
KingOfBugBountyTips

Our main goal is to share tips from some well-known bug hunters. Using recon methodology, we are able to find subdomains, APIs, and tokens that are already exploitable, so we can report them. We wish to influence Onelinetips and explain the commands, for the better understanding of new hunters.

Install / Use

/learn @KingOfBugbounty/KingOfBugBountyTips
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

<div align="center">

KingOfBugBountyTips

<img src="https://media.giphy.com/media/077i6AULCXc0FKTj9s/giphy.gif" width="500" alt="Tactical Recon">

The Ultimate Bug Bounty Reconnaissance Arsenal

"In the shadows we hunt, in the code we trust"



</div>

DoD VDP Scope

DoD Vulnerability Disclosure Program | KingRecon DOD

<details> <summary><b>Full DoD Scope - 19 Domains</b></summary>

```bash
# BBRF Scope - All DoD Domains
bbrf inscope add '*.af.mil' '*.army.mil' '*.marines.mil' '*.navy.mil' '*.spaceforce.mil' '*.ussf.mil' '*.pentagon.mil' '*.osd.mil' '*.disa.mil' '*.dtra.mil' '*.dla.mil' '*.dcma.mil' '*.dtic.mil' '*.dau.mil' '*.health.mil' '*.ng.mil' '*.uscg.mil' '*.socom.mil' '*.dds.mil' '*.yellowribbon.mil'
```

| Military Branches | DoD Agencies | Support Commands |
|:-----------------|:-------------|:-----------------|
| `*.af.mil` - Air Force | `*.pentagon.mil` - Pentagon HQ | `*.dtic.mil` - Tech Info Center |
| `*.army.mil` - Army | `*.osd.mil` - Office of SecDef | `*.dau.mil` - Acquisition Univ |
| `*.marines.mil` - Marines | `*.disa.mil` - Defense Info Systems | `*.health.mil` - Military Health |
| `*.navy.mil` - Navy | `*.dtra.mil` - Threat Reduction | `*.ng.mil` - National Guard |
| `*.spaceforce.mil` - Space Force | `*.dla.mil` - Logistics Agency | `*.uscg.mil` - Coast Guard |
| `*.ussf.mil` - Space Force | `*.dcma.mil` - Contract Management | `*.socom.mil` - Special Operations |

</details>
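
Added example, not part of the repository: a scope guard for wildcard entries written in the same `'*.domain'` form as the `bbrf inscope add` list above, meant to sit between host enumeration and any probing step so that only in-scope hostnames pass. The function names and the reserved `example.org` / `example.net` patterns are assumptions; substitute the program's own entries.

```bash
#!/bin/sh
# Added example (not from the repository): wildcard scope guard.
# SCOPE_PATTERNS is constructed; one '*.domain' entry per line.
SCOPE_PATTERNS='*.example.org
*.example.net'

# in_scope HOST: succeed only if HOST is a subdomain of some scope entry.
# The apex itself (example.org) is not covered by '*.example.org'.
in_scope() {
  # Normalise case and drop the trailing dot of a fully qualified name.
  _host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  _host=${_host%.}
  # Accept bare hostnames only: no URLs, ports, wildcards or empty labels.
  case $_host in
    ''|*[!a-z0-9.-]*|.*|*..*) return 1 ;;
  esac
  while IFS= read -r _pat; do
    # Ignore entries that are not of the form '*.something'.
    case $_pat in '*.'?*) ;; *) continue ;; esac
    _suffix=${_pat#\*}          # '*.example.org' -> '.example.org'
    # The quoted suffix is matched literally and must end the name, so
    # 'evilexample.org' and 'example.org.attacker.test' both fail.
    case $_host in
      *"$_suffix") return 0 ;;
    esac
  done <<EOF
$SCOPE_PATTERNS
EOF
  return 1
}

# scope_filter: read hostnames on stdin, print the normalised in-scope ones.
scope_filter() {
  while IFS= read -r _line; do
    if in_scope "$_line"; then printf '%s\n' "$_host"; fi
  done
}

# Constructed input: only the first and third names are printed.
scope_filter <<'EOF'
api.example.org
evilexample.org
Mail.Example.NET.
example.org.attacker.test
https://api.example.org
EOF
```

The filter deliberately rejects URLs and `host:port` strings, so it belongs before the step that turns hostnames into URLs.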

Security Notice

This repository is for EDUCATIONAL and AUTHORIZED testing ONLY. Always obtain proper authorization before testing.

<details> <summary><b>📜 Click to read our Security Policy & Guidelines</b></summary> <br>

✅ Permitted Use Cases

  • Authorized Bug Bounty Programs - HackerOne, Bugcrowd, Intigriti, etc.
  • Authorized Penetration Testing - With written permission
  • Personal Lab Environments - Your own infrastructure
  • Educational Purposes - Learning and research
  • DoD VDP Program - Following program rules

❌ Prohibited Activities

  • Unauthorized Testing - Testing without explicit permission
  • Malicious Intent - Using techniques for harm or theft
  • Out-of-Scope Testing - Testing targets outside program scope
  • Social Engineering - Unless explicitly allowed in program
  • DoS/DDoS Attacks - Resource exhaustion attacks

📋 Responsible Disclosure Guidelines

  1. Read the Program Policy - Always review scope and rules
  2. Test Safely - Don't cause harm to production systems
  3. Document Everything - Keep detailed notes of your findings
  4. Report Privately - Use official channels for disclosure
  5. Give Time to Fix - Allow vendors reasonable time to patch
  6. Be Professional - Maintain ethical standards

🔒 Report Security Issues

Found a security issue in this repository? Please report it responsibly:

Report Issue

</details>

📚 Table of Contents

<details> <summary><b>Click to expand navigation</b></summary>

| Section | Description |
|:--------|:------------|
| About | Project overview and goals |
| Quick Start | Get started in 5 minutes |
| Required Tools | Essential toolset |
| BBRF Scope DoD | DoD scope configuration |
| Subdomain Enumeration | Finding subdomains |
| JavaScript Recon | JS file analysis |
| XSS Detection | Cross-site scripting |
| SQL Injection | SQLi techniques |
| SSRF & SSTI | Server-side attacks |
| Web Crawling | Deep crawling methods |
| Parameter Discovery | Hidden params |
| Content Discovery | Sensitive files |
| Nuclei Scanning | Automated scanning |
| API Security Testing | API vulnerabilities |
| Cloud Security | AWS, GCP, Azure |
| Automation Scripts | Ready-to-use scripts |
| Bash Functions | Shell productivity |
| New Oneliners 2026 | CVE-2026 exploits & techniques |
| Oneliners 2024-2025 | Previous techniques |
| Search Engines | Hacker search engines |
| Wordlists | Best wordlists |
| Resources | Books, courses, blogs |

</details>

🎯 About

<div align="center">
╔═══════════════════════════════════════════════════════════════╗
║                 🎯 MISSION STATEMENT 🎯                       ║
╠═══════════════════════════════════════════════════════════════╣
║  Share elite bug bounty techniques from world-class hunters   ║
║  Build the most comprehensive one-liner collection           ║
║  Empower the security research community                     ║
╚═══════════════════════════════════════════════════════════════╝
</div>

Our main goal is to share tips from well-known bug hunters. Using advanced recon methodology, we discover subdomains, APIs, tokens, and vulnerabilities that are exploitable. We aim to influence and educate the community with powerful one-liner techniques for better understanding and faster results.

🏆 What Makes This Repository Special?

<table> <tr> <td align="center" width="25%"> <img src="https://img.shields.io/badge/400+-Oneliners-brightgreen?style=for-the-badge&logo=terminal" alt="Oneliners"><br> <b>💎 Curated Commands</b><br> <sub>Battle-tested from real hunters</sub> </td> <td align="center" width="25%"> <img src="https://img.shields.io/badge/Complete-Methodology-blue?style=for-the-badge&logo=hackthebox" alt="Methodology"><br> <b>🎯 Full Methodology</b><br> <sub>Recon to exploitation</sub> </td> <td align="center" width="25%"> <img src="https://img.shields.io/badge/2026-Updated-orange?style=for-the-badge&logo=github" alt="Updated"><br> <b>🔄 Constantly Updated</b><br> <sub>New techniques weekly</sub> </td> <td align="center" width="25%"> <img src="https://img.shields.io/badge/Community-Driven-red?style=for-the-badge&logo=discord" alt="Community"><br> <b>🌍 Community Driven</b><br> <sub>Top hunters worldwide</sub> </td> </tr> </table>

📦 Special Resources

<div align="center">

BugBuntu KingRecon Contribute

</div>

📊 Repository Highlights

<details> <summary><b>📈 Click to see detailed statistics</b></summary> <br>

| Category | Count | Status |
|:---------|:-----:|:------:|
| One-Liners | 400+ | ✅ Active |
| Techniques | 50+ | ✅ Active |
| Tools Covered | 100+ | ✅ Active |
| CVE Examples | 20+ | ✅ Active |
| DoD Domains | 19 | ✅ Active |
| Contributors | Growing | 🚀 Growing |
| Last Update | 2026 | ✅ Current |

</details>

🚀 Quick Start

<div align="center">

⚡ Get your first recon running in under 5 minutes

</div> <table> <tr> <td width="33%" align="center"> <h3>1️⃣ Install Tools</h3> <img src="https://img.shields.io/badge/Time-2%20mins-blue?style=for-the-badge" alt="Time"> </td> <td width="33%" align="center"> <h3>2️⃣ Run Recon</h3> <img src="https://img.shields.io/badge/Time-1%20min-green?style=for-the-badge" alt="Time"> </td> <td width="33%" align="center"> <h3>3️⃣ Find Bugs</h3> <img src="https://img.shields.io/badge/Time-2%20mins-red?style=for-the-badge" alt="Time"> </td> </tr> </table>

```bash
# 📥 Step 1: Install essential tools (ProjectDiscovery Suite)
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# 🔍 Step 2: Run your first reconnaissance chain
subfinder -d target.com -silent | httpx -silent | nuclei -severity critical,high

# 🎉 Step 3: Analyze results and profit!
# Check the output for vulnerabilities and start reporting!
```

<details> <summary><b>🎬 Want a complete automated workflow? Click here!</b></summary> <br>

```bash
# 🚀 Advanced Quick Start - Complete Recon Pipeline
TARGET="target.com"

# Subdomain enumeration with multiple sources
subfinder -d "$TARGET" -all -silent | \
httpx -silent -title
```

GitHub Stars: 5.3k
Category: Development
Updated: 19m ago
Forks: 958

Languages

Python

Security Score

80/100

Audited on Mar 24, 2026

No findings