BountyDash: Privacy-First Analytics for Bug Bounty Hunters Who Don't Trust the Cloud
Hook
Your bug bounty earnings data is worth more to attackers than the vulnerabilities you report. That's why BountyDash runs entirely on localhost with zero external API calls—treating your hunting patterns as the sensitive information they actually are.
Context
Bug bounty hunters operate across multiple platforms—HackerOne, Bugcrowd, Synack, Intigriti—each with their own dashboard, analytics, and incomplete picture of your performance. Want to know your actual success rate across all programs? Your most profitable vulnerability types? Whether you're heading toward burnout based on submission patterns? You're stuck stitching together CSV exports in spreadsheets or building custom scripts.
BountyDash emerged from a simple realization: bug bounty data is personally identifiable, strategically valuable, and deeply private. Your hunting patterns reveal which companies you're researching, which vulnerability classes you've mastered, and potentially which bugs you've found but haven't disclosed yet. Sending that data to third-party analytics platforms—even encrypted—introduces risk. BountyDash takes a radically different approach: everything runs on your local machine, data never leaves your filesystem, and the entire analytics engine executes in your browser. It's not trying to be a SaaS platform or a collaborative tool. It's a personal intelligence system for solo hunters who want insights without exposure.
Technical Insight
BountyDash's architecture is deceptively simple: a thin PHP backend that handles file I/O and a JavaScript frontend that does all the heavy lifting. When you import CSV exports from bounty platforms, the PHP layer reads them, normalizes the data into a common schema, and appends everything to a single data.json file. That's it. No database, no ORM, no complex queries—just flat-file storage optimized for append-only operations.
The clever part is deduplication. Bug bounty platforms sometimes issue multiple payments for the same report (initial bounty, bonus, swag), and you might import the same CSV twice. BountyDash generates a hash from key fields to identify unique entries:
// Fingerprint a report from the fields that distinguish one payout from another
function generateHash(report) {
  const fingerprint = [
    report.id || '',
    report.status || '',
    report.date || '',
    report.amount || '',
    report.currency || '',
    report.program || '',
    report.title || '',
    report.source || ''
  ].join('|');
  return simpleHash(fingerprint);
}

// Classic 31x + c string hash, folded to a signed 32-bit integer and rendered in base 36
function simpleHash(str) {
  let hash = 0;
  for (let i = 0; i < str.length; i++) {
    const char = str.charCodeAt(i);
    hash = ((hash << 5) - hash) + char; // hash * 31 + char
    hash = hash & hash; // Convert to 32-bit integer
  }
  return hash.toString(36);
}
This allows multiple rewards per report (a bonus carries a different date and amount, so it gets a different hash) while collapsing a CSV imported twice into a single set of entries. It's not cryptographically secure, and it doesn't need to be: it only has to keep a few thousand bounty entries apart, and a simple 32-bit polynomial string hash handles that fine. The caveat worth knowing is that the fingerprint includes status, date and amount, so when a report's status changes between exports (say from Triaged to Resolved) the re-exported row hashes differently and lands as a second entry rather than updating the first.
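To make the deduplication semantics concrete, here is an added example (not code from the BountyDash repository) of an import merge built on the same fingerprint hash: the two payouts for one report survive because their date and amount differ, while a re-imported export is dropped. The merge function, its return shape and the sample rows are assumptions of this example.

```javascript
// Added example, not BountyDash's own code: merging a new CSV import into the
// existing data.json array using the same fingerprint deduplication.
const FINGERPRINT_FIELDS = ['id', 'status', 'date', 'amount', 'currency', 'program', 'title', 'source'];

// Same 31x + c string hash as the page's simpleHash, folded to a 32-bit integer
function simpleHash(str) {
  let hash = 0;
  for (let i = 0; i < str.length; i++) {
    hash = ((hash << 5) - hash) + str.charCodeAt(i);
    hash |= 0;
  }
  return hash.toString(36);
}

function generateHash(report) {
  return simpleHash(FINGERPRINT_FIELDS.map(f => report[f] || '').join('|'));
}

// Appends only unseen fingerprints; returns counts so an import can report what it skipped
function mergeImports(existing, incoming) {
  const seen = new Set(existing.map(generateHash));
  const merged = existing.slice();
  let added = 0, skipped = 0;
  for (const report of incoming) {
    const h = generateHash(report);
    if (seen.has(h)) { skipped++; continue; }
    seen.add(h);
    merged.push({ ...report, hash: h });
    added++;
  }
  return { merged, added, skipped };
}

// Constructed sample: report 1234 paid twice (initial bounty, then a bonus),
// followed by the same export accidentally imported a second time plus one new row
const firstImport = [
  { id: '1234', status: 'Resolved', date: '2024-03-01', amount: '500', currency: 'USD',
    program: 'acme', title: 'SSRF in webhook', source: 'hackerone' },
  { id: '1234', status: 'Resolved', date: '2024-03-15', amount: '250', currency: 'USD',
    program: 'acme', title: 'SSRF in webhook', source: 'hackerone' },
];
const reImport = [...firstImport,
  { id: '5678', status: 'Triaged', date: '2024-04-02', amount: '0', currency: 'USD',
    program: 'acme', title: 'Reflected XSS', source: 'hackerone' },
];

const first = mergeImports([], firstImport);          // both payouts kept: different date and amount
const second = mergeImports(first.merged, reImport);  // 1 added, 2 skipped
```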
The tagging system is where BountyDash really shines for pattern analysis. You can manually tag reports or use regex-based bulk tagging to categorize vulnerabilities across all platforms:
// Auto-tag based on report titles
const tagPatterns = [
  { regex: /xss|cross.?site.?scripting/i, tag: 'XSS' }, // 'scripting' keeps CSRF titles from matching this one too
  { regex: /sqli|sql.?injection/i, tag: 'SQLi' },
  { regex: /csrf|cross.?site.?request/i, tag: 'CSRF' },
  { regex: /ssrf|server.?side.?request/i, tag: 'SSRF' },
  { regex: /idor|insecure.?direct.?object/i, tag: 'IDOR' },
  { regex: /rce|remote.?code.?execution/i, tag: 'RCE' }
];

// Returns new report objects; existing manual tags are kept and merged with the matches
function autoTag(reports) {
  return reports.map(report => {
    const title = report.title || ''; // untitled reports simply get no auto-tags
    const matchedTags = tagPatterns
      .filter(pattern => pattern.regex.test(title))
      .map(pattern => pattern.tag);
    return {
      ...report,
      tags: [...new Set([...(report.tags || []), ...matchedTags])]
    };
  });
}
Once tagged, you can slice your data to discover patterns: "I have a 73% acceptance rate on SSRF bugs but only 31% on XSS" or "My average payout for authentication bypasses is 3x higher than input validation issues." These insights inform where to focus your research time.
The frontend uses Chart.js for temporal visualizations—earnings over time, submission frequency, success rates by month. All calculations happen client-side, which means the initial page load processes your entire dataset in JavaScript. For most hunters with a few hundred to a few thousand reports, this is imperceptible on modern hardware. The payoff is zero server-side processing and complete data privacy.
Currency handling is present but incomplete. The system tracks currency per reward (USD, EUR, Bitcoin, etc.) but doesn't convert to a common currency for aggregate statistics. This means your "total earnings" chart might mix currencies, which is technically correct but analytically useless if you're earning in multiple denominations. The data model supports conversion—you'd just need to add exchange rate lookups and a normalization layer before the charting code.
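The per-tag slicing described above, together with the currency normalization layer the page says is missing, as an added example rather than BountyDash's own code: acceptance rate and average payout per tag, with each reward converted to USD before it is summed so mixed-currency totals cannot occur. The accepted-status set, the exchange rates and the sample reports are assumptions constructed for the example.

```javascript
// Added example, not BountyDash's own code: acceptance rate and average payout per tag,
// with each reward converted to a reference currency before it is summed.
const ACCEPTED_STATUSES = new Set(['Resolved', 'Triaged']); // assumption: which statuses count as accepted

// Refuses to aggregate an unknown currency instead of silently mixing it into the total
function toUsd(amount, currency, rates) {
  const rate = rates[(currency || 'USD').toUpperCase()];
  if (rate === undefined) throw new Error(`no exchange rate for ${currency}`);
  return Number(amount || 0) * rate;
}

// Returns { tag: { submitted, accepted, acceptanceRate, avgPayoutUsd } }
function statsByTag(reports, rates) {
  const buckets = {};
  for (const r of reports) {
    for (const tag of r.tags || []) {
      const b = buckets[tag] || (buckets[tag] = { submitted: 0, accepted: 0, totalUsd: 0 });
      b.submitted++;
      if (ACCEPTED_STATUSES.has(r.status)) {
        b.accepted++;
        b.totalUsd += toUsd(r.amount, r.currency, rates);
      }
    }
  }
  const out = {};
  for (const [tag, b] of Object.entries(buckets)) {
    out[tag] = {
      submitted: b.submitted,
      accepted: b.accepted,
      acceptanceRate: b.submitted ? b.accepted / b.submitted : 0,
      avgPayoutUsd: b.accepted ? b.totalUsd / b.accepted : 0, // average over accepted reports
    };
  }
  return out;
}

// Constructed rates (not live quotes) and constructed tagged reports
const RATES = { USD: 1, EUR: 1.1 };
const sampleReports = [
  { title: 'SSRF in webhook', status: 'Resolved', amount: '500', currency: 'USD', tags: ['SSRF'] },
  { title: 'SSRF via image fetch', status: 'Resolved', amount: '1000', currency: 'EUR', tags: ['SSRF'] },
  { title: 'Reflected XSS', status: 'Not Applicable', amount: '0', currency: 'USD', tags: ['XSS'] },
  { title: 'Stored XSS', status: 'Resolved', amount: '300', currency: 'USD', tags: ['XSS'] },
];
const stats = statsByTag(sampleReports, RATES); // SSRF: 100% accepted, avg 800 USD; XSS: 50%, avg 300 USD
```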
Gotcha
BountyDash's documentation explicitly states "this is not our proudest moment" regarding the CSV parsing code, and they're not exaggerating. The parser makes hardcoded assumptions about column ordering, date formats, and field presence that vary wildly between platforms. HackerOne exports might have a "Severity" column; Bugcrowd might not. Some platforms use ISO 8601 dates; others use MM/DD/YYYY. You'll likely need to manually clean CSVs or write custom import scripts for each platform. The repository includes examples for major platforms, but if your workflow involves smaller platforms or custom programs, expect to spend time wrangling data formats.
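One way to make an import tolerant of exactly those differences, as an added example and not the project's PHP parser, written in the JavaScript the rest of the page's snippets use: resolve each schema field by header synonym instead of column position and normalize both date shapes, with an absent column (such as Severity) surfacing as an empty field and an unparsed date as null rather than a bogus value. The alias lists, the sample rows and the USD default are assumptions, not details of any real platform export.

```javascript
// Added example, not BountyDash's own code: map one parsed CSV row into the common
// schema by header synonyms and date shape instead of column position. The alias lists
// are assumptions about what exports might call each field, not taken from any platform.
const FIELD_ALIASES = {
  id: ['id', 'report id', 'submission id', 'reference'],
  title: ['title', 'report title', 'summary'],
  status: ['status', 'state'],
  amount: ['amount', 'bounty', 'reward', 'payout'],
  currency: ['currency'],
  date: ['date', 'created', 'created at', 'paid at', 'submitted'],
  program: ['program', 'team', 'customer'],
  severity: ['severity', 'priority'], // optional: some platforms do not export it
};

// Case-insensitive header lookup; undefined when no alias is present or the cell is empty
function pick(row, aliases) {
  const keys = Object.keys(row);
  for (const alias of aliases) {
    const k = keys.find(key => key.trim().toLowerCase() === alias);
    if (k !== undefined && String(row[k]).trim() !== '') return String(row[k]).trim();
  }
  return undefined;
}

// Accepts ISO 8601 (with or without a time part) and MM/DD/YYYY; returns YYYY-MM-DD,
// or null so an unparsed date is visible rather than silently becoming a bogus value
function normalizeDate(value) {
  if (!value) return null;
  let m = value.match(/^(\d{4})-(\d{2})-(\d{2})/);
  if (m) return `${m[1]}-${m[2]}-${m[3]}`;
  m = value.match(/^(\d{1,2})\/(\d{1,2})\/(\d{4})$/);
  if (m) return `${m[3]}-${m[1].padStart(2, '0')}-${m[2].padStart(2, '0')}`;
  return null;
}

function normalizeRow(row, source) {
  const out = { source };
  for (const [field, aliases] of Object.entries(FIELD_ALIASES)) out[field] = pick(row, aliases) ?? '';
  out.date = normalizeDate(out.date);
  out.currency = (out.currency || 'USD').toUpperCase(); // assumption: USD when the export omits currency
  out.amount = String(Number(out.amount.replace(/[$,]/g, '')) || 0); // '$1,500.00' -> '1500'
  return out;
}

// Constructed rows imitating two differently shaped exports
const rowA = { 'Report ID': '1234', 'Title': 'SSRF in webhook', 'State': 'Resolved', 'Bounty': '$1,500.00',
  'Created at': '2024-03-01T10:00:00Z', 'Team': 'acme', 'Severity': 'High' };
const rowB = { 'Reference': 'P1-77', 'Summary': 'Stored XSS', 'Status': 'Triaged', 'Reward': '300',
  'Submitted': '3/5/2024', 'Customer': 'acme' };
```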
Security is intentionally minimal because the threat model assumes localhost-only deployment. There's no CSRF protection, no authentication, no input sanitization beyond basic JSON encoding. The README explicitly warns against deploying to any networked environment. This is fine for solo use on your laptop, but if you wanted to adapt this for a team (say, a consulting firm's internal bounty aggregation), you'd need to add an entire security layer. The codebase prioritizes simplicity and auditability over hardening—you can read the entire source in an hour and verify it's not exfiltrating data, which is the actual security model here.
Verdict
Use BountyDash if you're a solo bug bounty hunter who wants cross-platform analytics without trusting third-party services, you're comfortable running localhost applications and occasionally debugging CSV import issues, and you value privacy enough to accept some manual data wrangling. It's perfect for identifying your personal hunting patterns, forecasting earnings, and understanding which vulnerability types yield the best ROI for your skillset. Skip if you need multi-user access, production-grade security, automated platform integrations, or robust multi-currency financial reporting. Also skip if you're hunting casually on a single platform—the native dashboards are probably sufficient. BountyDash's value proposition scales with the number of platforms you're active on and how seriously you treat bug hunting as a measurable, optimizable discipline.