Bug Bounty Platform
CarterPerez-dev edited this page Feb 11, 2026 · 1 revision
Full-stack vulnerability disclosure platform with CVSS scoring, report lifecycle management, and role-based access.
A complete bug bounty platform where security researchers submit vulnerability reports to organizations. Features JWT authentication with Argon2id hashing, CVSS severity scoring, full report lifecycle management (submitted → triaged → accepted → resolved), role-based access control (user/company/admin), and a React dashboard for managing programs and submissions.
Status: Complete | Difficulty: Advanced
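The report lifecycle and role checks described above, as an added example (not the project's own code, which lives in its report module): a transition table that enforces both the allowed state sequence and the role and program ownership required for each step. The exact policy (companies move reports only on their own programs, admins may take any step, researchers none) is an assumption for illustration; the page states only the states and the three roles.

```python
from enum import Enum


class Role(str, Enum):
    USER = "user"        # security researcher
    COMPANY = "company"  # program owner
    ADMIN = "admin"


class Status(str, Enum):
    SUBMITTED = "submitted"
    TRIAGED = "triaged"
    ACCEPTED = "accepted"
    RESOLVED = "resolved"
    REJECTED = "rejected"


# Allowed edges of the lifecycle and the roles permitted to take each one.
# Assumed policy: researchers never move a report, companies triage and
# decide, admins may do anything a company can. RESOLVED and REJECTED are
# terminal because no edge leaves them.
TRANSITIONS: dict[tuple[Status, Status], frozenset[Role]] = {
    (Status.SUBMITTED, Status.TRIAGED): frozenset({Role.COMPANY, Role.ADMIN}),
    (Status.TRIAGED, Status.ACCEPTED): frozenset({Role.COMPANY, Role.ADMIN}),
    (Status.TRIAGED, Status.REJECTED): frozenset({Role.COMPANY, Role.ADMIN}),
    (Status.ACCEPTED, Status.RESOLVED): frozenset({Role.COMPANY, Role.ADMIN}),
}


class TransitionError(Exception):
    """Raised for an invalid edge, a forbidden role, or a cross-tenant edit."""


def transition(current: Status, new: Status, actor_role: Role,
               actor_id: str, program_owner_id: str) -> Status:
    """Return the new status or raise. Three checks, in order: the edge
    exists, the actor's role may use it, and a company actor owns the
    program the report belongs to (admins bypass the ownership check)."""
    allowed = TRANSITIONS.get((current, new))
    if allowed is None:
        raise TransitionError(f"{current.value} -> {new.value} is not a valid step")
    if actor_role not in allowed:
        raise TransitionError(f"role {actor_role.value} may not perform this step")
    if actor_role is Role.COMPANY and actor_id != program_owner_id:
        raise TransitionError("a company may only change reports on its own programs")
    return new


def is_allowed(current: Status, new: Status, actor_role: Role,
               actor_id: str, program_owner_id: str) -> bool:
    """Boolean form of transition(), convenient for a PATCH handler guard."""
    try:
        transition(current, new, actor_role, actor_id, program_owner_id)
        return True
    except TransitionError:
        return False
```

A PATCH handler on a report would resolve the actor's role and the report's program owner from the session and database, call `transition`, and persist the result; keeping the table in one place means the API, the admin dashboard and any background job all agree on which moves are legal.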
| Technology | Version | Purpose |
|---|---|---|
| FastAPI | 0.123+ | Async web framework |
| PostgreSQL | 18 | Primary database |
| SQLAlchemy | 2.0+ | Async ORM (mapped columns) |
| Alembic | 1.15+ | Database migrations |
| PyJWT | - | JWT token handling |
| pwdlib + Argon2 | - | Password hashing |
| Pydantic | v2 | Request/response validation |
| uuid-utils | - | UUID v7 generation |
| Technology | Version | Purpose |
|---|---|---|
| React | - | UI framework |
| TypeScript | - | Type safety |
| Vite | - | Build tool |
| TanStack Query | v5 | Server state management |
| Zustand | - | Client state (persisted) |
| Axios | - | HTTP client with interceptors |
| Zod | - | Runtime validation |
| Sass | - | Styling |
- Docker Compose
- Nginx reverse proxy
- Justfile task runner
- JWT access + refresh token flow with automatic renewal
- Argon2id password hashing (PHC winner)
- Token version tracking for instant invalidation
- Role-based access control (User, Company, Admin)
- CVSS severity scoring
- Full lifecycle: submitted → triaged → accepted → resolved / rejected
- Markdown-formatted descriptions
- Attachment support
- Company program creation and management
- Researcher profiles and submission history
- Admin dashboard for platform oversight
- Repository pattern for data access
- Pydantic schemas for validation (input/output separation)
- FastAPI dependency injection throughout
- Database session management with automatic rollback
- Mixin-based models (UUIDMixin, TimestampMixin)
```text
┌───────────────────────────────────────────────────────────┐
│  Frontend (React + TS)                                    │
│  Zustand (auth) | TanStack Query | Axios interceptors     │
│  Auto token refresh on 401                                │
└────────────────────────────┬──────────────────────────────┘
                             │
┌────────────────────────────▼──────────────────────────────┐
│  Nginx Reverse Proxy                                      │
└────────────────────────────┬──────────────────────────────┘
                             │
┌────────────────────────────▼──────────────────────────────┐
│  Backend (FastAPI)                                        │
│                                                           │
│  Routes → Dependencies → Repositories → Models            │
│                                                           │
│  ┌──────────┐  ┌──────────┐  ┌──────────────────────┐     │
│  │ Auth     │  │ Users    │  │ Reports / Programs   │     │
│  │ JWT +    │  │ CRUD     │  │ CVSS scoring         │     │
│  │ Argon2   │  │ Roles    │  │ Lifecycle mgmt       │     │
│  └──────────┘  └──────────┘  └──────────────────────┘     │
│                                                           │
│  Core: database.py | security.py | dependencies.py        │
│  Base: UUIDMixin | TimestampMixin | DeclarativeBase       │
└────────────────────────────┬──────────────────────────────┘
                             │
┌────────────────────────────▼──────────────────────────────┐
│  PostgreSQL 18                                            │
│  Users | Reports | Programs | Credentials                 │
│  UUID v7 PKs | Async via asyncpg                          │
└───────────────────────────────────────────────────────────┘
```
```bash
cd PROJECTS/advanced/bug-bounty-platform

# Copy environment file
cp .env.example .env

# Start development environment
just up
# Or: docker compose up --build

# Access at http://localhost:8420
```

```env
# Database
DATABASE_URL=postgresql+asyncpg://user:pass@localhost:5432/bugbounty

# JWT
SECRET_KEY=your-secret-key
JWT_ALGORITHM=HS256
ACCESS_TOKEN_EXPIRE_MINUTES=15
REFRESH_TOKEN_EXPIRE_DAYS=7

# CORS
CORS_ORIGINS=["http://localhost:3000"]
```

| Method | Endpoint | Description |
|---|---|---|
| POST | /api/auth/register | User registration |
| POST | /api/auth/login | JWT authentication |
| POST | /api/auth/refresh | Token refresh |
| GET | /api/users/me | Current user profile |
| POST | /api/reports | Submit vulnerability report |
| GET | /api/reports/{id} | Get report details |
| PATCH | /api/reports/{id} | Update report status |
| GET | /api/programs | List bounty programs |
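An added example, not the project's security.py, of the access/refresh token flow with token version tracking listed in the features, using the 15-minute and 7-day lifetimes from the environment block. It signs tokens with HS256 through the standard library's hmac module instead of PyJWT, keeps a constructed in-memory user table in place of the users relation, and leaves out Argon2id password hashing; the claim names `ver` and `type` and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Lifetimes from the environment block (ACCESS_TOKEN_EXPIRE_MINUTES=15,
# REFRESH_TOKEN_EXPIRE_DAYS=7), in seconds.
ACCESS_TTL = 15 * 60
REFRESH_TTL = 7 * 24 * 3600

# Constructed in-memory stand-in for the users table; the real platform
# would keep token_version as a column next to the password hash.
USERS = {"u1": {"role": "user", "token_version": 0}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(payload: dict, secret: str) -> str:
    """Minimal HS256 JWT (assumed stand-in for PyJWT's jwt.encode)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def decode(token: str, secret: str, now: float) -> dict:
    """Verify the signature and expiry before trusting any claim. The alg
    header is never used to pick an algorithm, only checked."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    payload = json.loads(_b64url_decode(body))
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    return payload


def issue_pair(user_id: str, secret: str, now: float) -> tuple[str, str]:
    """Stamp both tokens with the user's current token_version ("ver")."""
    ver = USERS[user_id]["token_version"]
    access = encode({"sub": user_id, "ver": ver, "type": "access", "exp": now + ACCESS_TTL}, secret)
    refresh_tok = encode({"sub": user_id, "ver": ver, "type": "refresh", "exp": now + REFRESH_TTL}, secret)
    return access, refresh_tok


def current_user(token: str, secret: str, now: float, expected_type: str = "access") -> str:
    """What a FastAPI auth dependency would do: a token is only good while
    its version matches the stored one, so bumping the version invalidates
    every outstanding access and refresh token at once, regardless of exp."""
    payload = decode(token, secret, now)
    if payload.get("type") != expected_type:
        raise ValueError("wrong token type")
    user = USERS.get(payload.get("sub"))
    if user is None or payload.get("ver") != user["token_version"]:
        raise ValueError("token revoked")
    return payload["sub"]


def revoke_all_sessions(user_id: str) -> None:
    """Called on password change, logout-everywhere, or an admin lockout."""
    USERS[user_id]["token_version"] += 1


def refresh(refresh_token: str, secret: str, now: float) -> tuple[str, str]:
    """The /api/auth/refresh step: only a refresh-type token can mint a new pair."""
    user_id = current_user(refresh_token, secret, now, expected_type="refresh")
    return issue_pair(user_id, secret, now)


def is_valid(token: str, secret: str, now: float, expected_type: str = "access") -> bool:
    try:
        current_user(token, secret, now, expected_type)
        return True
    except ValueError:
        return False
```

The version check costs one indexed read per request, which is the trade-off that buys instant invalidation without a token deny-list; the `type` claim stops a long-lived refresh token from being replayed against ordinary API routes.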
```text
bug-bounty-platform/
├── backend/
│   ├── src/app/
│   │   ├── core/
│   │   │   ├── database.py        # Async session manager
│   │   │   ├── security.py        # JWT + Argon2id
│   │   │   ├── dependencies.py    # Auth dependency injection
│   │   │   └── Base.py            # UUIDMixin, TimestampMixin
│   │   ├── user/                  # User module
│   │   │   ├── models.py          # User + UserRole enum
│   │   │   ├── repository.py      # Data access
│   │   │   ├── schemas.py         # Pydantic validation
│   │   │   └── routes.py          # API endpoints
│   │   ├── report/                # Report module (same pattern)
│   │   └── program/               # Program module (same pattern)
│   └── pyproject.toml
├── frontend/
│   ├── src/
│   │   ├── api/                   # Axios client + hooks
│   │   ├── stores/                # Zustand (auth persisted)
│   │   └── components/
│   └── package.json
├── infra/                         # Docker + Nginx
├── compose.yml
└── Justfile
```
```bash
# Backend
uv run ruff check .
uv run mypy .
uv run pytest tests/

# Frontend
pnpm lint
pnpm build
pnpm test
```

© AngelaMos | CertGames.com | CarterPerez-dev | 2026