Bug Bounty MCP Server
A clean, focused server containing bug bounty hunting workflows and REST API endpoints.
Features
- Clean Architecture: Removed bloat and unnecessary dependencies while maintaining core functionality
- Bug Bounty Focused: Specialized workflows for reconnaissance, vulnerability hunting, business logic testing, OSINT, and file upload testing
- REST API Endpoints: Simple HTTP API for workflow generation and management
- Comprehensive Assessments: Combine multiple workflows for complete bug bounty assessments
Architecture
Core Components
- REST API Server (src/server.py) - Flask-based HTTP API server with bug bounty workflow endpoints
- MCP Server (src/mcp_server.py) - FastMCP-based server for AI agent communication
- Bug Bounty Workflows - Specialized workflow generation for different phases of testing
- Tool Integration - Comprehensive collection of security testing tools
Quick Start
1. Install Dependencies & Start the Server
2. Test the API
Configuration
Environment Variables
- BUGBOUNTY_MCP_PORT: Server port (default: 8888)
- BUGBOUNTY_MCP_HOST: Server host (default: 127.0.0.1)
- DEBUG: Enable debug mode (default: false)
Command Line Options
- --debug: Enable debug mode
- --port PORT: Set server port
- --host HOST: Set server host
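The README documents three settings, each reachable as an environment variable or a command-line flag, but does not show how they combine. The loader below is an added example, not the project's own src/server.py: it resolves each setting with the precedence a practitioner expects (command-line flag over environment variable over the documented default), validates the port, treats DEBUG as off unless it is an explicit truthy value, and returns warnings for the two settings that change the exposure of the server: debug mode (Flask's debug mode serves the Werkzeug interactive debugger, which executes Python submitted from the browser) and a bind address other than loopback. The argument names and defaults come from this page; the helper names and the warning texts are this example's own.

```python
"""Example settings loader for the documented options (not the project's code).

Precedence: command-line flag > environment variable > README default.
Settings: BUGBOUNTY_MCP_PORT / --port, BUGBOUNTY_MCP_HOST / --host, DEBUG / --debug.
"""
import argparse
import ipaddress
import os
import sys
from dataclasses import dataclass

DEFAULT_PORT = 8888          # README default for BUGBOUNTY_MCP_PORT
DEFAULT_HOST = "127.0.0.1"   # README default for BUGBOUNTY_MCP_HOST


@dataclass(frozen=True)
class ServerConfig:
    host: str
    port: int
    debug: bool


def parse_bool(value: str) -> bool:
    """DEBUG is off unless spelled as an explicit truthy value."""
    return value.strip().lower() in {"1", "true", "yes", "on"}


def parse_port(value: str) -> int:
    """Accept only an integer in the valid TCP port range 1..65535."""
    try:
        port = int(value)
    except ValueError as exc:
        raise ValueError(f"port must be an integer, got {value!r}") from exc
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def is_loopback(host: str) -> bool:
    """True for 'localhost' and any IPv4/IPv6 loopback address."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # hostnames other than localhost are treated as non-loopback
        return False


def load_config(argv: list[str], environ: dict[str, str]) -> ServerConfig:
    """Resolve host, port and debug from CLI flags, then env vars, then defaults."""
    parser = argparse.ArgumentParser(description="example settings loader")
    parser.add_argument("--debug", action="store_true", default=None,
                        help="Enable debug mode")
    parser.add_argument("--port", metavar="PORT", help="Set server port")
    parser.add_argument("--host", metavar="HOST", help="Set server host")
    args = parser.parse_args(argv)

    port_raw = (args.port if args.port is not None
                else environ.get("BUGBOUNTY_MCP_PORT", str(DEFAULT_PORT)))
    host = (args.host if args.host is not None
            else environ.get("BUGBOUNTY_MCP_HOST", DEFAULT_HOST))
    debug = True if args.debug else parse_bool(environ.get("DEBUG", "false"))
    return ServerConfig(host=host, port=parse_port(port_raw), debug=debug)


def config_warnings(cfg: ServerConfig) -> list[str]:
    """Deployment warnings; empty for the defaults (loopback bind, debug off)."""
    warnings: list[str] = []
    if cfg.debug:
        warnings.append(
            "DEBUG is on: Flask debug mode serves the Werkzeug interactive "
            "debugger, which executes Python submitted from the browser; "
            "keep it off outside local development")
    if not is_loopback(cfg.host):
        warnings.append(
            f"host {cfg.host} is not loopback: the REST API is reachable from "
            "other machines; put authentication or a firewall in front of it")
    return warnings


if __name__ == "__main__":
    config = load_config(sys.argv[1:], dict(os.environ))
    print(config)
    for message in config_warnings(config):
        print("WARNING:", message, file=sys.stderr)
```

Run it as a script with the same flags and variables the README lists, for example `DEBUG=true python loader.py --host 0.0.0.0`, and both warnings print to stderr; with no flags and no variables it reports the README defaults and no warnings.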
Key Features
- Bug Bounty Workflow Management: Complete workflow generation for different phases of bug bounty hunting
- Vulnerability Prioritization: Intelligence-driven prioritization based on impact and bounty potential
- File Upload Testing: Specialized framework for file upload vulnerability testing
- OSINT Integration: Comprehensive OSINT gathering workflows
- Business Logic Testing: Structured approach to business logic vulnerability discovery
Dependencies
The project uses uv for fast, reliable dependency management:
Core Dependencies
- Flask: Web framework for REST API
- FastMCP: MCP server framework
- Requests: HTTP client library
- Python 3.11+: Core runtime (supports Python 3.11, 3.12, 3.13)
Development Dependencies
- Ruff: Fast Python linter and formatter
- Bandit: Security vulnerability scanner
- Pydocstyle: Documentation quality checker
- Pyright: Static type checker
- Pre-commit: Git pre-commit hooks framework
Install dependencies:
Add new dependencies:
Code Quality
This project enforces code quality through automated pre-commit hooks:
Standards:
- Line length: 88 characters
- Documentation: Google docstring convention
- Type hints: Required for public APIs
- Security: Bandit security scanning enabled
Enables AI agents to generate and manage specialized bug bounty hunting workflows including reconnaissance, vulnerability testing, OSINT gathering, and file upload testing. Provides REST API endpoints for comprehensive security assessments with intelligence-driven vulnerability prioritization.