HackerOne MCP Server

Instructions

Implementation Reference

• src/h1client.ts:181-205 (handler)

  The actual implementation of the getReport function that fetches and processes the report data.

  export async function getReport(reportId: string) {
    const data = await h1Fetch(`/hackers/reports/${reportId}`);
    const r = data.data;
    const attrs = r.attributes;
    const sev = r.relationships?.severity?.data?.attributes;
  
    return {
      id: r.id,
      title: attrs.title,
      state: attrs.state,
      created_at: attrs.created_at,
      closed_at: attrs.closed_at,
      triaged_at: attrs.triaged_at,
      bounty_awarded_at: attrs.bounty_awarded_at,
      disclosed_at: attrs.disclosed_at,
      severity: sev?.rating ?? null,
      vulnerability_information: attrs.vulnerability_information,
      weakness: r.relationships?.weakness?.data?.attributes?.name ?? null,
      program:
        r.relationships?.program?.data?.attributes?.handle ?? null,
      structured_scope:
        r.relationships?.structured_scope?.data?.attributes?.asset_identifier ??
        null,
    };
  }

• src/index.ts:88-113 (registration)

  The MCP tool registration for 'get_report', which invokes the getReport function.

  // ── Tool: get_report ───────────────────────────────────────────────
  server.tool(
    "get_report",
    "Get the full details of a specific HackerOne report by ID. Returns title, vulnerability details, impact, severity, CVSS, timestamps, and program info.",
    {
      report_id: z.string().describe("The HackerOne report ID"),
    },
    async ({ report_id }) => {
      try {
        const report = await getReport(report_id);
        return {
          content: [
            {
              type: "text" as const,
              text: JSON.stringify(report, null, 2),
            },
          ],
        };
      } catch (err: any) {
        return {
          content: [{ type: "text" as const, text: `Error: ${err.message}` }],
          isError: true,
        };
      }
    }
  );