evidence-hygiene

Community

Keep PoCs clean: redact cookies & PII.

Author: AKasem1
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

It prevents bug-bounty evidence from leaking session cookies, authorization tokens, and other users’ personally identifiable information (PII) by enforcing a repeatable capture-and-redaction discipline before screenshots or HARs are attached.

Core Features & Use Cases

  • Cookie redaction protocol: Masks session-bearing cookies and Authorization/CSRF secrets while allowing triager-useful metadata like trace IDs and correlation headers.
  • PII black-bar discipline: Distinguishes between other-user PII that must be redacted (names, emails, phones, faces) and non-sensitive proof elements that can remain visible (field keys, shapes, your attacker-session identifiers).
  • HAR sanitization: Provides jq-based header and cookie-stripping patterns to remove Cookie/Authorization/Set-Cookie values prior to attachment.
  • Screenshot hygiene for Burp and DevTools: Recommends hiding request bodies, capturing only the Results table where appropriate, and using clean DevTools Console PoC patterns that avoid echoing sensitive credentials.
  • Evidence workflow guardrails: Enforces pre-capture checklists, screenshot capture order, filename conventions, and post-submission rotation hygiene to ensure captured secrets are invalidated.
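HAR sanitization as described in the feature list, shown as an added Python example; it is not the skill's own jq patterns, which this page does not reproduce. The CSRF header names, the mask string and the sample HAR are assumptions constructed for illustration.

```python
import copy
import json

# Cookie, Authorization and Set-Cookie are named on the page; the CSRF header
# names are assumed common spellings, adjust them to the target application.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization",
                     "x-csrf-token", "x-xsrf-token"}
MASK = "[REDACTED]"  # assumed placeholder string

def sanitize_har(har):
    """Return a copy of the HAR with credential-bearing values masked."""
    clean = copy.deepcopy(har)
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for header in msg.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = MASK
            # HAR keeps parsed cookies in a separate array from the raw header.
            for cookie in msg.get("cookies", []):
                cookie["value"] = MASK
    return clean

def leaked(har, secrets):
    """Pre-attachment gate: list the secrets still present in the serialized HAR."""
    blob = json.dumps(har)
    return [s for s in secrets if s in blob]

# Constructed sample: one entry with a session cookie, a bearer token and a trace ID.
SECRETS = ["CONSTRUCTED-SESSION-abc123", "CONSTRUCTED-TOKEN-xyz789"]
SAMPLE_HAR = {"log": {"entries": [{
    "request": {
        "method": "GET", "url": "https://app.example.test/api/profile",
        "headers": [
            {"name": "Cookie", "value": "session=CONSTRUCTED-SESSION-abc123"},
            {"name": "Authorization", "value": "Bearer CONSTRUCTED-TOKEN-xyz789"},
            {"name": "X-Request-Id", "value": "trace-0001"}],
        "cookies": [{"name": "session", "value": "CONSTRUCTED-SESSION-abc123"}]},
    "response": {
        "status": 200,
        "headers": [
            {"name": "Set-Cookie", "value": "session=CONSTRUCTED-SESSION-abc123; HttpOnly"},
            {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "session", "value": "CONSTRUCTED-SESSION-abc123"}]}}]}}

if __name__ == "__main__":
    cleaned = sanitize_har(SAMPLE_HAR)
    print(json.dumps(cleaned, indent=2))
    print("still leaking:", leaked(cleaned, SECRETS))
```

Only headers and parsed cookie arrays are covered; tokens carried in query strings, request bodies or response content need their own pass, which is why the `leaked` check scans the whole serialized file.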

Quick Start

Use the evidence-hygiene skill before capturing any screenshot or exporting a HAR for a bug-bounty submission so that all session cookies and any other-user PII are redacted according to the protocol.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: evidence-hygiene
Download link: https://github.com/AKasem1/claude-bug-bounty/archive/main.zip#evidence-hygiene

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.