ScopesExtractor is a Ruby-based tool that monitors bug bounty programs across multiple platforms, tracks scope changes, and sends notifications about them in real time.
This tool is designed for security researchers and bug bounty hunters who need to stay updated on scope modifications across various bug bounty platforms. It automates the tracking of scope additions and removals, ensuring users do not miss important changes that could affect their testing boundaries or opportunities. Organizations running bug bounty programs can also use it to maintain accurate scope records and alert stakeholders.
Docker is the recommended environment for running ScopesExtractor to simplify dependencies and setup. Users must configure platform credentials and Discord webhook URLs in the .env file for full functionality. API mode requires an API key for authentication. The tool supports OTP authentication for platforms that require it. Persistent JSON storage and history retention policies help maintain data integrity over time.
Clone the repository: git clone https://github.com/JoshuaMart/ScopesExtractor
Navigate into the directory: cd ScopesExtractor
Create the environment file: cp .env.example .env
Configure the .env file with platform credentials, Discord webhook URLs, API settings, synchronization options, and history retention policy
Build the Docker image: docker build . -t scopes
docker run --mount type=bind,source="$(pwd)/libs/db/db.json",target=/app/libs/db/db.json --mount type=bind,source="$(pwd)/libs/db/history.json",target=/app/libs/db/history.json scopes
Run the application in classic mode without API to monitor and track scope changes.
docker run -p 4567:4567 --mount type=bind,source="$(pwd)/libs/db/db.json",target=/app/libs/db/db.json --mount type=bind,source="$(pwd)/libs/db/history.json",target=/app/libs/db/history.json scopes
Run the application in API mode to expose HTTP endpoints for querying program data and changes.
curl -H "X-API-Key: your_api_key_here" http://localhost:4567
Fetch current bug bounty program data via API.
curl -H "X-API-Key: your_api_key_here" http://localhost:4567/changes
Retrieve recent scope changes from the last 48 hours (default).
curl -H "X-API-Key: your_api_key_here" "http://localhost:4567/changes?hours=24"
Get scope changes from the last 24 hours.
curl -H "X-API-Key: your_api_key_here" "http://localhost:4567/changes?platform=YesWeHack"
Filter changes by the YesWeHack platform.
curl -H "X-API-Key: your_api_key_here" "http://localhost:4567/changes?type=add_scope"
Filter changes to show only added scopes.
curl -H "X-API-Key: your_api_key_here" "http://localhost:4567/changes?program=ProgramName"
Filter changes by a specific program name.
curl -H "X-API-Key: your_api_key_here" "http://localhost:4567/changes?category=web"
Filter changes by category, e.g., web.
curl -H "X-API-Key: your_api_key_here" "http://localhost:4567/changes?hours=72&platform=Hackerone&type=add_scope"
Combine filters to get added scopes from Hackerone in the last 72 hours.
curl -H "X-API-Key: your_api_key_here" http://localhost:4567/wildcards
Retrieve all wildcard domains across platforms.
curl -H "X-API-Key: your_api_key_here" "http://localhost:4567/wildcards?platform=YesWeHack"
Get wildcard domains from the YesWeHack platform.