descambiado/BOFA
BOFA

BOFA is a local-first cybersecurity framework with a growing flagship for duplicate-aware web/API bug bounty hunting.

Its current promise is simple:

BOFA helps hunters see what changed, what is weird, and what is less likely to be duplicate.

That sits on top of a broader foundation:

  • unified runtime and control plane
  • signed evidence bundles and offline verification
  • CLI, API, web UI and labs
  • MCP and agent-friendly orchestration

Why BOFA

Most hunting setups can execute recon.

BOFA is trying to get better at something harder:

  • keeping memory per program
  • importing public intelligence and local notes
  • building a target graph from surface data
  • detecting deltas between snapshots
  • scoring novelty and duplicate risk
  • turning noisy findings into a short manual review queue

If you are tired of collecting obvious duplicates, that is the part of BOFA to care about first.


Flagship Workflow

  1. Create a bounty workspace for one program.
  2. Import scope, disclosed reports, URL lists, Burp sitemap exports, JS endpoints or manual notes.
  3. Analyze the workspace.
  4. Review:
    • What Changed
    • Novelty Queue
    • Duplicate Risk
    • Review Queue
  5. Execute skills like delta_recon, duplicate_risk, surface_regression or manual_handoff.
  6. Export evidence and keep the runtime history tied to the workspace.
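As an added example (not BOFA's own code), here is one way to model the snapshot delta and duplicate-risk scoring that the workflow above describes: two constructed endpoint snapshots are diffed, each new or changed endpoint is scored against constructed disclosed-report entries, and the result is ordered into a short review queue. The Endpoint shape, the scoring weights and the sample data are assumptions.

```python
# Added illustration, not BOFA's own code: snapshot delta + duplicate-risk
# scoring on constructed data. Snapshot/report shapes are assumptions.
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    method: str
    path: str
    params: frozenset = field(default_factory=frozenset)

    def key(self):
        return (self.method, self.path)


def surface_delta(old, new):
    """Diff two snapshots (dicts keyed by (method, path)): returns the
    added endpoints, removed endpoints, and ones whose params changed."""
    added = [new[k] for k in new.keys() - old.keys()]
    removed = [old[k] for k in old.keys() - new.keys()]
    changed = [new[k] for k in old.keys() & new.keys()
               if old[k].params != new[k].params]
    return added, removed, changed


def duplicate_risk(endpoint, disclosed):
    """0.0-1.0: exact path match with overlapping params scores high,
    a sibling path under the same prefix scores low, unrelated is 0."""
    best = 0.0
    for path, params in disclosed:
        if path == endpoint.path:
            overlap = len(endpoint.params & params) / max(1, len(endpoint.params | params))
            best = max(best, 0.6 + 0.4 * overlap)
        elif path.rsplit("/", 1)[0] == endpoint.path.rsplit("/", 1)[0]:
            best = max(best, 0.3)
    return round(best, 2)


def review_queue(old, new, disclosed):
    """Novelty queue: new or changed endpoints, lowest duplicate risk first."""
    added, _, changed = surface_delta(old, new)
    return sorted((duplicate_risk(e, disclosed), e.method, e.path) for e in added + changed)


def snapshot(*eps):
    return {e.key(): e for e in eps}


# Constructed sample data: an older and a newer surface snapshot plus one disclosed report
OLD = snapshot(Endpoint("GET", "/api/v1/users", frozenset({"id"})),
               Endpoint("POST", "/api/v1/login", frozenset({"user", "pass"})))
NEW = snapshot(Endpoint("GET", "/api/v1/users", frozenset({"id", "role"})),
               Endpoint("POST", "/api/v1/login", frozenset({"user", "pass"})),
               Endpoint("GET", "/api/v2/export", frozenset({"format"})))
DISCLOSED = [("/api/v1/users", frozenset({"id"}))]
```

Running `review_queue(OLD, NEW, DISCLOSED)` puts the never-disclosed `/api/v2/export` at the top of the queue and the already-reported `/api/v1/users` (only a new `role` parameter) at the bottom.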

Walkthrough:


Quick Start

Local

git clone https://github.com/descambiado/BOFA
cd BOFA
pip install -r requirements.txt
npm install
./bofa.sh

Frontend

npm run dev

Verification

python tools/verify_runtime_hardening.py
python tools/verify_control_plane.py
python tools/verify_bounty_system.py
npm run build

Main Components

Duplicate-aware bounty

  • bounty workspaces
  • imports for scope, disclosed reports, URL lists, Burp sitemap, JS endpoints and notes
  • target graph
  • snapshots and surface deltas
  • novelty findings
  • duplicate-risk scoring
  • clustered review queue
  • bounty skills for tactical analysis

Runtime and evidence

  • unified runs, steps, labs, events and artifacts
  • timeline persistence
  • runtime cancellation and retry lineage
  • evidence export per run
  • signed bundles with offline verification

Interfaces

  • CLI for local operation
  • FastAPI backend
  • React web UI
  • MCP server
  • security agent with run_skill support

What BOFA Is Not Pretending To Be

BOFA already has useful operational pieces, but this is the honest framing:

  • the runtime and evidence layers are the strongest production-facing pieces
  • the labs and some educational surfaces are still educational-first
  • the bug bounty system is the flagship growth direction
  • BOFA does not auto-report to HackerOne
  • BOFA does not yet rely on authenticated HackerOne API access
  • BOFA does not yet center browser-authenticated crawling in the bounty core

That honesty matters more than hype.


Bounty Skills

Current workspace-native bounty skills include:

  • program_intel
  • disclosed_report_graph
  • delta_recon
  • js_api_diff
  • authz_matrix
  • duplicate_risk
  • report_novelty_gate
  • surface_regression
  • manual_handoff

These are designed for a copilot workflow, not blind autopilot.


Repository Health

Current direction:

  • fewer contradictory claims
  • more verification
  • more workspace memory
  • better evidence
  • better novelty and duplicate-aware prioritization

Status page:

Changelog:


Responsible Use

Use BOFA only on systems you own or are authorized to assess.

This project is for:

  • bug bounty and security research under program rules
  • authorized pentesting
  • local security labs and learning
  • defensive validation and reproducible evidence workflows

Useful Links

About

Best Of All Cybersecurity Suite