—
Hi, I'm morioka12 (@scgajge12).
For the past few months I've been working on a small side project I'm finally happy to share with the international bug bounty community:
> Bug Bounty Online Game — a free collection of browser-based games and quizzes about security and bug bounty hunting.
👉 https://scgajge12.github.io/games/
Everything is free, no signup required, runs entirely in the browser, and ships with a JA / EN language toggle out of the box. Whether you're a complete beginner curious about bug bounty, a seasoned hunter who wants a quick brain warm-up before opening Burp, or somebody who just thinks security memes about sushi belts are funny — there's something here for you.
In this post I'll walk through every game in the collection, explain who it's for, and call out two that are especially fun if you love Japan or are studying Japanese: Sushi Bounty 🍣 and Bug Kanji 漢字.
—
## The portal: one site, multiple games
The hub at scgajge12.github.io/games lists every game with a tag, a short description, and a one-tap PLAY button. The whole site is dark-themed, mobile-friendly, and respects `prefers-reduced-motion` for the particle effects in the background.
Currently there are 5 playable games and 2 coming soon, all built from the same design language so jumping between them feels familiar.
Let's go through them.
—
## 1. 🍣 Sushi Bounty (Kaiten Bug Bounty) — highly recommended for Japan fans
> "Pick the right attack to carve each vulnerable feature flowing down the kaiten-sushi belt."
Play 👉 scgajge12.github.io/games/kaiten-bounty
If you've ever been to Japan, you've probably eaten at a kaiten-zushi (回転寿司) restaurant — the kind where plates of sushi loop around the room on a conveyor belt and you grab whatever looks good. Sushi Bounty turns that experience into a bug bounty arcade.
Each plate flowing past you is a vulnerable feature — a file upload form, a redirect parameter, a deserialization endpoint, a JWT-validating API, you name it. Your job is to look at the plate, decide what class of attack it's vulnerable to (XSS? SSRF? IDOR? RCE? Path traversal?), and "carve" it with the correct attack technique before it slides off-screen.
Get it right and you build a combo. Miss it and you watch a juicy bounty drift away.
It is, without exaggeration, the most fun way I've found to drill fast pattern-matching between functionality and likely vulnerability classes — which is exactly the muscle memory you want when you're scoping a new target on a Saturday morning.
—
## 2. 漢字 Bug Kanji — highly recommended for Japanese learners
> "Read kanji clues to identify the right vulnerability class."
Play 👉 scgajge12.github.io/games/bug-kanji
This one is a time-attack 4-choice quiz with a Japanese twist: each question shows you a small set of kanji (Japanese characters) that hint at a specific vulnerability category, and you have to pick which class of bug it represents.
For example — and I won't spoil too much — you might see kanji that translate roughly to "across-site / script / insertion," and you have to recognize that as Cross-Site Scripting. Or kanji meaning "server-side / request / forgery." Once you see the trick, suddenly half the OWASP Top 10 has a built-in mnemonic in Chinese characters that you'll never forget.
There are three difficulty levels:
- Easy — common categories, generous time
- Hard — more obscure categories, tighter clock
- Extreme — speedrun territory; even native readers will sweat
If you're an international bug hunter who's ever wanted to read a JPCERT advisory or a Japanese vendor disclosure in the original, this is the most fun on-ramp I can think of.
—
## 3. Bug Bounty Top 10 Vulnerability Quiz
Play 👉 scgajge12.github.io/games/bug-bounty-top-10-quiz
A 4-choice quiz built from the most-upvoted disclosed reports on HackerOne Hacktivity (2023–2025).
Instead of asking textbook OWASP questions, this one asks: *"What's actually being reported, paid, and disclosed in the wild right now?"* Each question pulls from a real, popular Hacktivity report — meaning the answers map directly to the kinds of bugs that earn bounties today, not the ones that were fashionable a decade ago.
10 questions, ~5 minutes, JA/EN. Perfect as a daily warm-up.
—
## 4. Claude Bug Bounty Capability Quiz
Play 👉 scgajge12.github.io/games/claude-bug-bounty
If you've started using Claude Code for security workflows, you've probably noticed the gap between "I know Claude can help with bug bounty" and "I actually know which slash command, agent, or memory feature to reach for in this exact situation."
This quiz is a 4-choice drill on the slash commands, agents, and memory model of [`claude-bug-bounty`](https://github.com/scgajge12/claude-bug-bounty), an AI-driven bug-bounty extension for Claude Code. It's the fastest way I've found to internalize the surface area of an AI-augmented hunting workflow.
10 questions, ~5 minutes, JA/EN.
—
## 5. Bug Bounty Triage Simulator (BBR-Review, 13 axes)
Play 👉 scgajge12.github.io/games/triage-sim
This one's a little different from the others. Instead of testing your knowledge of vulnerabilities, it tests your knowledge of how vulnerability reports should be written — by putting you in the triager's chair.
You're given a flawed bug bounty report — maybe the impact statement is hand-wavy, the PoC is missing repro steps, the severity rating is inflated, or the affected scope is wrong. You then grade it across 13 evaluation axes (clarity, reproducibility, impact justification, scope correctness, etc.) on a 100-point scale, and the simulator scores how close your judgment is to the BBR-Review reference frame.
If you've ever wondered why your perfectly valid bug got marked Informative, or why a duplicate report still got paid out before yours, this game will quietly recalibrate how you write reports forever.
13 scenarios, 100-point grading, JA/EN.
—
## Coming soon
Two more quizzes are in the pipeline, both tied to Japanese-language books I've been involved with:
- OSS Bug Hunting 101 Quiz — a comprehension quiz based on "Get Your CVE in 30 Days! An Introduction to OSS Bug Hunting."
- Practical Bug Bounty Quiz — a comprehension quiz based on "Breaking into Bug Bounty: A Practical Guide for Beginners."
If those topics interest you, follow @scgajge12 — I'll post when they ship.
—
Happy hunting.