BugPilot is an interactive security testing orchestrator for authorized bug bounty workflows.
It now supports:
- Target type intake (web app, API, mobile backend, other)
- Target URL intake at runtime
- Test-case/module selection at runtime
- Module execution with structured findings
- Target response snapshot capture per finding
- Risk, mitigation, vulnerability point, and lab validation notes
- Report persistence in `reports/output/<run_id>/`

An interactive run walks through these steps:

- Ask target type
- Ask target URLs
- Ask which test cases/modules to run
- Crawl and discover endpoints
- Execute selected modules
- Enrich findings with risk + response details
- Save Markdown and JSON reports
Install dependencies and start an interactive run:

```bash
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
python3 main.py
```

If you leave targets blank during prompts, BugPilot falls back to `config/scope.txt`.
Headless (non-interactive) run:

```bash
python3 main.py --headless \
  --targets https://target \
  --modules all \
  --formats json,sarif \
  --validate-findings none
```

Useful flags:

- `--fail-on-findings`: exit non-zero when findings exist.
- `--baseline-findings <path>`: differential scan against a baseline findings JSON.
- `--replay-session <path>`: replay previous run context from `session.json`.
- `--lab-auto-docker`: run isolated lab validation requests via a Docker curl container when available.
Each run writes to a unique folder:

- `reports/output/run_<timestamp>/report.md`
- `reports/output/run_<timestamp>/findings.json`
- `reports/output/run_<timestamp>/context.json`
- `reports/output/run_<timestamp>/endpoints.json`
- `reports/output/run_<timestamp>/session.json`
- `reports/output/run_<timestamp>/results.sarif` (if `sarif` format selected)
- `reports/output/run_<timestamp>/lab_validation_results.json` (if lab validation executed)
- `reports/output/run_<timestamp>/differential_scan.json` (if baseline provided)
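As an added example (not BugPilot's own code), here is a small CI gate that combines the two ideas behind `--baseline-findings` and `--fail-on-findings`: diff a run's `findings.json` against a baseline and turn the result into an exit status. The findings schema (`module`, `endpoint`, `vulnerability_point`, `risk`), the risk scale and the sample data are all assumptions constructed for the example.

```python
import json
# Assumed risk scale for the gate (the page does not define one).
RISK_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
# Constructed sample data in the findings.json shape this example assumes:
# a JSON list of findings with module, endpoint, vulnerability_point and risk.
BASELINE_JSON = """[
 {"module": "headers", "endpoint": "https://target/login",
  "vulnerability_point": "missing Strict-Transport-Security", "risk": "low"},
 {"module": "xss", "endpoint": "https://target/search",
  "vulnerability_point": "q reflected without encoding", "risk": "high"}
]"""
CURRENT_JSON = """[
 {"module": "headers", "endpoint": "https://target/login",
  "vulnerability_point": "missing Strict-Transport-Security", "risk": "low"},
 {"module": "sqli", "endpoint": "https://target/api/items",
  "vulnerability_point": "id parameter error-based", "risk": "critical"}
]"""

def finding_key(finding):
    """Identity of a finding across runs: module + endpoint + vulnerability point."""
    return (finding["module"], finding["endpoint"], finding["vulnerability_point"])

def diff_findings(baseline, current):
    """Bucket the current run's findings as new, resolved or unchanged vs. the baseline."""
    base = {finding_key(f): f for f in baseline}
    cur = {finding_key(f): f for f in current}
    return {
        "new": [cur[k] for k in sorted(cur.keys() - base.keys())],
        "resolved": [base[k] for k in sorted(base.keys() - cur.keys())],
        "unchanged": [cur[k] for k in sorted(cur.keys() & base.keys())],
    }

def gate_exit_code(diff, fail_on_findings=True, min_risk="medium", new_only=False):
    """Exit status for CI: non-zero when findings exist (like --fail-on-findings).
    new_only=True ignores findings that were already present in the baseline."""
    if not fail_on_findings:
        return 0
    candidates = diff["new"] if new_only else diff["new"] + diff["unchanged"]
    blocking = [f for f in candidates if RISK_RANK.get(f["risk"], 0) >= RISK_RANK[min_risk]]
    return 1 if blocking else 0

def run_differential(baseline_text, current_text, **gate_opts):
    diff = diff_findings(json.loads(baseline_text), json.loads(current_text))
    return diff, gate_exit_code(diff, **gate_opts)

if __name__ == "__main__":
    diff, code = run_differential(BASELINE_JSON, CURRENT_JSON)
    print(json.dumps(diff, indent=2))
    raise SystemExit(code)
```

Point the two JSON constants at a real baseline and a fresh `findings.json` to use it in a pipeline; `new_only=True` is the variant that only blocks on regressions.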
Configuration files:

- `config/modules.yaml`: module registry and enabled state
- `config/test_cases.yaml`: attack method, scripts, tools, and commands metadata
- `config/payload_rules.yaml`: payload and indicator rules
Use BugPilot only on systems you are explicitly authorized to test.