BountyDash: Why Bug Bounty Hunters Built Their Own Analytics Stack Instead of Using Spreadsheets
Hook
Most security tools obsess over protection. BountyDash ships with zero authentication, no CSRF tokens, and a warning label that says ‘never expose this to the internet.’ For bug bounty hunters tracking six-figure earnings across platforms, this is exactly what they need.
Context
Bug bounty hunters face a unique analytics problem. A productive researcher might submit reports to HackerOne, Bugcrowd, Synack, Intigriti, and half a dozen private programs simultaneously. Each platform provides its own statistics dashboard showing your submissions, acceptance rates, and earnings—but only for that platform. Want to know if you’re better at finding XSS vulnerabilities in Q4 versus Q2? Which day of the week you submit your highest-value reports? Whether your reporting velocity has increased year-over-year? You’re stuck exporting CSV files and building pivot tables manually.
BountyDash emerged from this frustration, built by Frans Rosén and Mathias Karlsson (both prominent in the bug bounty community) who needed longitudinal insights into their own hunting patterns. Rather than building a SaaS platform with OAuth integrations and encrypted databases, they made a deliberately radical choice: a localhost-only tool with no security features whatsoever. The entire architecture assumes you’re running it on 127.0.0.1, importing sensitive bounty data that never leaves your machine, and visualizing patterns that reveal your competitive advantages as a researcher.
Technical Insight
BountyDash’s architecture reflects a philosophy that local-first tools don’t need enterprise security. The PHP backend does minimal work—it’s essentially a file-based JSON database with sanitization. When you import a CSV from HackerOne or Bugcrowd, the backend reads your existing reports from data.json, parses the CSV, deduplicates entries using MD5 hashes of combined fields, and writes everything back to disk. No database server, no authentication layer, no session management.
The deduplication strategy is clever in its simplicity. Since different platforms export data with slightly different field names and formats, BountyDash creates a hash from normalized report data:
// Simplified deduplication logic
function generateReportHash(report) {
const normalized = [
report.title.toLowerCase().trim(),
report.date,
report.severity,
report.program
].join('|');
return md5(normalized);
}
function importReports(existingReports, newReports) {
const existingHashes = new Set(
existingReports.map(r => generateReportHash(r))
);
return newReports.filter(report => {
const hash = generateReportHash(report);
return !existingHashes.has(hash);
});
}This hash-based approach handles the messy reality of platform data exports. HackerOne might call a field report_title while Bugcrowd uses submission_name, but BountyDash normalizes these during CSV parsing, then prevents duplicates even when you accidentally import the same file twice.
The tagging system reveals why hunters use this tool despite the manual import friction. You can select multiple reports and bulk-apply regex patterns to automatically categorize vulnerability types. Want to tag all your IDOR findings? Select reports matching /unauthorized.*access|IDOR|indirect object/i and tag them with ‘access-control’. Over months of imports, this builds a taxonomy of your specializations. The frontend then aggregates these tags into charts showing which vulnerability classes you’re most successful at finding—invaluable when deciding which programs to target.
The client-side JavaScript handles all the heavy lifting for analytics. It processes the JSON blob in-memory, calculating statistics like:
// Example: Calculate reporting velocity by month
function getVelocityByMonth(reports) {
const monthlyGroups = reports.reduce((acc, report) => {
const month = new Date(report.date).toISOString().slice(0, 7);
acc[month] = (acc[month] || 0) + 1;
return acc;
}, {});
// Calculate moving average to smooth seasonality
const months = Object.keys(monthlyGroups).sort();
return months.map((month, idx) => {
const window = months.slice(Math.max(0, idx - 2), idx + 1);
const average = window.reduce((sum, m) => sum + monthlyGroups[m], 0) / window.length;
return { month, count: monthlyGroups[month], trend: average };
});
}This reveals productivity patterns you can’t see in platform-native dashboards. Maybe you’re 40% more productive in winter months. Maybe Friday submissions have a higher acceptance rate. BountyDash surfaces these insights because it has visibility across your entire bounty hunting career, not just one platform’s slice.
The currency handling—or lack thereof—shows the tool’s pragmatic limitations. Totals are calculated by summing reward amounts without conversion, which works fine if you primarily work in one currency but breaks down for international hunters. The developers acknowledged this limitation rather than building a flaky conversion API that would fail or require API keys.
Gotcha
BountyDash’s biggest limitation is its manual import workflow. Every time you want updated statistics, you need to visit each platform, export a CSV, save it locally, navigate to BountyDash’s import page, and upload the file. There are no API integrations—platforms like HackerOne offer APIs, but BountyDash doesn’t use them. For hunters checking stats daily, this friction becomes tedious fast. The tool is better suited for monthly or quarterly retrospectives than real-time tracking.
The localhost-only requirement is both a feature and a constraint. If you want to access your dashboard from multiple machines, you’re manually copying the data.json file around or setting up your own sync solution. The deliberate lack of security features means you absolutely cannot deploy this to a VPS or share it with teammates without completely rearchitecting the authentication layer. The README’s warning is serious: expose this to the internet and anyone can see your complete bounty hunting history, earnings, program names, and vulnerability patterns. For team leads wanting to aggregate their squad’s performance, BountyDash won’t work without significant modifications.
Verdict
Use BountyDash if you’re an active bug bounty hunter submitting reports across multiple platforms (three or more) and want historical insights into your productivity patterns, vulnerability specializations, and earnings trends that platform-native dashboards can’t provide. The manual import friction is worth it for quarterly or annual reviews where you’re making strategic decisions about which programs to focus on or which vulnerability classes to study. The localhost constraint is actually a feature if you’re protective of your bounty data and don’t trust SaaS analytics platforms. Skip it if you primarily use one platform (just use their native stats), need real-time or automated syncing, want to share dashboards with a team, or can’t guarantee you’ll only access it from localhost. Also skip if you work across multiple currencies and need accurate financial totals—the lack of conversion will give you misleading numbers. This is a personal retrospective tool, not an operational dashboard.
