A full-stack bug bounty platform that orchestrates security scans for web applications and smart contracts, with blockchain-based bounty payout logic.
- Backend: FastAPI REST API for creating scan jobs, managing results, and user authentication.
- Frontend: React + TypeScript SPA with login, registration, and dashboard views.
- Smart Contract: Solidity contract on Ethereum for committee-based bounty approvals and payouts.
- CLI: `bp` command-line tool to submit and monitor scan jobs.
- Orchestration: Apache Airflow DAG for multi-step scan pipelines.
- CI/CD: GitHub Actions pipelines for backend, frontend, smart contract, Docker, and security scanning.
| Layer | Technology |
|---|---|
| Backend | Python 3.11, FastAPI, SQLAlchemy, Alembic |
| Frontend | React 18, TypeScript, Vite |
| Smart Contract | Solidity 0.8.20, Hardhat, OpenZeppelin |
| Database | PostgreSQL 15, Redis 7 |
| Infrastructure | Docker, Docker Compose, Nginx |
| CI/CD | GitHub Actions |
```text
bounty_platform/
├── backend/
│   ├── main.py                 # FastAPI app (endpoints + background jobs)
│   ├── models.py               # SQLAlchemy models
│   ├── database.py             # Database connection & session
│   ├── logger.py               # Logging configuration
│   └── utils/
│       └── scanners.py         # Scanner helpers (ZAP, nuclei, Mythril, SCA)
├── frontend/
│   ├── src/
│   │   ├── App.tsx             # Main app with routing
│   │   ├── pages/              # Login, Register, Dashboard
│   │   └── api.ts              # Backend API client
│   ├── Dockerfile              # Frontend container (nginx)
│   └── package.json
├── smart_contract/
│   ├── contracts/
│   │   └── BugBounty.sol       # Bounty payout contract
│   ├── test/                   # Hardhat test suite (11 tests)
│   ├── scripts/
│   │   └── deploy.js           # Hardhat deployment script
│   └── hardhat.config.js
├── airflow/
│   └── dags/
│       └── bounty_pipeline.py  # Example Airflow DAG
├── scripts/
│   └── bp.py                   # CLI tool implementation
├── tests/                      # Backend + CLI test suite
├── alembic/                    # Database migrations
├── .github/workflows/          # CI/CD pipelines
├── Dockerfile                  # Backend container
├── docker-compose.yml          # Production stack
├── docker-compose.dev.yml      # Development stack
├── requirements.txt            # Python dependencies
└── pyproject.toml              # Python project config
```
- Python 3.11+
- Node.js 20+
- Docker & Docker Compose
```bash
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
uvicorn backend.main:app --reload --host 0.0.0.0 --port 8000
```

API: http://localhost:8000 | Health: http://localhost:8000/health
```bash
cd frontend
npm install
npm run dev
```

Opens at http://localhost:5173
```bash
cd smart_contract
npm install
npx hardhat test      # Run 11 tests
npx hardhat compile   # Compile contracts
```

```bash
cp .env.example .env
docker compose -f docker-compose.dev.yml up -d
```

```bash
pip install -e .
bp run --project demo --type attack_surface --url https://example.com
bp status <job_id>
```

| Method | Endpoint | Description |
|---|---|---|
| GET | /health | Health check |
| POST | /jobs | Create a scan job |
| GET | /jobs/{job_id} | Get job status/results |
All pipelines run on every push to main:
| Pipeline | What it does |
|---|---|
| Backend CI | Python linting (flake8, black) + pytest |
| Frontend CI | ESLint + TypeScript build |
| Smart Contract CI | Hardhat compile + test |
| Docker Build & Test | Build images, integration tests |
| Security Scanning | Trivy vulnerability scanning |
See .env.example for all available configuration options.
MIT — see LICENSE for details.