What middleBrick covers

  • Black-box API scanning with a risk score in under one minute
  • Prioritized findings mapped to OWASP API Top 10 (2023)
  • OpenAPI 3.0/3.1/Swagger 2.0 parsing with spec-to-runtime cross-check
  • Authenticated scans with header allowlist and domain verification
  • CI/CD integration via GitHub Action and MCP Server support
  • Continuous monitoring with diff detection and HMAC-SHA256 signed webhooks

Assess newly discovered API issues quickly

When bug bounty findings appear, you need a fast, reliable way to understand risk without adding infrastructure. Submit the API endpoint or host URL to a black-box scanner and receive a risk score from A to F with prioritized findings within a minute. The scan uses read-only methods such as GET and HEAD, plus text-only POST for LLM probes, so no destructive payloads are sent.

Map findings to recognized security frameworks

Each finding maps to OWASP API Top 10 (2023), and where applicable aligns with PCI-DSS 4.0 and SOC 2 Type II controls. For other regulations, the tool helps you prepare for audits by surfacing findings relevant to frameworks such as HIPAA, GDPR, ISO 27001, NIST, CCPA, and related standards. It does not certify compliance, replace an auditor, or guarantee adherence to any regulatory requirement.

Cover the OWASP API Top 10 with targeted detections

The scanner evaluates 12 categories:

  • Authentication bypass
  • JWT misconfigurations such as alg=none or expired tokens
  • BOLA and IDOR via sequential ID enumeration
  • BFLA and privilege escalation through admin endpoint probing
  • Property Authorization over-exposure
  • Input Validation issues like CORS wildcard and dangerous HTTP methods
  • Rate Limiting and oversized responses
  • Data Exposure including PII patterns and API key formats
  • Encryption and HSTS misconfigurations
  • SSRF via URL-accepting parameters
  • Inventory issues like missing versioning
  • LLM/AI Security through adversarial probes across Quick, Standard, and Deep tiers

Use OpenAPI analysis to cross-check runtime behavior

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, then cross-references spec definitions against runtime findings. This highlights undefined security schemes, sensitive fields, deprecated operations, and missing pagination, giving you a discrepancy view that supports audit evidence and helps prioritize fixes.
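As an added illustration of the spec-to-runtime cross-check described above (example code written for this page, not middleBrick's own implementation), the following Python compares a constructed OpenAPI 3.0 document against constructed unauthenticated response statuses and reports undefined security schemes, operations that answer 200 without credentials despite declaring security, and deprecated operations that are still served. The sample spec, the observed statuses and the finding wording are all assumptions.

```python
# Added example of a spec-to-runtime cross-check (not middleBrick's code);
# the spec and the observed statuses below are constructed sample data.
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

# Constructed OpenAPI 3.0 document: one operation references a scheme that
# components/securitySchemes never defines, one is deprecated, one is public.
SPEC = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {"BearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/users/{id}": {
            "get": {"security": [{"BearerAuth": []}]},
            "delete": {"security": [{"AdminKey": []}]},
        },
        "/legacy/export": {"get": {"deprecated": True, "security": [{"BearerAuth": []}]}},
        "/health": {"get": {"security": []}},
    },
}

# Constructed runtime observations: HTTP status seen when the probe request
# carried no credentials, keyed by (METHOD, path template).
UNAUTH_STATUS = {
    ("GET", "/users/{id}"): 200,
    ("DELETE", "/users/{id}"): 401,
    ("GET", "/legacy/export"): 200,
    ("GET", "/health"): 200,
}


def cross_check(spec: dict, unauth_status: dict) -> list[str]:
    """One line per discrepancy between what the spec promises and what the
    unauthenticated probe actually observed."""
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    global_security = spec.get("security", [])  # inherited when an op has none
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level keys such as parameters or summary
            verb = method.upper()
            # An explicit "security": [] opts out; a missing key inherits global.
            schemes = {name for req in op.get("security", global_security) for name in req}
            for name in sorted(schemes - defined):
                findings.append(f"{verb} {path}: references undefined security scheme '{name}'")
            if schemes and unauth_status.get((verb, path)) == 200:
                findings.append(f"{verb} {path}: spec requires auth but 200 returned without credentials")
            if op.get("deprecated") and unauth_status.get((verb, path)) not in (None, 404, 410):
                findings.append(f"{verb} {path}: deprecated operation still served")
    return findings
```

Each finding line is the discrepancy view in miniature: the operation, what the spec promised, and what the probe actually saw.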

Configure authenticated scans and safe integrations

Authenticated scanning supports Bearer, API key, Basic auth, and Cookie. Domain verification is enforced through DNS TXT records or an HTTP well-known file so only the domain owner can scan with credentials. The scanner forwards a limited header allowlist including Authorization, X-API-Key, Cookie, and X-Custom-* headers. Use the CLI with middlebrick scan <url>, integrate via the GitHub Action as a CI/CD gate, or connect through the MCP Server and API client for custom workflows.

Frequently Asked Questions

Can the scanner fix the findings it reports?
No. It detects and reports with remediation guidance, but it does not fix, patch, block, or remediate issues.
Does it perform active SQL or command injection testing?
No. It does not perform intrusive payloads such as active SQL injection or command injection, which are outside its scope.
Can it detect business logic vulnerabilities?
It does not detect business logic vulnerabilities, which require human understanding of your domain and application behavior.
What happens to scan data after cancellation?