Use this tool to fetch public/private scopes from bug bounty programs and output them in various formats.
Requires Go 1.21 or later.
go install github.com/root4loot/rescope/cmd/rescope@latest
git clone https://github.com/root4loot/rescope.git
cd rescope
docker run --rm -it $(docker build -q .) [options] [<BugBountyURL>...]
Usage:
rescope [options] [<BugBountyURL>...] [-iL <file>] [-eL <file>]
INPUT:
-iL, --include-list file containing list of URLs or custom in-scope definitions (newline separated)
-eL, --exclude-list file containing list of URLs or custom out-of-scope definitions (newline separated)
OUTPUT:
-oF, --output-file output to given file (default: stdout)
OUTPUT FORMAT:
-oT, --output-text output simple text (default)
-oB, --output-burp output Burp Suite Scope (JSON)
-oZ, --output-zap output ZAP Scope (XML)
-oJ, --output-json output JSON
-oJL, --output-json-lines output JSON lines
OUTPUT FILTER:
--filter-expand-ip-ranges output individual IPs instead of IP ranges / CIDRs
AUTHORIZATION:
--auth-bugcrowd bugcrowd secret (_bugcrowd_session=cookie.value) [Optional]
--auth-hackerone hackerone secret (Authorization bearer token) [Optional]
--auth-yeswehack yeswehack secret (Authorization bearer token) [Optional]
--auth-intigriti intigriti secret (see https://app.intigriti.com/researcher/personal-access-tokens) [Optional]
GENERAL:
-c, --concurrency maximum number of concurrent requests (default: 5)
--proxy proxy to use for requests (e.g. 127.0.0.1:8080)
--debug enable debug mode
--version display version
rescope https://hackerone.com/security https://bugcrowd.com/tesla
rescope --output-burp --output-file burp_scope.json https://hackerone.com/security https://bugcrowd.com/tesla
The --include-list
(-iL
) and --exclude-list
(-eL
) options allow you to define custom scope rules that may include wildcard domains, IP ranges, and specific ports.
*.example.com
api.example.com
192.168.1.0/24
10.0.0.1
10.0.0.1:8080
test.example.com
192.168.1.100
You can use these lists to specify which targets should be included or excluded in your scope definitions.
rescope -iL include.txt -eL exclude.txt
You can also pipe a list of bug bounty URLs directly into rescope
using standard input:
cat urls.txt | rescope
This will process the URLs in urls.txt
using the default configuration or any additional flags provided.
package main
import (
"fmt"
"log"
"github.com/root4loot/rescope/pkg/rescope"
)
func main() {
opts := rescope.DefaultOptions()
opts.AuthHackerOne = "your_hackerone_token" // Optional
opts.AuthIntigriti = "your_intigriti_token" // Optional
bugBountyURLs := []string{
"https://hackerone.com/security",
"https://bugcrowd.com/tesla",
}
for _, url := range bugBountyURLs {
result, err := rescope.Run(url, opts)
if err != nil {
log.Printf("Failed to run rescope for URL %s: %v", url, err)
continue
}
fmt.Printf("Results for %s:\n", url)
fmt.Printf("In-Scope: %v\n", result.InScope)
fmt.Printf("Out-Scope: %v\n", result.OutScope)
}
}
- Select Settings -> Project -> Scope
- Click the ⚙︎ icon below the "Target Scope" title and choose "Load settings"
- Select Burp JSON file exported from rescope
- Select File -> Import Context
- Select the ZAP XML file exported from rescope
Contributions are welcome. To contribute, fork the repository, create a new branch, make your changes, and send a pull request.