DEV.co
Open-Source Security · trickest

inventory

Inventory is a curated, automatically-updated dataset of 800+ public bug bounty programs with DNS and web server metadata. It aggregates program data from multiple sources, runs periodic reconnaissance workflows, and publishes findings to help bug bounty hunters and security teams track assets.

Source: GitHub — github.com/trickest/inventory
1.6k
GitHub stars
282
Forks
Shell
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorytrickest/inventory
Ownertrickest
Primary languageShell
LicenseMIT — OSI-approved
Stars1.6k
Forks282
Open issues10
Latest releaseUnknown
Last updated2025-02-14
Sourcehttps://github.com/trickest/inventory

What inventory is

Shell-based project that consolidates bug bounty program data via Python scripts, then executes distributed reconnaissance workflows (subfinder, vita, findomain, puredns, dsieve, alterx) to enumerate subdomains, resolve DNS, generate permutations, and produce csv reports of hostnames and HTTP servers.

Quickstart

Get the inventory source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/trickest/inventory.gitcd inventory# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Bug Bounty Program Reconnaissance

Security researchers and bug bounty hunters can use the consolidated targets.json and periodically-updated DNS/HTTP reports to quickly identify new assets and scope for public programs without running their own enumeration.

Attack Surface Visibility for Security Teams

Organizations operating public bug bounty programs can reference the automatically-generated reports to discover unintended or newly-added assets exposed under their scope, reducing surprise findings from hunters.

OSINT and Reconnaissance Workflow Template

Security engineers can study and adapt the documented workflow architecture (passive enumeration, active bruteforce, permutations, reporting) as a reference for building their own scalable reconnaissance pipelines.

Implementation considerations

  • Data is published as JSON files (targets.json, community.json) and csv reports; no API endpoint is documented. Integration requires file downloads or git clone polling.
  • Workflow reproduction depends on external tools (projectdiscovery suite, findomain, vita, dsieve, alterx, anew) and resolver infrastructure; ensure dependency versions align and resolver lists are current.
  • Community submissions are accepted via PR to community.json, so data quality and correctness depend on contributor vetting; validate critical entries independently before operational use.
  • The project is hosted on GitHub and GitHub Actions; reliance on GitHub availability and CI quota for periodic updates is implicit.
  • Enumeration scope and wordlists (level2.txt) are maintained by Trickest and linked externally; changes to wordlists or tool versions may alter result consistency over time.

When to avoid it — and what to weigh

  • Proprietary or Non-Public Bug Bounty Programs — This dataset covers only public programs. Private/invitation-only bounties are not included, limiting utility for organizations that do not operate public programs.
  • Real-Time or Sub-Hourly Asset Updates Required — The workflows run on a schedule; exact frequency is not documented. If you need live or near-instantaneous asset discovery, this repository alone may not meet SLA requirements.
  • Need for Verified, Liability-Safe Scope Data — While the project aims for accuracy, there is no explicit SLA, verification process, or liability framework. Use for internal research only; do not rely solely for official scope authorization without primary source confirmation.
  • Standalone Tool Deployment Without Customization — The repository is a data artifact and workflow documentation, not a packaged CLI/API. Reproducing the workflows requires setting up external tools (subfinder, puredns, etc.) and container/CI orchestration; it is not a plug-and-play application.

License & commercial use

MIT License. Permissive, OSI-approved. Allows use, modification, and redistribution for any purpose (including commercial) provided the license and copyright notice are retained.

MIT is a permissive OSI license that permits commercial use, but this is reference data and workflow documentation, not a finished product. Commercial organizations can use the dataset for internal security operations, research, and tooling. However, licensing does not imply support, warranties, or SLA; obtain external support or indemnity if required for regulated/critical environments.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityHigh
DEV.co fitGood
Assessment confidenceHigh
Security considerations

The project performs enumeration and publishes resolved hostnames and HTTP server metadata for public bug bounty scopes. This is intended behavior for public programs but could inadvertently expose assets if data is stale or if scope boundaries are misunderstood. Consumers should: (1) verify scope against primary source before assuming an asset is in-scope for testing; (2) be aware that enumeration results reflect a point-in-time snapshot and may miss recently-added or recently-removed assets; (3) treat csv outputs as reconnaissance intelligence, not definitive authorization. No security audit, signed releases, or vulnerability disclosure policy is documented.

Alternatives to consider

Bounty Targets Data (arkadiyt/bounty-targets-data)

Upstream data source used by Inventory; provides raw bug bounty program metadata. Use if you prefer direct access to source data or want to apply custom transformation logic.

Chaos Public Bug Bounty Programs (projectdiscovery/public-bugbounty-programs)

Another upstream source aggregated by Inventory. Offers program data in a different format; useful if you need to cross-reference or validate program scope independently.

Custom Reconnaissance Workflow (DIY)

If you need real-time, highly-customized enumeration for private or niche programs, or if you want full control over tool versions and wordlists, building your own workflow using the documented approach (subfinder, puredns, dnsx, httpx) may be more suitable than relying on Inventory updates.

Software development agency

Build on inventory with DEV.co software developers

Use Inventory's consolidated data and workflow architecture to identify assets faster. Fork the repository, adapt the workflows, or reference the data in your security operations.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

inventory FAQ

How often is the asset data updated?
Not clearly stated in the documentation. The README indicates workflows run 'on schedule' and that the project is actively maintained (last push 2025-02-14), but exact frequency (daily, weekly, monthly) is not specified. Contact the maintainers or review GitHub Actions history for empirical update cadence.
Can I use this data to test a bug bounty program I operate?
Yes, if your program is public and listed in targets.json or the aggregated sources. The generated reports (dns-report.csv, server-report.csv) can help you discover unintended assets within your scope. Always verify against your authoritative scope documentation before assuming in-scope status.
Is there an API or programmatic way to access the data?
No documented API. Data is published as JSON and CSV files in the GitHub repository. Integration requires git clone, file polling, or manual downloads. A commercial offering (Trickest platform) is mentioned in the README but is separate from this open-source repository.
What if I find an error or want to add a program?
Contributions are welcome via PR to community.json or by tweeting @trick3st or joining the Discord. The README encourages community submissions. Note that the primary targets.json is auto-generated from upstream sources; adding to community.json is the prescribed contribution path.

Software development & web development with DEV.co

Adopting inventory is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.

Streamline Your Bug Bounty Reconnaissance

Use Inventory's consolidated data and workflow architecture to identify assets faster. Fork the repository, adapt the workflows, or reference the data in your security operations.