
Bug-Bounty Operator — Product Requirements Document

Full operating PRD for the bug-bounty operator practice. Unlisted — routable by URL, but not in search, nav, feeds, llms.txt, or MCP.


This page is the full operating PRD for the bug-bounty operator practice, mirrored verbatim from _bmad-output/planning-artifacts/prd.md. It is unlisted — routable by URL, but excluded from search, nav, feeds, the llms.txt surfaces, and the MCP tool inventory. The live operating view — current sprint, next gate, active risks, streak — renders first, below.

Supersession note (2026-04-21). The PRD below references fardin.sh as the public research brand. After shipping, that decision was reversed: fardiniqbal.com is the canonical surface, and the bug-bounty practice lives at /docs/craft/initiatives/bug-bounty with writeups under /docs/craft/writeups. A second site would split the queryable single-source-of-truth the portfolio is built to be. The live operating data in src/data/initiatives/bug-bounty.ts reflects this; wherever the PRD prose below says fardin.sh, read it as fardiniqbal.com on the current surface.

Active initiative


Bug-Bounty Operator Practice

A single-operator offensive-security practice. Research is the product. Content is the distribution. Skills are the features. Reputation is the asset.

North star

Freedom capital — months-of-runway stacked per quarter. Not income replacement. Day job is the subsidy, not the enemy.

Current sprint

Sprint 0 — Next 7 Days (0/7 shipped, 7 overdue)
  • Day 1 · Apr 21, 2026: X handle + manifesto draft + accounting baseline. Claim X handle, set bio to the axiom, draft one-page manifesto (already 90% seeded by the public initiative page), open 30% tax reserve account. No separate domain — fardiniqbal.com/docs/craft/initiatives/bug-bounty is the public surface.
  • Day 2 · Apr 22, 2026: Publish manifesto. Platform profiles. First X post. Manifesto lives at fardiniqbal.com/docs/craft/initiatives/bug-bounty. Register HackerOne, Bugcrowd, Intigriti, YesWeHack, Immunefi. First X post links the manifesto as commitment device.
  • Day 3 · Apr 23, 2026: Pick Week-0 target. Install Burp + MCP + shuvonsec/claude-bug-bounty. GitHub-org recon dorks on chosen target, in-scope only.
  • Day 4 · Apr 24, 2026: Track A recon on Week-0 target. Draft sector-niche shortlist. Build the pipeline, not the report. No submission yet.
  • Day 5 · Apr 25, 2026: Enroll pwn.college CSE 466. First module done. Block weekend Track B.
  • Day 6 · Apr 26, 2026: X Week-1 update. Add writeup-template v0 under craft/writeups. Specific, not hype. Writeup infrastructure lives at fardiniqbal.com/docs/craft/writeups — template MDX committed even empty, so the surface exists before first bounty.
  • Day 7 · Apr 27, 2026: Professor outreach. Week-1 retro. Sector niche locked. LLC note.

Next kill-switch gate

M3 · in 66 days
  • ≥1 bounty disclosed AND published writeup within 14 days, OR
  • surface switched (H1-public → Intigriti-EU / Synack) before strategy switched
  • Immunefi onboarded + ≥1 audit-contest entry
  • planning-artifacts : disclosed-bounties ratio not > 3:0 (LARP drift check)

On failure: Switch surface before switching strategy. If LARP ratio triggered, stop all planning, execute only until a bounty ships.

Risks to watch

  • LARP drift (amber)

    Indicator: Planning-artifacts : disclosed-bounties > 3:0 at M3

    Sprint 0 opens with 5 planning artifacts and 0 disclosed bounties. Ratio is acceptable during Sprint 0 but tightens fast after Day 7.

Practice streak

Current: 0 · Best: 0 · Last: Apr 21, 2026

Sprint 0 Day 1 today. Daily floor (≥30 min, ≥5 days/week) begins with first execution day.


Product Requirements Document — bug-bounty

Author: Fardiniqbal · Date: 2026-04-19

Executive Summary

Fardin Iqbal is being built as a single-operator offensive-security practice positioned for the 2026 bug-bounty market bifurcation. Autonomous AI pentest platforms (XBOW $1B+, RunSybil $40M Series A) are absorbing commodity web-bug volume while vendor-direct payouts have gone vertical (Apple $5M+, Google +40% YoY, top Chrome VRP hunter $811K in 2025) and platforms have hardened against AI-slop submissions (Bugcrowd 10-strikes → permanent ban; HackerOne IBB pause; curl shut its program Feb 1, 2026). In this market a generic "bug bounty hunter" is a losing product; a research-grade human operator — AI-leveraged, vendor-direct, chain-hunting, writeup-compounding, surface-niched — is winning.

Target state (Y3): quiet-primary 0-Day Operator with loud-secondary public surface. Published CVE portfolio (≥1 vendor-direct high-severity + ≥1 0-day target initiated). ~$60K+/yr bounty floor with realistic path to $100K–$300K across vendor-direct + audit-contest + AI-security surfaces. Public research brand at fardin.sh. ≥1 OSS security tool with meaningful adoption. Paid product / course as secondary income. Day job optional. BSides talk delivered.

V1 horizon (the real commitment gated by this PRD): Month 12. Y2 / Y3 are stretch directional targets. Y1 is the product's V1. Success is kill-switch-gated at M3 / M6 / M12 — not revenue-maximized.

North star: freedom capital in months-of-runway stacked per quarter. Not income replacement. Day job is the subsidy, not the enemy. No quit until $300K banked or 18 months runway.

Three parallel product lines (not sequential):

  • Track A — Fear-Killer (M1–M12). Web bounties on H1 + Bugcrowd + Intigriti + YesWeHack rotation. Sector-niched by M2. Vendor-direct submission hygiene M2, first real vendor-direct submission M4. Immunefi + Code4rena + Sherlock audit-contest layer by M3. Target run-rate ~$60K/yr; kill-switch floor $15K at M12. Track A is means, not identity — $60K at M12 with no Track B or Track C progress is a failed V1.
  • Track B — 0-Day Operator (M1–M36, compounding identity). pwn.college CSE 466 Orange Belt from Week 2. V8 / kernel source-reading by M4. First fuzzing campaign M12. First 0-day CVE target M24–30. Weekend-marathon cadence.
  • Track C — Loud Secondary (M1–∞, reputation compounding). fardin.sh + X live Week 1. Public writeup within 14 days of every disclosed bounty. One OSS security tool per quarter (AI-adjacent gap only; not head-on autonomous-pentest). BSides talk M8. Paid product / course M18+.

Primary buyers: vendor-direct programs (MSRC / Google VRP / Chrome VRP / Android / Apple Security / ZDI — real revenue surface by Y2); premium platforms (H1 / Bugcrowd / Intigriti / YesWeHack — Track A bread-and-butter); Web3 (Immunefi tail-heavy + Code4rena / Sherlock / Cantina audit contests); AI-security (Anthropic / Google AI VRP / OpenAI / Huntr — fastest-growing segment, +210% YoY H1 AI reports). Y2+ adds consulting, course buyers, sponsors. NahamSec ~50/25/25 bounty / content / consulting = validated income mix.

Primary beneficiaries: vendor security teams, open-source maintainers, AI-safety teams, end users of those products. Code-of-conduct: dangerous to systems, not humans. Every disclosure coordinated. Every PoC minimum-reproducer. Every boundary documented.

The problem this practice resolves. The ambient path for a CS graduate is employment — the employer owns the causal chain skill→outcome. That path already failed on two axes for this operator: work killed aliveness (boredom axis), and the chain is broken (employment = beholden). Existing alternatives don't close the gap: (a) public-program grinding produces commodity volume autonomous agents now do better; (b) influencer-first creator careers decouple from capability; (c) broker sales are criminally prosecuted post-Operation Zero (Oct 2025) and strategically foreclosed by the reputation-is-the-asset axiom; (d) "quit the job and go solo" trades real runway for fake agency and wrecks 0-day research, which has long dry spells. No packaged path exists for the identity being aimed at — the quiet mercenary with a public shell, income compounding across bounty + research + rep + tooling, with an unbroken causal chain from skill to outcome.

What Makes This Special

The moat is the intersection, not any single leg. Each leg alone is commodity; the combination is defensible:

  • Against autonomous AI agents (XBOW, RunSybil): concentrate on surfaces they demonstrably underperform on — DOM XSS (XBOW solved 57%), blind SQLi (0%), multi-step authorization chains, business-logic exploitation, binary, Web3 logic bugs, indirect prompt injection. Chain-hunting, not point-finding. Vendor-direct, not H1-public commodity.
  • Against influencer-first creators: research is the product; content is the distribution. Every writeup is an output of real work, not the reason for it. Nicholas Carlini's Claude-assisted kernel CVE credits and Sam Curry's writeup arc are the reference — not lifestyle-content accounts.
  • Against employed security engineers: unbroken causal chain. Legible output (CVEs, repos, talks, PoCs) exists independent of any employer.
  • Against other solo hunters: AI workstation live Day 1 (Claude Code + shuvonsec/claude-bug-bounty + Burp MCP; GhidraMCP / Decyx M2–3), not Month 6. Sector niche by M2, not "general hunter." Vendor-direct by M4, not "someday." Writeup cadence from bounty #1, not after five.

Core insight — the 2026 bifurcation bet. The bug-bounty market is bifurcating. Commodity web volume → autonomous agents. Premium surfaces (vendor-direct, audit contests, AI-security, 0-day) need scarce human operators who ship quality, not volume. The right product to build in 2026 is the researcher whose report a program manager actually wants to open. The wrong product is the generic H1 hunter.

Why now:

  • Vendor-direct ceilings vertical (Apple $5M+, Google +40% YoY 2025, top Chrome VRP hunter $811K, MSRC $17M/2025).
  • AI-security bounties exploding (+210% YoY H1 AI reports; Anthropic $35K/jailbreak, Google AI VRP $30K).
  • Platforms hardening against AI-slop — legible human operators get premium.
  • EU CRA Sep 11, 2026: mandatory coordinated-disclosure channels open; full obligations Dec 11, 2027 — pre-positioning window live.
  • Claude Code 1M-token context + MCP ecosystem — solo-operator scale never before possible.

Structural unfair advantages: mass AI context (Claude Code 1M tokens as working memory), intermediate CS foundation, activatable professor network, day job as 18-month runway. The structural edge is cadence — shipping a 14-day writeup and a quarterly tool while the field debates whether AI counts as cheating.

Non-negotiable positioning axiom (overrides every tactical preference in this PRD): Research is the product. Content is the distribution. Skills are the features. Reputation is the asset. If a decision routes content / influencer / attention ahead of research / capability / legibility, it is wrong regardless of short-term metrics.

Load-bearing gates (first-class in this PRD, enforced at every sprint):

  • No talk, no podcast, no paid product before ≥1 disclosed bounty + published writeup exist.
  • Track A revenue without Track B + C progress = failed V1.
  • No broker sales. Non-negotiable. Operation Zero (Oct 2025) is the reference case.
  • No unverified AI submissions on any platform. Policy-compliant use only.
  • No quitting the day job before $300K banked or 18 months runway.
  • No "general hunter" positioning. Sector-niche or die.

Project Classification

  • Project Type: human_as_product / solo_research_practice (custom — standard project-type CSV does not fit; features are skills, distribution is writeups / OSS / talks, revenue is bounties + audits + Y2 consulting).
  • Domain: offensive_security / vuln_research (custom hybrid; closest CSV analog scientific for research-first posture, but regulatory surface is fintech-level hot — Operation Zero Oct 2025 criminal prosecution, EU CRA Sep 2026 coordinated-disclosure regime, platform AI-slop ban policies, DMCA §1201 AI-bias exemption denied, Schedule C / SEP-IRA / LLC tax surface from Day 1).
  • Complexity: high — live-moving regulatory surface, compounding skill stack (web → binary → browser → kernel → fuzzing → 0-day), market mid-disruption (XBOW / RunSybil absorbing commodity volume), reputation legally load-bearing (one bad submission ends the practice).
  • Project Context: greenfield — no existing practice, no shipped output yet, first bounty not submitted. Brief + distillate + PRFAQ + domain research + brainstorm provide upstream context; no operational artifacts exist.

Success Criteria

User Success

Primary user — Fardin-as-operator:

  • M3 aha moment: first disclosed bounty resolved + writeup published within 14 days. The chain works — skill → submission → payout → public artifact, no intermediary.
  • M6 aha moment: Claude Code workstation demonstrably removes ≥50% of recon/triage grind while staying platform-policy-compliant.
  • M12 aha moment: ≥$15K earned AND ≥1 Track B binary-exploitation artifact shipped (pwn.college Orange Belt done + ≥1 public fuzzing / reversing writeup).
  • Emotional success: fear-of-being-fired gone. Work stays alive (boredom-axis filter passing at every monthly review). Day job = subsidy, not prison.
  • V1 completion signal (M12): operator looks at the year's artifacts and says "this work is legibly mine — it wouldn't exist without me, and it continues to exist regardless of any employer."

Secondary user — vendor security teams / program managers:

  • Every submission: minimum-reproducer PoC + severity justification + coordinated-disclosure timeline + writeup draft under embargo.
  • Triage time on a Fardin-submitted report < queue average.
  • Reporter name / CVE portfolio recognized on inbound → top of queue.
  • Zero AI-slop, zero dupes, zero scope violations.

Business Success

Financial (kill-switch-gated, not target-maximized):

  • M3: ≥1 bounty OR surface switch (H1-public → Intigriti-EU / Synack). Failing both → surface-selection is the diagnosis, strategy still viable.
  • M6: cumulative earnings tracking toward M12 floor (≥$3–5K trailing). Claude Code saves ≥50% recon/triage time AND zero platform-policy violations.
  • M12: ≥$15K earned AND not 100% low-severity commodity H1-public (must include ≥1 vendor-direct attempt, ≥1 audit-contest entry, or ≥1 AI-security submission).
  • Stretch run-rate: ~$60K/yr at M12–M18. Y2 path to $100K. Y3 path to $100K–$300K.
  • Cash-out discipline: every bounty auto-split 50% brokerage / 25% SEP-IRA / 25% tools+consulting. LLC at ~$30K gross. Schedule C + 30% tax reserve from Day 1.
  • North-star metric (overrides revenue if they disagree): months-of-runway stacked per quarter. Y1 target: +6–9 months added.

Identity / legibility:

  • Y1: CVE portfolio ≥1 public entry; writeup archive ≥3 published; ≥1 OSS tool shipped; pwn.college CSE 466 Orange Belt complete.
  • Y2: first vendor-direct CVE; BSides talk delivered (gated: ≥1 bounty + writeup); ≥4 OSS tools shipped.
  • Y3: first 0-day CVE in progress or initiated; paid product / course generating secondary income; consulting inbound exists.

Reputation / legal-compliance (non-negotiable, measured every sprint):

  • Zero illegal moves — lifetime. No broker sales. No AI-slop. No program-scope violations.
  • Zero platform strikes across H1 / Bugcrowd / Intigriti / YesWeHack / Immunefi.
  • 100% disclosed bounties → public writeup within 14 days of resolution.
  • 100% coordinated-disclosure compliance with ISO 29147 / 30111 / CISA CVD.

Technical Success

Tooling spine (V1 ready Day 7): Claude Code + shuvonsec/claude-bug-bounty + Burp Community + Burp MCP + GitHub-dorks scripts. M2–M3: GhidraMCP + Decyx. Every AI finding human-verified. Zero unverified submissions.

Skill stack:

  • Web (Track A): sector-niche fluency by M2 (fintech / devtools / infra). Chain-hunting + business-logic chops ≥ commodity IDOR volume by M6.
  • Binary (Track B): pwn.college Orange Belt by M6. V8 / kernel source-reading routine by M4. First fuzzing campaign M12.
  • Web3 (Track A+): Immunefi-ready by M3 (Solidity + ≥1 audit-contest entry).
  • AI-security: OWASP LLM top-10 fluency + ≥1 indirect prompt injection attempt by M6.

Research / output infrastructure:

  • fardin.sh live Week 1 with manifesto + writeup templates + CVE portfolio page.
  • Writeup template: minimum-reproducer PoC + severity justification + invariant violated + reconstructable methodology.
  • OSS tool cadence: 1/quarter. Repo per tool with README, install, MIT license. Adoption: ≥1 external contributor or ≥50 stars on Q4 tool.

Policy compliance (legally load-bearing):

  • Every platform account in good standing.
  • Every submission inside documented program scope.
  • Every disclosure coordinated, embargo honored.
  • Zero AI-bias research outside program authorization.

Measurable Outcomes

  • Weekly: ≥5 days/week × ≥30 min focused practice; ≥1 GitHub-org recon per active target; weekend with Track B work = binary-marathon success.
  • Monthly: ≥30 days-in-market per vuln class before context-switching; ≥1 writeup draft in progress; pain-log entries (8-week rolling); X monthly update posted.
  • Quarterly: ≥1 OSS tool shipped; ≥3 disclosed bounties OR ≥1 vendor-direct submission (M4+) OR ≥1 audit-contest entry (M3+); runway delta ≥+1.5 months.
  • M3 / M6 / M12: as above.

Product Scope

MVP (V1 target: M12)

  1. Claude Code workstation operational — Day 7.
  2. Five platform profiles active — Week 1. Sector-niche target by M2.
  3. fardin.sh + X live — Week 1. One-page manifesto.
  4. pwn.college enrolled — Day 5. Orange Belt by M6.
  5. First disclosed bounty + writeup shipped — by M3 or surface-switch.
  6. First vendor-direct submission attempt — M4.
  7. First audit-contest entry — M3.
  8. First OSS security tool shipped — Q1 end.
  9. Tax / legal baseline — Day 1. Schedule C, 30% reserve, LLC note at $30K.
  10. Writeup cadence active — 14-day max turnaround.
  11. M3 / M6 / M12 reviews calendar-blocked with criteria.
  12. Policy-compliance checklist — AI-usage disclosure + scope confirmation per submission.

Out of MVP: BSides talk (M8+, gated); paid product (M18+); consulting (Y2+); quitting day job; 0-day research beyond pwn.college + source-reading.

Growth (M12–M24)

  • Vendor-direct ≥50% of revenue by M18 (MSRC / Google VRP / Chrome / Android / Apple / ZDI).
  • Track B first fuzzing campaign complete M12; published harness + findings.
  • Sector-niche authority: nuclei library + ≥3 sector writeups by M18.
  • AI-security leg: ≥1 Anthropic / Google AI VRP / OpenAI disclosed finding by M15.
  • BSides talk shipped M8–M12.
  • First paid product / course shipped M18+ — derivative of writeups + tooling, not standalone content play.
  • Consulting onboard Y2 — retainer-only, capped hours.
  • Automated income-split pipeline live.

Vision (Y3+)

  • First 0-day CVE landed (M24–30). Vendor-direct, high-severity, coordinated disclosure.
  • CVE portfolio as commercial asset — recognizable in ≥3 vendor program queues.
  • OSS tool ≥1K stars or external contributor traction.
  • Revenue mix matches NahamSec template: ~50/25/25 bounty / content / consulting.
  • Day job optional: $300K banked or 18mo runway.
  • EU CRA disclosure wave captured — first-mover filings after Sep 11 2026.
  • Black Hat / DEF CON submission credible.
  • Runway ≥24 months stacked per year.

Operating Principles (the 12 Bold Moves, canonical form)

All 12 are research-confirmed. Applied at every sprint review.

  1. pwn.college from Week 2 — binary track starts parallel, not "later." GhidraMCP + Decyx by M2–M3.
  2. Writeup within 14 days of every disclosed bounty. Non-negotiable.
  3. Automated cash-out 50/25/25 — brokerage / SEP-IRA / tools+consulting. Every inflow.
  4. One OSS tool per quarter — AI-adjacent gaps only (binary-first Claude skills, sector-specific nuclei, writeup-to-skill compilers). Never head-on autonomous-pentest — XBOW / RunSybil own that.
  5. GitHub-org recon Day 1 of every target. Dorks running before anything else.
  6. Vendor-direct by M4 — hygiene M2–M3. Consider M2–M3 pull-forward if capability permits.
  7. Sector niche by M2 — fintech / devtools / infra. Financial + gov highest median P1.
  8. Immunefi + Code4rena + Sherlock + Cantina by M3 as variance hedge.
  9. Weekend marathons for binary — not daily drips.
  10. Pain-log 8 weeks before building any SaaS.
  11. Public disclosure requested on every resolved bounty.
  12. Collaborator + accountability + IRL meetup by M3.

Risk Register & Kill-Switches

Monthly review against each risk. Triggered action, not optional.

Each entry lists the risk, its leading indicator, the trigger, and the action taken.

  • Surface mismatch (Track A)
    Leading indicator: M3 with 0 bounties and no plausible M6 resolution
    Trigger: M3 gate fails
    Action: Switch surface (H1-public → Intigriti-EU / Synack) before switching strategy.
  • AI workflow incompatible with policy
    Leading indicator: M6 with <50% grind-reduction OR any policy strike
    Trigger: M6 gate fails
    Action: Redesign Track A workflow. No mass-submit.
  • Losing to autonomous agents on H1-public
    Leading indicator: M12 with 100% low-severity commodity earnings
    Trigger: M12 gate fails
    Action: Force-move to vendor-direct / AI-security / Web3 audit contests.
  • LARP drift
    Leading indicator: Planning-artifacts : disclosed-bounties > 3:0 at M3
    Trigger: M3 ratio
    Action: Stop all planning. Execute only until a bounty ships.
  • Broker temptation
    Leading indicator: Any consideration
    Trigger: First instance
    Action: Kill the practice. Start different one. Operation Zero (Oct 2025) = reference.
  • AI-slop submission
    Leading indicator: Any
    Trigger: First instance
    Action: Platform strike accumulates; second instance on any platform ends Track A on that platform.
  • Scope violation / DMCA §1201
    Leading indicator: Any out-of-scope research
    Trigger: First instance
    Action: Stop, document, disclose internally. Repeat → legal exposure.
  • Day job pressure to quit early
    Leading indicator: Any consideration before $300K / 18mo
    Trigger: First instance
    Action: Reject. Anti-Solution axiom #2.
  • Boredom axis fires
    Leading indicator: Monthly review
    Trigger: Track A surface producing dev-style repetition
    Action: Force-shift toward binary / 0-day / AI-security. Not out of bug bounty.
  • Influencer drift
    Leading indicator: Talk / podcast / paid-product attempt before ≥1 bounty + writeup
    Trigger: Any attempt
    Action: Hard block. Axiom enforcement.
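As an added example (not the page's own src/data/initiatives/bug-bounty.ts and not code from the author), the M3 kill-switch gate and the LARP-drift row of the register above, together with the 14-day writeup rule and the daily-floor streak from the live view, written as a TypeScript evaluator over constructed operating data. The field names, the assumed gate date, and every sample value are assumptions; the gate logic follows the gate text and the "On failure" rule as stated on the page.

```typescript
// Added example, not the page's own src/data/initiatives/bug-bounty.ts: evaluates the M3
// kill-switch gate, the LARP-drift ratio, the 14-day writeup rule and the daily-floor
// streak over constructed operating data. Field names and sample values are assumptions.

interface Bounty {
  disclosedOn: string;         // ISO date the program resolved/disclosed the report
  writeupPublishedOn?: string; // ISO date the public writeup went live, if it has
}

interface Session {
  date: string;    // ISO date of a practice session
  minutes: number; // focused minutes that day
}

interface OperatingData {
  today: string;
  gateDate: string;            // date of the M3 review (assumed)
  bounties: Bounty[];          // disclosed bounties only
  surfaceSwitched: boolean;    // H1-public -> Intigriti-EU / Synack already done
  immunefiOnboarded: boolean;
  auditContestEntries: number;
  planningArtifacts: number;
}

interface GateVerdict {
  pass: boolean;
  reasons: string[];
  action: string | null;       // the register's triggered action, if any
}

const DAY_MS = 86_400_000;
const WRITEUP_WINDOW_DAYS = 14;  // "public writeup within 14 days of every disclosed bounty"
const DAILY_FLOOR_MINUTES = 30;  // "daily floor (>=30 min)"
const MAX_ARTIFACTS_AT_ZERO = 3; // "planning-artifacts : disclosed-bounties not > 3:0"

function daysBetween(from: string, to: string): number {
  // ISO dates parse as UTC midnight, so the difference is an exact multiple of a day.
  return Math.round((Date.parse(to) - Date.parse(from)) / DAY_MS);
}

function daysToGate(d: OperatingData): number {
  return daysBetween(d.today, d.gateDate);
}

function writeupWithinWindow(b: Bounty): boolean {
  if (!b.writeupPublishedOn) return false;
  const delta = daysBetween(b.disclosedOn, b.writeupPublishedOn);
  return delta >= 0 && delta <= WRITEUP_WINDOW_DAYS;
}

function larpDriftTriggered(d: OperatingData): boolean {
  // A ratio "> 3:0" means more than three planning artifacts with nothing disclosed.
  return d.bounties.length === 0 && d.planningArtifacts > MAX_ARTIFACTS_AT_ZERO;
}

function evaluateM3Gate(d: OperatingData): GateVerdict {
  const reasons: string[] = [];
  // Gate line 1: a disclosed bounty with an on-time writeup, OR the surface was switched.
  const trackA = d.bounties.some(writeupWithinWindow) || d.surfaceSwitched;
  if (!trackA) reasons.push("no disclosed bounty with writeup within 14 days, surface not switched");
  // Gate line 2: Immunefi onboarded and at least one audit-contest entry.
  if (!(d.immunefiOnboarded && d.auditContestEntries >= 1)) {
    reasons.push("Immunefi not onboarded or no audit-contest entry");
  }
  // Gate line 3: the LARP-drift ratio check.
  const larp = larpDriftTriggered(d);
  if (larp) reasons.push(`LARP drift: ${d.planningArtifacts}:${d.bounties.length}`);

  // "On failure" rule: LARP drift stops all planning; otherwise switch surface first.
  let action: string | null = null;
  if (larp) action = "Stop all planning. Execute only until a bounty ships.";
  else if (!trackA) action = "Switch surface before switching strategy.";
  return { pass: reasons.length === 0, reasons, action };
}

function isoDate(ms: number): string {
  return new Date(ms).toISOString().slice(0, 10);
}

function practiceStreak(sessions: Session[], today: string): { current: number; best: number } {
  // Only days that met the floor count toward a streak.
  const qualifying = new Set(sessions.filter((s) => s.minutes >= DAILY_FLOOR_MINUTES).map((s) => s.date));
  // Current streak: walk back day by day from today until a day is missing.
  let current = 0;
  let cursor = Date.parse(today);
  while (qualifying.has(isoDate(cursor))) {
    current += 1;
    cursor -= DAY_MS;
  }
  // Best streak: longest run of consecutive qualifying days anywhere in the history.
  const days = Array.from(qualifying).map((s) => Date.parse(s)).sort((a, b) => a - b);
  let best = 0;
  let run = 0;
  let prev = Number.NaN;
  for (const t of days) {
    run = t - prev === DAY_MS ? run + 1 : 1;
    prev = t;
    best = Math.max(best, run);
  }
  return { current, best };
}

// Constructed Sprint 0 snapshot mirroring the live view: 5 artifacts, 0 disclosed bounties.
const sprint0: OperatingData = {
  today: "2026-04-21",
  gateDate: "2026-06-26",
  bounties: [],
  surfaceSwitched: false,
  immunefiOnboarded: false,
  auditContestEntries: 0,
  planningArtifacts: 5,
};
```

Running `evaluateM3Gate(sprint0)` on the constructed snapshot fails the gate on all three lines and returns the LARP-drift action, which is the ordering the "On failure" sentence prescribes: the ratio check overrides the surface switch. The streak helper treats a day below the 30-minute floor as a missing day, so a short session neither extends nor preserves a run.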

Operating Cadence

  • Daily floor: 30 min focused practice, ≥5 days/week. Streak tracked on fardin.sh public page.
  • Weekend: Track B binary marathon (≥3 hr block). Tooling Sunday (OSS tool work).
  • Weekly: X update posted. Backlog grooming. Target-rotation review.
  • Monthly: KPI review against risk register. Runway delta calculated. Writeup queue audit. Pain-log entry.
  • Quarterly: OSS tool shipped. Sector review. Kill-switch check if milestone quarter (M3 / M6 / M12). Cash-out split executed.
  • M3 / M6 / M12: formal kill-switch review. Written decision artifact on fardin.sh (internal draft; publish post-M12 retrospective).

Sprint 0 — Next 7 Days (the real PRD, per PRFAQ verdict)

Execution starts now. Ship order, not suggestion order.

  • Day 1 (today):
    • Register fardin.sh domain. Configure DNS.
    • Register / claim X handle. Set bio, header.
    • Draft one-page manifesto (brief distillate + axiom).
    • Set up Schedule C accounting baseline. 30% tax reserve account opened.
  • Day 2:
    • Publish manifesto to fardin.sh.
    • Create accounts: HackerOne, Bugcrowd, Intigriti, YesWeHack, Immunefi. Complete profiles.
    • First X post (commitment device): "Week 1 — operator practice starts today." Link manifesto.
  • Day 3:
    • Pick Week-0 target. Rails / Next.js stack, explicit safe harbor, in-scope recon only.
    • Install Burp Community + Burp MCP.
    • Install shuvonsec/claude-bug-bounty in Claude Code.
    • Run GitHub-org recon dorks on chosen target. Log findings in private notes.
  • Day 4:
    • Track A hunting: first recon session on Week-0 target. No submission yet — build the pipeline, not the report.
    • Draft sector-niche shortlist (fintech / devtools / infra). Pick one by end of Day 7.
  • Day 5:
    • Enroll pwn.college CSE 466. Complete first module.
    • Schedule weekly Track B weekend block (Sat + Sun, 3-hr minimum).
  • Day 6:
    • X Week-1 update post. Specific: what was installed, what was learned, what's next. No hype.
    • Writeup-template v0 committed to fardin.sh/writeups repo (even empty — infrastructure exists before first bounty).
  • Day 7:
    • Outreach to security-fundamentals professor. Ask for one intro or one conversation.
    • Week-1 retrospective (internal). Commit to Week 2 targets. Sector niche locked.
    • LLC note filed for $30K-threshold trigger.

Sprint 0 done signal: platform profiles live, workstation operational, manifesto published, pwn.college enrolled, Week-0 target under recon, first X commitment post shipped, writeup infrastructure in place.

PRD Status

V1 complete 2026-04-21. Steps 4–11 compressed at operator's direction after PRFAQ-verdict recall ("further planning without execution is LARP"). This PRD is operational, not exhaustive. Revisions happen post-M1 with real bounty / submission data — not before.

Governing axiom: Research is the product. Content is the distribution. Skills are the features. Reputation is the asset.