HackerOne MCP Server
The HackerOne MCP Server enables bug bounty hunters to manage their HackerOne activities through Claude Code or other MCP clients, providing read and write access to reports, programs, earnings, and scope data via the HackerOne API.
Report Management:
Search and filter reports by keyword, program, severity, or state
Retrieve full report details (title, CVSS vectors, bounty amounts, timestamps, attachments)
View complete triage conversation threads
Browse activity timelines (comments, state changes, bounty awards)
Submit new vulnerability reports, add comments, or withdraw/close your own reports
Program Exploration:
List all bug bounty programs you have access to
Retrieve in-scope assets (asset types, bounty eligibility, severity caps)
Get accepted vulnerability/weakness types (CWEs) for a specific program
Earnings & Profile:
View bounty earnings history (amounts, currency, dates) and current balance
Retrieve your hacker profile (reputation, signal, impact, rank)
Analytics:
Analyze your hunting patterns: severity distribution, top programs, common weakness types, and resolution rates
Search publicly disclosed reports on HackerOne's hacktivity for reconnaissance and learning
Technical Highlights:
Connects via the HackerOne Hacker API v1 using a personal API token; credentials stay local
Auto-paginates results, uses server-side filters for faster searches
Built-in retry with exponential backoff for rate limiting and a 60-second response cache
Provides tools for interacting with the HackerOne API to manage vulnerability reports, bug bounty programs, and earnings, including capabilities to submit findings, respond to triage, and analyze hunting patterns.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type @ followed by the MCP server name and your instructions, e.g., "@HackerOne MCP Server What assets are in scope for the Uber bug bounty program?"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
HackerOne MCP Server
Disclaimer: This is an unofficial, community-built project. It is not affiliated with, endorsed by, or maintained by HackerOne. "HackerOne" is a trademark of HackerOne, Inc. This project simply integrates with their publicly documented Hacker API.
MCP server that gives Claude Code (or any MCP client) full access to your HackerOne reports, programs, earnings, and scope data via the HackerOne API — including submitting reports and responding to triage.
Setup
1. Get your HackerOne API token
Go to HackerOne > Settings > API Token and generate one.
2. Install and build
git clone https://github.com/Sicks3c/hackerone-mcp-server.git
cd hackerone-mcp-server
npm install
npm run build
3. Add to Claude Code
claude mcp add hackerone \
-e H1_USERNAME=your-username \
-e H1_API_TOKEN=your-api-token \
-s user \
-- node /path/to/hackerone-mcp-server/dist/index.js
Or add manually to ~/.claude.json:
{
  "mcpServers": {
    "hackerone": {
      "command": "node",
      "args": ["/path/to/hackerone-mcp-server/dist/index.js"],
      "env": {
        "H1_USERNAME": "your-username",
        "H1_API_TOKEN": "your-api-token"
      }
    }
  }
}
4. Verify
claude
> /mcp
# You should see "hackerone" listed with 16 tools
Tools
Read
Tool | Description |
| Search and filter your reports by keyword, program, severity, or state |
| Get full report details including CVSS vector, bounty amounts, and attachments |
| Get a report with its triage conversation thread |
| Get activity timeline (comments, state changes, bounties) |
| List all bug bounty programs you have access to (auto-paginates) |
| Get single program info: policy, response times, metrics |
| Get all in-scope assets for a program (auto-paginates) |
| Get accepted CWE/weakness types for a program (auto-paginates) |
| Get your bounty earnings history (amounts, dates, programs) |
| Get your reputation, signal, impact, and rank |
| Get your current unpaid bounty balance |
| Analyze your hunting patterns (severity distribution, top programs, weakness types) |
| Search publicly disclosed reports on hacktivity — great for recon and learning |
Write
Tool | Description |
| Submit a new vulnerability report to a program |
| Add a comment to an existing report (respond to triage) |
| Withdraw/close one of your own reports |
Usage Examples
Submit a report directly:
Submit this SSRF finding to the uber program with critical severity. Here's my writeup: [paste]
Respond to triage:
Add a comment to report #2345678: "Here's the updated PoC with the new endpoint..."
Draft a report matching your style:
Find my resolved critical reports and use the same structure to draft a new report for this SSRF I found.
Learn from triage conversations:
Show me the triage conversation on report #2345678. What questions did they ask?
Research what gets paid:
Search disclosed reports on the uber program for SSRF — what did they pay?
Check program details before hunting:
Show me the uber program details — what are their response times?
Check your stats:
Show my hacker profile — what's my current reputation and signal?
Track earnings:
Show my recent bounty earnings and current balance
Analyze patterns:
Analyze my report patterns — what severity gets resolved most?
How It Works
Connects to the HackerOne Hacker API v1 using your personal API token
Runs locally over stdio — your credentials never leave your machine
Supports both read and write operations (submit reports, add comments, close reports)
Auto-paginates programs, scope, and weakness endpoints so nothing gets silently truncated
Uses server-side API filters where available (program, severity, state) for faster searches
Built-in retry with exponential backoff for rate limit handling
60-second response cache to reduce redundant API calls
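The pagination, backoff and cache behaviour listed above can be sketched as a small Node client; this is an added example, not code from the project, and `createClient`, `getAll` and `fakeTransport` are hypothetical names. It adds two checks a reviewer would look for in a client that holds an API token: requests are pinned to the API prefix, and error text never includes the credentials. Assumptions: the base URL shown, HTTP Basic auth with username and token, rate limiting signalled by HTTP 429, a 500 ms base delay, and JSON:API-style `data` and `links.next` fields.

```javascript
// Added example with hypothetical names; Node 18+. Only idempotent GETs are
// retried and cached; report submissions and comments must bypass both.
const BASE = "https://api.hackerone.com/v1/hackers"; // assumed base URL
function createClient({ username, token, fetchImpl = fetch, now = Date.now, ttlMs = 60_000,
    maxRetries = 4, sleep = (ms) => new Promise((r) => setTimeout(r, ms)) }) {
  const auth = "Basic " + Buffer.from(`${username}:${token}`).toString("base64");
  const cache = new Map(); // url -> { at, body }
  async function get(url) {
    // Pin every request, including server-supplied next links, to the API
    // prefix so the Basic credentials are never sent to another host.
    if (!url.startsWith(BASE + "/")) throw new Error("refusing off-API URL");
    const hit = cache.get(url);
    if (hit && now() - hit.at < ttlMs) return hit.body;
    for (let attempt = 0; ; attempt++) {
      const res = await fetchImpl(url, { headers: { Authorization: auth } });
      if (res.status === 429 && attempt < maxRetries) {
        await sleep(500 * 2 ** attempt); // 500 ms, 1 s, 2 s, 4 s (assumed base)
        continue;
      }
      // Error text carries the status only, never headers or the token.
      if (!res.ok) throw new Error(`HackerOne API returned ${res.status}`);
      const body = await res.json();
      cache.set(url, { at: now(), body });
      return body;
    }
  }
  // Follow links.next until it is absent so long lists are not truncated.
  async function getAll(path) {
    const items = [];
    for (let url = BASE + path; url; ) {
      const page = await get(url);
      items.push(...page.data);
      url = page.links?.next ?? null;
    }
    return items;
  }
  return { get, getAll };
}

// Constructed transport for an offline run: one 429, then two pages.
function fakeTransport(log) {
  const reply = (status, body) => ({ status, ok: status < 300, json: async () => body });
  return async (url) => {
    log.push(url);
    if (log.length === 1) return reply(429, {});
    return url.includes("page") ? reply(200, { data: [{ id: "2" }], links: {} })
      : reply(200, { data: [{ id: "1" }], links: { next: url + "?page%5Bnumber%5D=2" } });
  };
}
```

Write operations are deliberately left out of the retry loop: replaying a report submission after a timeout can create a duplicate report.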
License
MIT
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Sicks3c/hackerone-mcp-server'
If you have feedback or need assistance with the MCP directory API, please join our Discord server