BOFA
Health: Warn
- No license — repository has no license file
- Description — repository has a description
- Active repo — last push 0 days ago
- Low visibility — only 9 GitHub stars
Code: Fail
- Hardcoded secret — potential hardcoded credential in api/auth.py
Permissions: Pass
- Permissions — no dangerous permissions requested
Local-first security runtime for duplicate-aware web/API hunting, evidence and AI copilots
BOFA is a local-first cybersecurity framework with a growing flagship for duplicate-aware web/API bug bounty hunting.
Its current promise is simple:
BOFA helps hunters see what changed, what is weird, and what is less likely to be duplicate.
That sits on top of a broader foundation:
- unified runtime and control plane
- signed evidence bundles and offline verification
- CLI, API, web UI and labs
- MCP and agent-friendly orchestration
Why BOFA
Most hunting setups can execute recon.
BOFA is trying to get better at something harder:
- keeping memory per program
- importing public intelligence and local notes
- building a target graph from surface data
- detecting deltas between snapshots
- scoring novelty and duplicate risk
- turning noisy findings into a short manual review queue
If you are tired of collecting obvious duplicates, that is the part of BOFA to care about first.
Flagship Workflow
- Create a bounty workspace for one program.
- Import scope, disclosed reports, URL lists, Burp sitemap exports, JS endpoints or manual notes.
- Analyze the workspace.
- Review the What Changed, Novelty Queue, Duplicate Risk and Review Queue views.
- Execute skills like delta_recon, duplicate_risk, surface_regression or manual_handoff.
- Export evidence and keep the runtime history tied to the workspace.
Walkthrough:
Quick Start
Local
git clone https://github.com/descambiado/BOFA
cd BOFA
pip install -r requirements.txt
npm install
./bofa.sh
Frontend
npm run dev
Verification
python tools/verify_runtime_hardening.py
python tools/verify_control_plane.py
python tools/verify_bounty_system.py
npm run build
Main Components
Duplicate-aware bounty
- bounty workspaces
- imports for scope, disclosed reports, URL lists, Burp sitemap, JS endpoints and notes
- target graph
- snapshots and surface deltas
- novelty findings
- duplicate-risk scoring
- clustered review queue
- bounty skills for tactical analysis
Runtime and evidence
- unified runs, steps, labs, events and artifacts
- timeline persistence
- runtime cancellation and retry lineage
- evidence export per run
- signed bundles with offline verification
Interfaces
- CLI for local operation
- FastAPI backend
- React web UI
- MCP server
- security agent with run_skill support
What BOFA Is Not Pretending To Be
BOFA already has useful operational pieces, but this is the honest framing:
- the runtime and evidence layers are the strongest production-facing pieces
- the labs and some educational surfaces are still educational-first
- the bug bounty system is the flagship growth direction
- BOFA does not auto-report to HackerOne
- BOFA does not yet rely on authenticated HackerOne API access
- BOFA does not yet center browser-authenticated crawling in the bounty core
That honesty matters more than hype.
Bounty Skills
Current workspace-native bounty skills include:
- program_intel
- disclosed_report_graph
- delta_recon
- js_api_diff
- authz_matrix
- duplicate_risk
- report_novelty_gate
- surface_regression
- manual_handoff
These are designed for a copilot workflow, not blind autopilot.
Repository Health
Current direction:
- fewer contradictory claims
- more verification
- more workspace memory
- better evidence
- better novelty and duplicate-aware prioritization
Status page:
Changelog:
Responsible Use
Use BOFA only on systems you own or are authorized to assess.
This project is for:
- bug bounty and security research under program rules
- authorized pentesting
- local security labs and learning
- defensive validation and reproducible evidence workflows
Useful Links