Skip to main content
Glama

yeswehack-mcp

A Model Context Protocol (MCP) server for the YesWeHack bug bounty platform. Lets Claude query your private and public programs, reports, and the hacktivity feed directly from a conversation.

Features

  • Flexible authentication — browser login, email/password API login, copied bearer tokens, and official Personal Access Tokens.

  • Private programs — returns invite-only programs you have been accepted into, not just public ones.

  • Full program details — scope, reward ranges, status.

  • Report access — list and read reports with severity, CVSS, description, and bounty.

  • Report comments — list report discussion/messages when your account has access.

  • Email aliases — list your YesWeHack email aliases.

  • Program credentials — list credential pools/assigned credentials and request credentials for programs that expose pools.

  • Hacktivity feed — browse publicly disclosed reports.

  • Token caching — the JWT is stored locally and reused until it expires.

Related MCP server: Intigriti MCP Server

Requirements

  • Python 3.10+

  • uv (installed automatically by the setup script if missing)

  • A YesWeHack account

  • WSL2 users: WSLg must be enabled so Chromium can open a window (echo $DISPLAY should return a value)

Installation

git clone https://github.com/youruser/yeswehack-mcp
cd yeswehack-mcp

# Install uv if you don't have it
curl -LsSf https://astral.sh/uv/install.sh | sh

# Install dependencies
uv sync

# Download the Chromium browser used for login
uv run playwright install chromium

Registering with Claude Code

claude mcp add yeswehack -- uv --directory /path/to/yeswehack-mcp run server.py

Replace /path/to/yeswehack-mcp with the actual path where you cloned the repo.

Verify it connected:

claude mcp list
# yeswehack: ... ✓ Connected

Registering with Claude Desktop

Add the following to your Claude Desktop config file:

  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json

  • Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "yeswehack": {
      "command": "uv",
      "args": [
        "--directory",
        "/path/to/yeswehack-mcp",
        "run",
        "server.py"
      ]
    }
  }
}

If uv is not on PATH when Claude Desktop launches, use the absolute path (e.g. /home/youruser/.local/bin/uv).

Usage

Once registered, start every session by authenticating:

You: Call the authenticate tool

With no arguments, a Chromium window opens. Log in to YesWeHack as normal (email + password + 2FA if enabled). The window closes automatically once your session is detected. The token is saved to ~/.config/yeswehack-mcp/token.json and reused for all subsequent calls until it expires.

You can also authenticate without a browser:

authenticate(email="you@example.com", password="...", totp="123456")
authenticate(access_token="eyJ...")        # browser/API bearer token
authenticate(access_token="ywh_pat_...")   # Personal Access Token

Environment variables are supported too:

export YWH_TOKEN="eyJ..."       # browser/API bearer token
export YWH_PAT="ywh_pat_..."    # Personal Access Token

Available tools

Tool

Description

authenticate

Browser login, API login, or store a copied bearer token/PAT

get_current_user

Show your YesWeHack profile (username, rank, reputation)

list_programs

List all programs you have access to, including private invite-only ones

get_program

Full details for a program: scope, reward ranges, status

list_reports

List reports for a program, with optional status filter

get_report

Full details of a specific report (title, severity, CVSS, description, bounty)

list_report_comments

List comments/messages for a report when your token has access

list_email_aliases

List your YesWeHack email aliases

get_program_credentials

List credential pools and assigned credentials for a program

request_program_credentials

Request credentials from a program credential pool

yeswehack_api_get

Read-only escape hatch for authenticated API endpoints not wrapped yet

get_hacktivity

Browse the public hacktivity (disclosed reports) feed

Example prompts

List all my private programs on YesWeHack.

Show me the scope for the program with slug "acme-corp".

List my YesWeHack email aliases.

Get credentials for program "acme-corp".

List all accepted reports for program "acme-corp".

Get the full details of report 12345.

Show me the latest hacktivity, page 2.

Token storage

The token is saved to ~/.config/yeswehack-mcp/token.json. It contains only the token and its expiry timestamp — no account password is ever stored. Browser/API session JWTs use their embedded expiry. Opaque Personal Access Tokens are cached locally until the YesWeHack API rejects them. The browser profile (cookies, localStorage) is kept at ~/.config/yeswehack-mcp/browser-profile so you do not have to fill in your email every time you re-authenticate.

To log out, delete the token file:

rm ~/.config/yeswehack-mcp/token.json

Project structure

yeswehack-mcp/
├── server.py        # FastMCP entry point — all tool definitions
├── auth.py          # Playwright browser login + token storage
├── client.py        # httpx async API wrapper with pagination
└── pyproject.toml   # Dependencies and build config

WSL2 display setup

Playwright needs a display to open the browser window. On WSL2 with WSLg this works out of the box. If you see an error about DISPLAY not being set:

# Check if WSLg is running
echo $DISPLAY        # should print something like :0
ls /mnt/wslg        # should exist

# If not, ensure you are on a recent WSL2 version with WSLg support
wsl --update         # run from Windows PowerShell

License

MIT

F
license - not found
-
quality - not tested
D
maintenance

Maintenance

Maintainers
Response time
Release cycle
Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/sebastianolaru3008/yeswehack-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server