BIPI

GitHub Recon for Bug Bounty: Dorks, Leaks, and Org Hunting

Cybersecurity

Engineers leak more on GitHub than on any other surface. Learn the dorks, the org pivots, and the scanners that turn public repos into paid reports.

By Arjun Raghavan, Security & Systems Lead, BIPI · January 21, 2023 · 9 min read

#bug-bounty #github-recon #gitdorker #trufflehog #secrets

GitHub is a recon source, not just a code host

Every product team pushes code, configs, and notes that leak more than the company expects. Targeted GitHub recon turns that habit into reports on HackerOne and Bugcrowd.

Find the orgs and the people

  • Search GitHub for the company name, note official orgs
  • Pull the public member list, identify likely engineers
  • Check personal repos of engineers; they often hold prototypes
  • Track forks of internal-looking repos; forks live longer than originals

Build a list of orgs, repos, and users tied to the target. That list is the input to every dork and scanner you run next.

Dorks that pay

  1. target.com password
  2. target.com api_key
  3. target.com authorization bearer
  4. target.com smtp
  5. target.com BEGIN RSA PRIVATE KEY
  6. filename:.env target.com
  7. filename:config.json target.com

Automate with care

gitdorker runs a dork list against the GitHub API with your token. Use it on a list of target keywords. Respect rate limits. Save results per dork so you can re-run only the new hits next time.

Scan repos with trufflehog and gitleaks

  • trufflehog github --org target-org --only-verified
  • gitleaks detect on cloned repos for offline review
  • noseyparker for entropy based detection of unusual strings
  • Always run on git history, not just current HEAD

Where the real wins hide

  • History: secrets removed but not rewritten
  • Forks: leaks survive long after parent fixes
  • Gists: personal pastes by employees
  • Wikis: rarely audited, often exposed

Validate before you report

A leaked key is only a finding if it works. Test it in the appropriate API with a benign read call. Note exactly what the key can access. The report should answer the triager's first question before they ask it.

GitHub recon is not luck. It is a checklist applied to a known org list, run on a schedule, and tuned every week.

Schedule and diff

  • Run gitdorker weekly on your dork and target lists
  • Watch new commits to known company orgs
  • Alert on new public repos in tracked orgs
  • Keep a redacted log of validated finds for your own learning

Report cleanly

When you do file, include the commit SHA, the file path, the exact line, and proof the credential worked. Mark the report sensitive and never paste the secret in plaintext. Programs reward speed and clarity. Both come from a disciplined pipeline, not from lucky greps.
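Two points above, scanning history rather than just HEAD and reporting a redacted secret with its commit, path and line, are easy to show together. This is an added example, not code from the post or from gitleaks/trufflehog: the commit history is a constructed stand-in for `git log -p` (the AWS key is the documentation example value), and the three patterns are a minimal rule set, not a complete scanner.

```python
import re
import hashlib
from dataclasses import dataclass

# Constructed stand-in for a repository's history: (sha, {path: content}),
# oldest first. The key is added in the first commit and "removed" in HEAD,
# but history was never rewritten, so it is still recoverable.
HISTORY = [
    ("a1b2c3d", {"config/.env": "DB_HOST=db.internal\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"}),
    ("b2c3d4e", {"config/.env": "DB_HOST=db.internal\nAWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}\n"}),
]

# Minimal rule set (assumed for the example); real scanners ship hundreds.
PATTERNS = {
    "aws-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "rsa-private-key": re.compile(r"-----BEGIN RSA PRIVATE KEY-----"),
}

@dataclass(frozen=True)
class Finding:
    rule: str
    sha: str      # commit the triager can check
    path: str
    line: int
    redacted: str  # safe to paste into a report

def redact(secret: str) -> str:
    """Keep prefix, length and a hash for correlation, never the value itself."""
    digest = hashlib.sha256(secret.encode()).hexdigest()[:12]
    return f"{secret[:4]}...[{len(secret)} chars, sha256:{digest}]"

def scan_commit(sha, files):
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            for rule, rx in PATTERNS.items():
                for m in rx.finditer(line):
                    findings.append(Finding(rule, sha, path, lineno, redact(m.group(0))))
    return findings

def scan_head(history):
    """What a HEAD-only scan sees: the current tree of the last commit."""
    sha, files = history[-1]
    return scan_commit(sha, files)

def scan_history(history):
    """Walk every commit, which is where removed-but-not-rewritten secrets live."""
    return [f for sha, files in history for f in scan_commit(sha, files)]
```

Run `scan_head(HISTORY)` and `scan_history(HISTORY)` side by side: the former is empty, the latter returns the finding with commit, path, line and a redacted value ready for the report.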
