Production-ready enterprise bug bounty platform with role-based access, CVSS scoring, and full report triage workflows.

This is a quick overview; security theory, architecture, and full walkthroughs are in the learn modules.
- Role-based access control for Researchers, Companies, and Admins with JWT refresh token rotation
- CVSS vulnerability scoring with full report triage and bounty award workflows
- Program management with configurable scope, reward tiers, and SLA tracking
- Multi-device session management with token versioning for instant invalidation
- Rate limiting, audit logging, and input validation across all endpoints
- Repository pattern with strict type safety across ~7,000 lines of backend code
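An added illustration (not the project's code) of the token-versioning idea behind the session-management bullet above: each signed token carries the user's current `token_version`, verification rejects any token whose version no longer matches, and bumping the stored version revokes every outstanding token on every device without a blocklist. User store, secret and function names are assumptions; tokens are minimal HS256 JWTs built from the standard library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Added illustration of "token versioning for instant invalidation"; the names
# below are assumptions, not the project's code. Tokens are minimal HS256 JWTs
# built from the standard library so the example runs offline.
SECRET = b"constructed-demo-secret"              # constructed sample key
users = {"alice": {"token_version": 1}}          # constructed user store

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_token(username: str, ttl: int = 900, now: Optional[int] = None) -> str:
    """Embed the user's current token_version ("tv") in the signed claims."""
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": username, "tv": users[username]["token_version"], "exp": now + ttl}
    payload = _b64(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64(_sign(f'{header}.{payload}'))}"

def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if signature, algorithm, expiry and token_version all check out."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None                         # never trust the token's own alg choice
        if not hmac.compare_digest(_sign(f"{header}.{payload}"), _unb64(sig)):
            return None                         # forged or tampered
        claims = json.loads(_unb64(payload))
        if claims["exp"] <= now:
            return None                         # expired
        user = users.get(claims["sub"])
        if user is None or claims["tv"] != user["token_version"]:
            return None                         # version bumped: revoked on every device at once
        return claims
    except (ValueError, KeyError, TypeError, AttributeError):
        return None                             # malformed token

def revoke_all_sessions(username: str) -> None:
    """Bump the stored version; every outstanding token for the user now fails verification."""
    users[username]["token_version"] += 1
```

In a real deployment the version lives on the user row and the check costs one cached lookup per request, which is what makes the invalidation instant rather than waiting for expiry.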
```sh
docker compose up -d
```

Visit http://localhost:8420 or the live demo at bugbounty.carterperez-dev.com

> **Tip:** This project uses `just` as a command runner. Type `just` to see all available commands.
> Install: `curl -sSf https://just.systems/install.sh | bash -s -- --to ~/.local/bin`
Backend: FastAPI, SQLAlchemy 2.0+, PostgreSQL 18, Redis 7, Alembic, Argon2id, JWT
Frontend: React 19, TypeScript 5.9, Vite 7, React Router 7.1, TanStack Query v5, Zustand
This project includes step-by-step learning materials covering security theory, architecture, and implementation.
| Module | Topic |
|---|---|
| 00 - Overview | Prerequisites and quick start |
| 01 - Concepts | Security theory and real-world breaches |
| 02 - Architecture | System design and data flow |
| 03 - Implementation | Code walkthrough |
| 04 - Challenges | Extension ideas and exercises |
AGPL 3.0