Published May 1, 2026 | Version v1
Software Open

Bug Bounty Hunting: Automation and AI-Powered Resource Prioritization Using ImpSev Score

Contributors

  • 1. Technology Innovation Institute

Description

Bug bounty hunting involves testing large numbers of web resources, including directories and subdomains, yet hunters face a fundamental challenge: time is limited and reporting a vulnerability before other researchers is critical to receiving a reward. This makes intelligent resource prioritization a decisive competitive advantage. Despite this, existing tooling provides little guidance on where to focus manual effort, particularly when automated scanners report no findings.

This thesis proposes a systematic framework for prioritizing web application resources (from an attacker’s point of view), including directories, domains, and subdomains. The framework computes an Importance Score (Imp Score) for every resource. The main purpose of this score is to assess the importance of the resource, which guides the bug bounty hunter, or the tester in general, on where to focus manual investigation. As a secondary purpose, the score can indicate the potential for a weakness in a resource. The score is calculated by considering the functionalities of the resource. These functionalities are mapped to specific Common Weakness Enumeration (CWE) [61] identifiers, and each CWE is assigned a severity weight derived from two complementary data sources: historical Common Vulnerabilities and Exposures (CVE) [60] records from the National Vulnerability Database (NVD) [64] and real-world bug bounty reports from the HackerOne platform [32]. The Importance Score is computed using both static and dynamic methodologies: the static approach applies regular expression (regex) pattern matching against resource identifiers and page content, while the dynamic approach leverages large language models (LLMs) to reason about functionality in cases where regex coverage is insufficient.

Alongside the Importance Score, the framework computes a Severity Score (Sev Score) representing the exploitability and impact of any vulnerability detected within the resource. The primary purpose of this score is to surface the resources that are most historically associated with known vulnerabilities, along with their corresponding severity values. From a bug bounty hunter’s perspective, this translates directly into actionable intelligence: resources carrying a high Sev Score are those most likely to yield impactful findings, and any vulnerabilities discovered within them should be prioritised for reporting above others. This is achieved through automated scanning using Nuclei [74], a widely adopted vulnerability detection engine. The two scores are then combined into a unified metric termed the Importance and Severity Score (ImpSev Score).

The primary purpose of the ImpSev Score is twofold: to indicate to the tester that a discovered vulnerability within a given resource may warrant escalation to a higher severity rating, and to provide a systematic, matrix-driven framework for categorising and prioritising resources during a security engagement.

A decision matrix maps ImpSev Score ranges to concrete recommended actions for the hunter. For instance, a resource exhibiting both high importance and high severity is immediately escalated for manual investigation and reported directly. The prioritisation decision is governed by an action matrix that considers the combination of the Importance Score and the Severity Score together. For instance, resources carrying a high Importance Score combined with a high Severity Score, or a low Importance Score combined with a high Severity Score, are placed at the top of the testing queue, as these resources are historically associated with known vulnerabilities and therefore represent the highest-value targets.

Conversely, a resource with a high Importance Score but a zero or negligible Vulnerability Score carries no recorded vulnerability history yet remains functionally significant, and is therefore assigned to the next priority tier, warranting careful manual investigation after the higher priority resources have been addressed.
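
A sketch of the static scoring path and the action matrix described above, added here as an example; it is not the thesis's code. The regex rules, CWE weights, severity values, the 0.6 cut-off, the noisy-OR combination and the sample inventory are all assumptions constructed for illustration.

```python
import re
from math import prod

# Constructed rules: (pattern, CWE, weight in [0, 1]). The weights are
# placeholders, not the thesis's values derived from NVD and HackerOne data.
RULES = [
    (re.compile(r"login|signin|auth|sso", re.I), "CWE-287", 0.90),
    (re.compile(r"admin|manage|console", re.I), "CWE-284", 0.85),
    (re.compile(r"upload|import|attach", re.I), "CWE-434", 0.80),
]
# Assumed numeric value per Nuclei severity label.
SEVERITY = {"info": 0.0, "low": 0.2, "medium": 0.5, "high": 0.8, "critical": 1.0}
HIGH = 0.6  # assumed cut-off between "low" and "high" for both scores

def imp_score(identifier, content=""):
    """Static Imp score: regex over identifier and page content -> CWE weights."""
    text = identifier + "\n" + content
    hits = {cwe: w for rx, cwe, w in RULES if rx.search(text)}
    # Noisy-OR combination (an assumption): more functionality, higher score.
    return round(1 - prod(1 - w for w in hits.values()), 2), sorted(hits)

def sev_score(labels):
    """Sev score: worst severity among scanner findings, 0.0 if none."""
    return max((SEVERITY[s] for s in labels), default=0.0)

def tier(imp, sev):
    """Action matrix from the description; tier 3 is an assumed catch-all."""
    if sev >= HIGH:  # high Sev with high or low Imp: top of the queue
        return 1
    if imp >= HIGH:  # high Imp, Sev below the cut-off: next tier
        return 2
    return 3

def prioritise(inventory):
    """Return (tier, imp, sev, identifier) rows, highest priority first."""
    rows = []
    for identifier, content, labels in inventory:
        imp, sev = imp_score(identifier, content)[0], sev_score(labels)
        rows.append((tier(imp, sev), imp, sev, identifier))
    return sorted(rows, key=lambda r: (r[0], -r[2], -r[1]))

# Constructed inventory: (identifier, page content, Nuclei severity labels).
INVENTORY = [
    ("https://app.example.com/static/logo.png", "", []),
    ("https://app.example.com/admin/upload", "", []),
    ("https://app.example.com/p/17", "<form action='/files/upload'>", []),
    ("https://old.example.com/status", "Server status", ["high"]),
    ("https://app.example.com/login", "", ["critical", "info"]),
]
```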

The thesis further introduces a novel approach to directory brute-forcing designed to complement the prioritization framework and support both authorized penetration testing and bug bounty hunting engagements. Traditional directory discovery relies on static wordlists that are generic and target-agnostic.

The proposed approach replaces this with a dynamic, context-aware methodology driven by LLMs and open source Common Crawling data (CC-Data) [15]. This idea is implemented practically as a tool that combines passive crawling, active crawling, directory pattern matching with CC-Data, and LLM-guided dynamic path generation. The result is a curated, target-specific list of discovered directories categorized into three tiers: passively discovered paths, actively probed paths, and LLM-extended candidate paths, giving hunters a significantly more actionable and contextually relevant attack surface than conventional wordlist-based tools produce.

Files

Files (394.5 MB)

md5:e55963d006feffba662124e2f9849a1c (394.5 MB)