OwlMind is a professional bug bounty team. We find real security vulnerabilities in open-source software (WordPress plugins, AI/LLM frameworks, web apps) and submit them to bounty platforms for cash rewards.
What we look for:
The full pipeline from your machine to a paid bounty:
You (Claude Code + owlhunt)
|
v
Scan target code --> Find vulnerability --> Verify it's real
|
v
owlhunt add (register finding) --> owlhunt submit (send to platform)
|
v
Platform reviews --> Accepted / Duplicate / N-A
|
v
Bounty paid to OwlMind --> Fixed salary + KPI bonus to you
owlhunt/bounty/status/yourname.owlmind-yourname.tar.gz.install.bat as Administrator.
| Component | What it does |
|---|---|
Claude Code | AI assistant for code analysis — your main tool |
owlhunt | CLI for managing sessions, findings, submissions |
CLAUDE.md | Methodology file — Claude reads this and knows how to audit |
500+ SAST detectors | YAML rules that find vulnerability patterns in code |
Heartbeat cron | Pings the portal every 30 min — confirms you are online |
Daily report cron | Sends your daily stats at 21:00 automatically |
team_sync | Syncs targets/findings with the team (no duplicates) |
owlmind_guard | License validator — keeps your access active |
After installation, verify everything works:
Open a terminal and type claude to start. Claude Code is an AI assistant that can read code, search files, run commands, and help you find vulnerabilities. It already knows the OwlMind methodology from CLAUDE.md.
Example session:
| Command | What it does |
|---|---|
owlhunt new URL | Start a new target session (clones repo + quick audit) |
owlhunt list | List all active sessions |
owlhunt status | Details of current session |
owlhunt add SESS --file path:LINE --type idor --severity high --title "..." | Register a confirmed finding |
owlhunt submit SESS | Submit finding to bounty platform (with auto-dedup) |
owlhunt submit SESS --dry-run | Test submission without actually sending |
owlhunt close SESS | Close session when done with a target |
owlhunt scan-ast | Run AST-based scanner on code (500+ detectors) |
owlhunt slop-check DRAFT.md | Check your report for AI-sounding language |
owlhunt journal | Log your attempts and outcomes |
owlhunt lab-up | Start a local WordPress test lab (Docker) |
owlhunt lab-down | Stop the test lab |
owlhunt deephunt OWNER/REPO | End-to-end pipeline: scope gate, clone, AST scan, triage, dedup, draft |
owlhunt record SLUG --type idor --severity high --platform patchstack | Record a submitted finding to the team ledger |
owlhunt wp-attack | Run payload-based WordPress probe against local lab |
owlhunt attack | Run auto-attacker (137 attack classes) with report output |
owlhunt kit-gen TARGET | Generate attack kit (6 vector scripts + runbook) for a SaaS target |
owlhunt confidence | Show detector confidence report |
owlhunt draft-gen HASH | Generate report draft from finding hash |
owlhunt email | Send coordinated disclosure email to vendor |
--dry-run first before actual submission. This runs dedup checks and slop checks without sending anything.owlhunt new URL --wp for a WordPress plugin.owlhunt scan-ast for automated scanning. Verify every finding manually.owlhunt lab-up). Write a PoC (curl command). Confirm the vulnerability works on a real install.owlhunt add to register the finding, then owlhunt submit to send it to the bounty platform.1. owlhunt add SESSION --file path:line --type sqli --severity high --title "..."
--> Finding registered locally + Pass 1 dedup (checks known CVEs)
2. owlhunt submit SESSION --dry-run
--> Pass 2 dedup (WPScan + NVD + OWVD) + slop check
--> Shows what would be sent, without sending
3. owlhunt submit SESSION
--> Enhances report (CVSS, impact, remediation)
--> Sends to platform via your account
--> Records submission_id in portal
file:line to file:line to sinkNever use phrases like "This vulnerability allows attackers to potentially...", "It is important to note that...", "This could lead to serious security implications...". Write like a human researcher: direct, specific, with real code line numbers and working PoC commands.
For most platforms you will have your own account with a yourname@muravey.app email. All bounty payouts are managed by the team lead and distributed as salary + KPI bonus. The team lead coordinates submission scheduling to avoid rate limits.
| Item | Details |
|---|---|
| Fixed salary | ¥4,000 CNY/month (~$550 USD) — guaranteed monthly payment |
| KPI bonus | Performance-based bonus calculated monthly (findings count, severity, acceptance rate) |
| Payout method | PayPal, bank transfer, or crypto — arranged individually |
| Tracking | Every submission is recorded with platform ID, amount, and dual-signature |
| LLM API | Free — paid by the team through the gateway (daily budget default $3/day) |
| Performance | Monthly | USD equivalent |
|---|---|---|
| Base salary | ¥4,000 | ~$550 |
| Good KPI (consistent findings) | ¥8,000 | ~$1,100 |
| Great KPI (High/Critical) | ¥15,000 | ~$2,000 |
| Top performer | ¥25,000+ | ~$3,400+ |
Your machine pings the portal every 30 minutes automatically (set up by the installer). This tells the team lead you are online and working. You do not need to do anything — it runs in the background.
At 21:00 local time, the system automatically sends your daily stats:
This is fully automatic. The data comes from your local owlhunt session logs and heartbeats. You can also run bash ~/daily_report.sh manually to see what will be sent.
All scripts, YAML detectors, CLAUDE.md, and techniques are proprietary. Sharing = immediate termination.
All submissions go through owlhunt submit or your assigned platform account. Never submit from personal accounts outside the team. Coordinate with the team lead on timing.
Every finding must be a real, verified vulnerability with a working PoC. Fake submissions = ban from the team and from the platform.
One well-written, verified High-severity report is worth more than 10 unverified Medium reports. Bad reports damage our platform reputation.
The license guard and encrypted detectors are integrity-checked. Tampering triggers an alert and immediate access revocation.
If you are working, your machine must be on and connected. Extended offline periods without notice will be flagged.
Even after leaving the team, you may not disclose OwlMind tools, findings, or internal processes.
The portal monitors several things to protect the team and ensure fair operation:
@muravey.app are processed for alerts (password resets, payouts, status changes)owlhunt submit.owlhunt new for each target. You can have multiple sessions open. Use owlhunt list to see all active sessions.@muravey.app email). The owlhunt submit command runs dedup and quality checks before you send. All submissions are tracked in the portal.