Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@HackerOne MCP ServerWhat assets are in scope for the Uber bug bounty program?"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
HackerOne MCP Server
Disclaimer: This is an unofficial, community-built project. It is not affiliated with, endorsed by, or maintained by HackerOne. "HackerOne" is a trademark of HackerOne, Inc. This project simply integrates with their publicly documented Hacker API.
MCP server that gives Claude Code (or any MCP client) live access to your HackerOne reports, programs, earnings, and scope data via the HackerOne API.
Setup
1. Get your HackerOne API token
Go to HackerOne > Settings > API Token and generate one.
2. Install and build
git clone https://github.com/Sicks3c/hackerone-mcp-server.git
cd hackerone-mcp-server
npm install
npm run build3. Add to Claude Code
claude mcp add hackerone \
-e H1_USERNAME=your-username \
-e H1_API_TOKEN=your-api-token \
-s user \
-- node /path/to/hackerone-mcp-server/dist/index.jsOr add manually to ~/.claude.json:
{
"mcpServers": {
"hackerone": {
"command": "node",
"args": ["/path/to/hackerone-mcp-server/dist/index.js"],
"env": {
"H1_USERNAME": "your-username",
"H1_API_TOKEN": "your-api-token"
}
}
}
}4. Verify
claude
> /mcp
# You should see "hackerone" listed with 9 toolsTools
Tool | Description |
| Search and filter your reports by keyword, program, severity, or state |
| Get full report details by ID (title, vuln info, severity, timestamps) |
| Get a report with its triage conversation thread |
| Get activity timeline (comments, state changes, bounties) |
| List bug bounty programs you have access to |
| Analyze your hunting patterns (severity distribution, top programs, weakness types) |
| Get in-scope assets for a program (asset types, bounty eligibility, severity caps) |
| Get accepted CWE/weakness types for a program |
| Get your bounty earnings history (amounts, dates, programs) |
Usage Examples
Search reports by program:
Search my reports for the ipc-h1c-aws-tokyo-2026 programDraft a report matching your style:
Find my resolved critical reports and use the same structure to draft a new report for this SSRF I found.Learn from triage conversations:
Show me the triage conversation on report #2345678. What questions did they ask?Check program scope before reporting:
What assets are in scope for the uber program?Track earnings:
Show my recent bounty earningsAnalyze patterns:
Analyze my report patterns — what severity gets resolved most?How It Works
Connects to the HackerOne Hacker API v1 using your personal API token
Runs locally over stdio — your credentials never leave your machine
Read-only — cannot submit, modify, or delete reports
Filtering (program, severity, state, keyword) is done client-side since the hacker API only supports pagination
License
MIT
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.