — duplicates are a normal part of bug bounty. You just do not get paid for that one.
How many hours per day should I work?
There is no strict requirement. Work as much as you want. The heartbeat system tracks when you are online, but there is no minimum hours. Quality matters, not hours.
Can I use my own tools?
Yes, you can use additional tools (Burp Suite, sqlmap, nuclei, etc.) alongside OwlMind tools. But all submissions must go through owlhunt submit.
What happens if my finding is rejected (N/A)?
Nothing bad for you — no penalty. But too many N/A reports lower our platform reputation, so always verify your findings thoroughly before submitting.
What if I find a Critical vulnerability?
Great! Critical findings (CVSS 9.0+) can pay $5,000-$25,000+. Follow the same process: verify, write a clear report with PoC, submit through the system. The team lead will prioritize its review.
Can I work on multiple targets at once?
Yes. Use owlhunt new for each target. You can have multiple sessions open. Use owlhunt list to see all active sessions.
What if my download link expired?
Contact the team lead. They will generate a new approval with a fresh download link.
How do submissions work?
You submit from your own platform account (set up during onboarding with a @muravey.app email). The owlhunt submit command runs dedup and quality checks before you send. All submissions are tracked in the portal.
I have a problem with installation. What do I do?
Run the installer again — it is idempotent (safe to re-run). Check that Python 3.10+, Node.js 18+, and Git are installed. If still stuck, contact the team lead with the error output.