Bug Bounty Triage

Accelerate your bounty hunting with smart program prioritization and vulnerability report triaging for DeFi protocols.

Install
cmdop skills install agensi-bug-bounty-triage

Bug Bounty Triage is a skill published by agensi, aimed at security researchers and smart contract auditors who work on platforms such as Code4rena, Sherlock, and HackenProof. Its core purpose is to reduce the time lost deciding which programs to target by systematically evaluating active bug bounty programs across three dimensions: payout potential, scope friction, and repository availability. The output is a prioritized target queue rather than an arbitrary audit order.

Once a target list is established, the skill applies triage rubrics to candidate vulnerability findings, assessing each for severity and exploitability. This helps a researcher decide which findings are worth developing into full proof-of-concept exploits before investing further time.

For findings that pass triage, the skill generates structured report skeletons and checklists aligned with the submission standards common to DeFi and smart contract audit platforms. These templates are intended to reduce rejection rates by ensuring required elements are present before submission.

The skill also provides a strategy framework that helps structure a researcher’s working day around high-impact tasks such as building test harnesses, rather than lower-value activities.

This skill is appropriate when a researcher needs to choose among multiple active programs or prepare a compliant vulnerability report. It is not a static analysis tool, does not execute code, and does not connect to external bug bounty platform APIs — it provides structured guidance and templates rather than automated scanning.

Use cases

  • Score and rank active bug bounty programs by expected payout versus proof-of-concept feasibility
  • Apply a triage rubric to a candidate finding to assess its severity and exploitability before writing a full report
  • Generate a report skeleton for a smart contract vulnerability submission on platforms like Code4rena or Sherlock
  • Build a prioritized audit target queue when facing multiple open programs simultaneously
  • Structure a daily research plan around high-impact tasks such as test harness development
  • Use checklists to verify a vulnerability report meets submission requirements before filing

When to use it

  • A researcher is unsure which of several active DeFi bug bounty programs to audit first
  • A finding needs to be assessed for severity and exploitability before committing to a full write-up
  • A researcher needs a structured report template formatted for credible security submissions
  • Time needs to be allocated across program evaluation, exploit development, and report writing

When not to use it

  • Automated static or dynamic analysis of smart contract code is needed — this skill does not execute or scan code
  • Direct API integration with bug bounty platforms is required — no live platform connectivity is provided
  • The target programs are outside DeFi or smart contract contexts, as the rubrics are oriented toward those domains
  • A fully automated end-to-end vulnerability detection pipeline is the goal