inventory
Inventory is a curated, automatically-updated dataset of 800+ public bug bounty programs with DNS and web server metadata. It aggregates program data from multiple sources, runs periodic reconnaissance workflows, and publishes findings to help bug bounty hunters and security teams track assets.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | trickest/inventory |
| Owner | trickest |
| Primary language | Shell |
| License | MIT — OSI-approved |
| Stars | 1.6k |
| Forks | 282 |
| Open issues | 10 |
| Latest release | Unknown |
| Last updated | 2025-02-14 |
| Source | https://github.com/trickest/inventory |
What inventory is
Shell-based project that consolidates bug bounty program data via Python scripts, then executes distributed reconnaissance workflows (subfinder, vita, findomain, puredns, dsieve, alterx) to enumerate subdomains, resolve DNS, generate permutations, and produce csv reports of hostnames and HTTP servers.
Get the inventory source
Clone the repository and explore it locally.
git clone https://github.com/trickest/inventory.gitcd inventory# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Data is published as JSON files (targets.json, community.json) and csv reports; no API endpoint is documented. Integration requires file downloads or git clone polling.
- Workflow reproduction depends on external tools (projectdiscovery suite, findomain, vita, dsieve, alterx, anew) and resolver infrastructure; ensure dependency versions align and resolver lists are current.
- Community submissions are accepted via PR to community.json, so data quality and correctness depend on contributor vetting; validate critical entries independently before operational use.
- The project is hosted on GitHub and GitHub Actions; reliance on GitHub availability and CI quota for periodic updates is implicit.
- Enumeration scope and wordlists (level2.txt) are maintained by Trickest and linked externally; changes to wordlists or tool versions may alter result consistency over time.
When to avoid it — and what to weigh
- Proprietary or Non-Public Bug Bounty Programs — This dataset covers only public programs. Private/invitation-only bounties are not included, limiting utility for organizations that do not operate public programs.
- Real-Time or Sub-Hourly Asset Updates Required — The workflows run on a schedule; exact frequency is not documented. If you need live or near-instantaneous asset discovery, this repository alone may not meet SLA requirements.
- Need for Verified, Liability-Safe Scope Data — While the project aims for accuracy, there is no explicit SLA, verification process, or liability framework. Use for internal research only; do not rely solely for official scope authorization without primary source confirmation.
- Standalone Tool Deployment Without Customization — The repository is a data artifact and workflow documentation, not a packaged CLI/API. Reproducing the workflows requires setting up external tools (subfinder, puredns, etc.) and container/CI orchestration; it is not a plug-and-play application.
License & commercial use
MIT License. Permissive, OSI-approved. Allows use, modification, and redistribution for any purpose (including commercial) provided the license and copyright notice are retained.
MIT is a permissive OSI license that permits commercial use, but this is reference data and workflow documentation, not a finished product. Commercial organizations can use the dataset for internal security operations, research, and tooling. However, licensing does not imply support, warranties, or SLA; obtain external support or indemnity if required for regulated/critical environments.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | High |
| DEV.co fit | Good |
| Assessment confidence | High |
The project performs enumeration and publishes resolved hostnames and HTTP server metadata for public bug bounty scopes. This is intended behavior for public programs but could inadvertently expose assets if data is stale or if scope boundaries are misunderstood. Consumers should: (1) verify scope against primary source before assuming an asset is in-scope for testing; (2) be aware that enumeration results reflect a point-in-time snapshot and may miss recently-added or recently-removed assets; (3) treat csv outputs as reconnaissance intelligence, not definitive authorization. No security audit, signed releases, or vulnerability disclosure policy is documented.
Alternatives to consider
Bounty Targets Data (arkadiyt/bounty-targets-data)
Upstream data source used by Inventory; provides raw bug bounty program metadata. Use if you prefer direct access to source data or want to apply custom transformation logic.
Chaos Public Bug Bounty Programs (projectdiscovery/public-bugbounty-programs)
Another upstream source aggregated by Inventory. Offers program data in a different format; useful if you need to cross-reference or validate program scope independently.
Custom Reconnaissance Workflow (DIY)
If you need real-time, highly-customized enumeration for private or niche programs, or if you want full control over tool versions and wordlists, building your own workflow using the documented approach (subfinder, puredns, dnsx, httpx) may be more suitable than relying on Inventory updates.
Build on inventory with DEV.co software developers
Use Inventory's consolidated data and workflow architecture to identify assets faster. Fork the repository, adapt the workflows, or reference the data in your security operations.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
inventory FAQ
How often is the asset data updated?
Can I use this data to test a bug bounty program I operate?
Is there an API or programmatic way to access the data?
What if I find an error or want to add a program?
Software development & web development with DEV.co
Adopting inventory is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.
Streamline Your Bug Bounty Reconnaissance
Use Inventory's consolidated data and workflow architecture to identify assets faster. Fork the repository, adapt the workflows, or reference the data in your security operations.