How I Made $20K+ From Broken Link Hijacking on GitHub Repos
Summary: the author focused on broken link hijacking, used Bash scripts to scan GitHub repositories for broken links, developed the tool github-scanner-local, found a large number of vulnerabilities and earned more than $20,000 in bounties. 2025-7-13 05:55:23 Author: infosecwriteups.com

Arshad Kazmi

Everyone was scanning websites. I focused on GitHub repos — and built a Bash pipeline that helped me uncover broken links others missed.

In 2021, I focused on one bug class that most bounty hunters eventually explore: broken link hijacking.

I started like everyone else — scanning websites, footers, and social media links for outdated resources. Some were vulnerable to takeover (S3 buckets, GCP, GitHub pages). I earned a few bounties, but I quickly realized the space was crowded. Too many people were chasing the same low-hanging fruit.

So I began looking elsewhere — where fewer people were hunting.

Since I was very active on GitHub at the time (mostly contributing to open source), I started wondering:

“Why not scan GitHub repositories for broken links?”

After all, repos are full of:

  • Documentation with outdated URLs
  • CI/CD or install scripts referencing old assets
  • External services like S3, GCP, or GitHub Pages

And the best part: not many hunters were targeting this surface at scale.

Initially, I tried GitHub’s search. But I quickly ran into problems:

  • You can’t search the full content of large repos.
  • Results are incomplete and inconsistent.
  • GitHub’s API limits made automation painful.

So I took the search offline.

I built a basic but powerful Bash pipeline:

  1. Clone all repos of a GitHub organization locally.
  2. Recursively scan all files using regex to extract URLs.
  3. Run HTTP calls on each URL to detect 404 or 410 responses.

I bundled the scripts into a tool you can find here:

👉 github.com/arshadkazmi42/github-scanner-local

Nothing fancy — just local cloning and smart grep — but it worked.
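The three steps above, written out as an added example that is not the author's github-scanner-local tool: a minimal shell version intended for auditing an organization's own repositories for dangling references. It assumes `gh` (the GitHub CLI) is installed and authenticated for the clone step, that `git`, `grep`, `sed`, `sort` and `curl` are available, and that the organization name and destination directory are placeholders supplied on the command line. The URL regex and the trailing-punctuation cleanup are my own choices, not the tool's.

```shell
#!/usr/bin/env bash
# Added example, not the author's github-scanner-local: clone an org's repos,
# grep every file for URLs, and flag the ones that now answer 404/410.
set -eu

# Step 1: clone every repository of an organization (shallow, to save time/disk).
# Assumes `gh` is installed and authenticated; ORG and DEST are placeholders.
clone_org() {
  local org="$1" dest="$2" name
  mkdir -p "$dest"
  gh repo list "$org" --limit 1000 --json name --jq '.[].name' |
    while read -r name; do
      [ -d "$dest/$name" ] || git clone --quiet --depth 1 \
        "https://github.com/$org/$name" "$dest/$name"
    done
}

# Step 2: recursively extract http(s) URLs from text files, skipping .git metadata.
# The character class stops at whitespace, quotes, brackets and backticks; a
# trailing sentence punctuation mark (e.g. "see https://x/y.") is stripped afterwards.
extract_urls() {
  local dir="$1"
  local pat="https?://[^[:space:]\"'<>)\`]+"
  grep -rhoIE --exclude-dir=.git "$pat" "$dir" 2>/dev/null |
    sed -E 's/[.,;:!?]+$//' |
    LC_ALL=C sort -u
}

# Step 3: fetch each URL and report the final HTTP status (000 = connection failed).
# curl still prints the -w value on failure, so the `|| true` only swallows the exit code.
check_url() {
  curl -sS -o /dev/null -L --max-time 15 -w '%{http_code}' "$1" 2>/dev/null || true
}

# 404 and 410 are the statuses the pipeline treats as "broken".
is_broken_status() {
  case "$1" in
    404|410) return 0 ;;
    *)       return 1 ;;
  esac
}

# Run steps 2 and 3 over a local directory; prints one line per finding.
scan_dir() {
  local dir="$1" url code
  extract_urls "$dir" | while read -r url; do
    code=$(check_url "$url")
    if is_broken_status "$code"; then
      printf 'BROKEN %s %s\n' "$code" "$url"
    elif [ "$code" = "000" ]; then
      printf 'UNREACHABLE %s %s\n' "$code" "$url"
    fi
  done
}

# Usage: ./scan.sh ORG ./repos   (clone, then scan)
#        ./scan.sh - ./some-dir  (scan an existing checkout only)
if [ "$#" -ge 2 ]; then
  [ "$1" = "-" ] || clone_org "$1" "$2"
  scan_dir "$2"
fi
```

Only 404 and 410 are counted as broken, matching the pipeline described above; connection failures (status 000) are listed separately as an addition of mine, since a host that no longer resolves deserves the same triage. When reviewing the output, start with links that point at the third-party hosts the article names (S3, GCP, GitHub Pages): a 404 there can mean the referenced name is no longer claimed, which is exactly the case that turns a stale link into a hijackable one and should be fixed first.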

I started running this on GitHub orgs in bug bounty programs and saw solid returns:

  • Most orgs had at least one broken link.
  • Around 70–80% of my reports were accepted.
  • Bounties ranged from $100 to $1,500.
  • A few outliers fetched more, especially when asset hijacking or takeover was possible.

This approach alone helped me earn over $20,000 in accepted bug bounty rewards.


Article source: https://infosecwriteups.com/how-i-made-20k-from-broken-link-hijacking-on-github-repos-67d8917912f7?source=rss----7b722bfd1b8d--bug_bounty