Bugcrowd MCP. Manage vulnerability programs from your chat client.
Bugcrowd. Manage all crowdsourced security and bug bounty programs directly through any AI agent. Use this server to list programs, track specific submissions, get target asset details, and create new vulnerability reports using natural language commands.
It gives your agent a direct view into your entire vulnerability management lifecycle.
What your AI agents can do
Create submission
Generates and submits a new vulnerability finding to a specified program.
Get engagement
Retrieves full details for a single bug bounty or penetration test.
Get organization info
Pulls core administrative information about the Bugcrowd account.
The agent can fetch a list of all security programs, returning details like names and scopes.
You can pull detailed metadata for a single submission using its ID.
The agent accesses and displays all scoped details for one security program.
The agent pulls a comprehensive list of all active bug bounties and penetration tests.
The agent lists all assets that are currently in scope for your organization.
Bugcrowd MCP Server: 10 Tools for Security Management
Use these tools to list, retrieve, and create data points across your vulnerability programs, submissions, and assets.
create submission
Generates and submits a new vulnerability finding to a specified program.
get engagement
Retrieves full details for a single bug bounty or penetration test.
get organization info
Pulls core administrative information about the Bugcrowd account.
get program
Gets all scoped details for one specific security program.
get submission
Retrieves the full metadata for one specific vulnerability report.
get target
Gets all scoped details for one specific asset (target).
list engagements
Lists all ongoing crowd efforts, such as bug bounties or pen tests.
list programs
Lists all active security programs managed by the account.
list submissions
Lists the metadata for all vulnerability submissions across all programs.
list targets
Lists every asset that is currently in scope for the organization.
What you can do with this MCP connector
This server lets your AI agent run your whole bug bounty operation right from your chat window. You can list every active security program, check the details for a specific program, or pull all the core administrative settings for your Bugcrowd account. To keep tabs on what's happening, your agent can list all ongoing crowd efforts—like bug bounties or pen tests—and check the details for any single engagement.
You'll also get a full list of every asset in scope for your organization, and you can get the full details for any specific target. When it's time to file a finding, your agent generates and submits a new vulnerability report to a specific program. You can list all vulnerability submissions across every program, or pull the detailed metadata for one specific report.
You'll also be able to get the full metadata for any single bug bounty or penetration test.
How Bugcrowd MCP Works
1. Subscribe to the Bugcrowd server and enter your API Access Token.
2. Your AI client calls a specific tool (e.g., `list_programs`) and passes necessary parameters.
3. The server executes the tool call, retrieves the raw data, and passes a clean, structured response back to your agent for use.
The bottom line is, your AI agent talks to the Bugcrowd API and gets back organized data without you ever leaving your primary workflow.
Who Is Bugcrowd MCP For?
This server is for Security Engineers and Analysts who spend too much time clicking through dashboards, for Vulnerability Managers who need to triage reports and check program status inside their existing workflow tools, and for CISOs and Security Leads who need to monitor program health and target coverage using plain language.
Checks submission statuses, pulls metadata for programs, and verifies if a reported vulnerability relates to an in-scope target.
Retrieves and triages vulnerability reports directly from the agent, speeding up the manual report review process.
Monitors program health, checks target coverage, and views overall organizational settings without logging into the Bugcrowd portal.
What Changes When You Connect
- See all active programs instantly. Instead of navigating through the Bugcrowd dashboard to list programs, the agent runs `list_programs` and gives you the list right away. You know exactly what programs are running.
- Triage submissions without context switching. When you need to check a report, use `get_submission` to get all the metadata you need, without opening a single browser tab.
- Track active bounties easily. Use `list_engagements` to see every running bug bounty or pen test. You don't have to remember which engagement IDs are active.
- Verify scope and assets. Before writing a report, use `list_targets` to confirm if the asset is in scope. This prevents wasted effort and keeps reports accurate.
- Create findings on the fly. If you find a vulnerability, you can use `create_submission` to submit the finding directly from your chat, logging it immediately.
- Understand the entire scope. Use `get_organization_info` to pull high-level data on the account and `list_targets` to map out all organizational assets in one go.
Real-World Use Cases
A security team needs to audit all active programs.
The team runs the agent command: 'List all active security programs.' The agent uses list_programs, which returns a list of all program names and IDs. This allows the team to quickly verify that all intended programs are running and that no scope creep has occurred.
A security engineer finds a vulnerability and needs to report it.
The engineer runs: 'Submit a new finding for the Main Web App program.' The agent uses create_submission, which handles the formatting and submission process. The finding is logged immediately, and the engineer doesn't have to copy and paste anything into a web form.
A vulnerability manager needs to check a specific report's status.
The manager asks the agent to 'Show me the details for submission ID sub_99283.' The agent calls get_submission, and the manager gets the full metadata, including triage status and severity, right in the chat window.
A CISO needs a full view of all monitored assets.
The CISO asks the agent, 'What are all the targets in scope?' The agent uses list_targets, providing a complete list of assets. This instantly helps the CISO confirm target coverage across multiple programs.
The Tradeoffs
Manual Dashboard Review
Having to open the Bugcrowd portal, navigate to 'Programs,' click each program individually to check its scope, and then copy/paste IDs to check submissions.
→
Instead, ask your agent to run list_programs to get the list, and then use list_submissions to get all recent findings across all programs in one step.
Fragmented Data Retrieval
Calling get_program for details, then having to call list_submissions using the program ID, and then calling get_submission for the details—all in separate steps.
→
Build a single prompt that asks for the outcome: 'Give me the status of all submissions for the Main Web App.' The agent handles the necessary sequence of tool calls (list_submissions -> get_submission).
Ignoring Scope Checks
Writing a report for an asset you aren't sure is covered, wasting time, or submitting a finding that gets rejected because the target isn't properly scoped.
→
Always run list_targets first. This confirms every asset is in scope before you start your work. Then, use get_target if you need details on that specific asset.
When It Fits, When It Doesn't
Use this server if your job requires tracking or managing vulnerability data across multiple, distinct programs. You need to answer questions like, 'What is the status of the program?' or 'Did this submission relate to a known target?' If you only need to check a single, static piece of information (like a single report ID), you might only need get_submission. However, if you need to compare, list, or create data, this server is mandatory. Don't use this if your workflow is purely educational; you need the live API connection to make it useful. If you are building an automation that requires multiple data points (e.g., list targets AND list programs), this single server handles the complex linking.
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Bugcrowd. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS INFRASTRUCTURE
- Cloud Hosted: Managed infra
- V8 Isolated: Sandboxed per request
- Zero-Trust Proxy: No stored credentials
- DLP Enforced: Policy on every call
- GDPR Compliant: EU data residency
- Token Compression: ~60% cost reduction
Works with Claude, ChatGPT, Cursor, and more
The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.
This server provides 10 capabilities that interface natively with Claude, ChatGPT, Cursor, and any MCP client. No middleware. No custom integration required.
Available Capabilities
Checking program status shouldn't require logging into a dashboard.
Today, checking the health of a security program means logging into the Bugcrowd portal. You have to click through the dashboard, find the program list, and then drill down into the details page just to see the current scope or status. It’s a lot of clicking and context switching.
With this MCP server, you just talk to your agent. You ask, 'What is the status of the Main Web App program?' and the agent uses `get_program` to pull the scope and status directly into your chat. You get the answer immediately.
Bugcrowd MCP Server: Track submissions and targets.
Manual processes force you to list submissions first via `list_submissions`, then pull the specific report using `get_submission`, and if you need to know what asset was hit, you have to call `get_target` separately. This multi-step process is slow and error-prone.
Now, you can ask your agent to correlate data points. You get the full context in one go. The data flows directly from the Bugcrowd API into your workflow, making the entire process instantaneous.
Common Questions About Bugcrowd MCP
How do I use the `list_programs` tool with Bugcrowd MCP Server?
Simply ask your agent to 'List all active security programs.' The agent uses list_programs and returns a list of all programs and their IDs. This helps you know what programs are available to track.
What information does `get_submission` provide?
get_submission pulls detailed metadata for a single vulnerability report. This includes the submission date, severity, and the current triage status, which is critical for remediation planning.
Can I use `create_submission` with Bugcrowd MCP Server?
Yes. You tell your agent to 'Create a new submission for the Main Web App.' The agent uses create_submission to submit the finding to the correct program ID, logging it immediately.
Does `list_targets` show all assets?
Yes. list_targets returns a comprehensive list of every asset in scope for your organization. This is useful for confirming coverage when planning a new bug bounty.
What should I do if I get an error when calling `list_submissions`?
The error usually means the submitted data is malformed or the API token lacks the required permissions. Check your token's scope and ensure the submission IDs you pass are valid.
How do I get details for a specific engagement using `get_engagement`?
You must provide the unique engagement ID in the request. The response details include the bounty type, start date, and the associated program ID.
Does `list_programs` only show active security programs?
Yes, the tool lists all security programs that are currently active in your Bugcrowd account. You'll see the program name, its ID, and its current status.
What is the purpose of `get_organization_info`?
This tool retrieves core organizational data, giving you access to general account settings. You can check things like your company name and the main API account owner.
Can I check the scope of a security program using the agent?
Yes! Use the get_program tool with the Program ID. Your agent will fetch the detailed metadata, including targets and scope descriptions, from Bugcrowd.
How do I list all the vulnerability submissions for my account?
Simply ask the agent to list_submissions. It will retrieve the latest vulnerability reports from your Bugcrowd account, including titles and statuses like 'triaged' or 'resolved'.
Does the integration allow creating a new submission?
Yes. Use the create_submission action and provide the title and description. You can also associate it with a specific program by providing the program_id.