HackerOne MCP. Manage report lifecycle and payments from chat.
Works with every AI agent you already use
…and any MCP-compatible client
Just plug in your AI agents and start using Vinkius.
HackerOne MCP Server manages your entire bug bounty and vulnerability program lifecycle. Connect your organization account to your AI agent to track reports, update statuses, award bounties, and monitor payments without switching tabs.
You can list all vulnerability reports, check program scope, and manage financial history directly from your chat window.
What your AI agents can do
- Add report comment: Adds a specific comment to a vulnerability report.
- Award bounty: Processes and assigns a bounty payment for a given vulnerability report.
- Change report state: Updates the status of a vulnerability report (e.g., marked as triaged or resolved).
- Retrieves comprehensive information about a specific vulnerability report, including its current state and severity.
- Lists and retrieves details about active bug bounty or VDP programs, along with the assets defined within them.
- Changes a report's status (e.g., Triaged, Resolved) and adds internal or external comments directly to the report.
- Processes bounty payments for a report and lists the history of all past bounty payouts.
- Accesses the internal or public hacktivity feed to see a stream of recent security findings.
HackerOne MCP Server: 10 Tools for Bug Bounty Ops
Use these tools to list reports, check program scope, award bounties, and manage the entire lifecycle of vulnerability submissions via your AI client.
- `add_report_comment`: Adds a specific comment to a vulnerability report.
- `award_bounty`: Processes and assigns a bounty payment for a given vulnerability report.
- `change_report_state`: Updates the status of a vulnerability report (e.g., marked as triaged or resolved).
- `get_program`: Retrieves detailed information for a specific security program.
- `get_report`: Fetches detailed information about a specific vulnerability report.
- `list_assets`: Lists all assets defined within your security programs.
- `list_hacktivity`: Shows the internal or public feed of recent security discoveries.
- `list_payments`: Retrieves a history list of all past bounty payments.
- `list_programs`: Lists all bug bounty or VDP programs you have access to.
- `list_reports`: Lists all vulnerability reports submitted to your HackerOne program.
Choose How to Get Started
Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.
Build Your Own
Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.
- Import from OpenAPI, Swagger, or YAML specs
- Create Agent Skills with progressive disclosure
- Deploy to edge with MCPFusion framework
- Built in DLP, auth, and compliance on every call
- Real time usage dashboard and cost metering
- Publish to catalog or keep private
Make Your AI Do More
Start with HackerOne, then connect any of our 4,700+ other servers whenever your AI needs more. One click, no limits.
- Use this MCP plus 4,700+ others, all in one place
- Add new capabilities to your AI anytime you want
- Every connection is secured and compliant automatically
- Track usage and costs across all your servers
- Works with Claude, ChatGPT, Cursor, and more
- New servers added to the catalog every week
What you can do with this MCP connector
Connect your HackerOne organization account to your AI agent. You'll manage your whole bug bounty and vulnerability program lifecycle without leaving your chat window. You can pull up every vulnerability report, check the program scope, and handle payments and payment history right here.
To see all the vulnerability reports submitted to your HackerOne program, you use list_reports. You can then pull up detailed info on a specific report using get_report. You'll find out the report's current state and severity level.
When you need to change a report's status, you use change_report_state to mark it as triaged or resolved. You can also add specific comments to a vulnerability report using add_report_comment.
You can check the scope of your bug bounty or VDP programs by running list_programs to see all available programs, and then use get_program for deep details on a specific one. These programs define assets, which you list with list_assets and check out the details with get_assets.
For the money side of things, you process bounty payments for a report using award_bounty, and you can pull up a history of all past bounty payments with list_payments.
You keep up with fresh security discoveries by checking the internal or public hacktivity feed using list_hacktivity.
How HackerOne MCP Works
1. Subscribe to this server and provide your HackerOne API Token Identifier and Token Value.
2. Connect your preferred AI client (Claude, Cursor, etc.) to the MCP Server.
3. Start by asking your AI client to perform an action, like 'List all high-severity reports submitted this week.' The agent executes the necessary tools and gives you the resulting data.
The bottom line is, you manage your entire bug bounty workflow from one chat window, without leaving your AI agent.
Who Is HackerOne MCP For?
This server is for the Security Program Manager who gets tired of clicking between the Reports tab, the Programs tab, and the Payments history to manage a single vulnerability. It’s for the Bug Bounty Lead who needs to automate bounty awards and communicate status changes in real-time. You're the person who needs a real-time, single source of truth for program health.
Automates the process of reviewing new reports, communicating findings, and awarding bounties to researchers.
Instantly retrieves full report details and severity ratings during the triage process, making investigation faster.
Maintains a real-time overview of incoming vulnerabilities and program health without needing to manually run multiple reports.
What Changes When You Connect
- See the full picture of your program with `list_reports` and `list_programs`. You get a consolidated view of all submitted vulnerabilities and the programs they belong to, eliminating the need to cross-reference multiple dashboards.
- Automate the triage process. When a researcher submits a report, use `get_report` to check the details, then call `change_report_state` to mark it as 'Triaged,' and immediately `add_report_comment` to confirm next steps.
- Handle payments instantly. Don't manually process rewards. Use `award_bounty` to assign a reward to a report, and then `list_payments` to track the financial history of the payout.
- Track program scope effortlessly. Use `list_assets` to see what assets are covered by a program, and `get_program` to understand the specific scope and rules for that asset set.
- Stay current on threats. The `list_hacktivity` tool keeps you updated on the latest security discoveries, giving you a real-time feed of what's happening in the industry without logging into a separate feed.
- Streamline communications. Instead of emailing status updates, use `add_report_comment` to communicate directly on the report, keeping all communication tied to the vulnerability record.
Real-World Use Cases
Triage a High-Severity Vulnerability
A security engineer spots a new high-severity report. Instead of opening the report, checking the program scope, and then updating the status, they ask the agent: 'Get report ID 12345 details, and mark it as Triaged.' The agent runs get_report, then change_report_state, solving the issue in two steps.
Process a Bulk Bounties Week-End
The Bug Bounty Manager has 20 new reports to review. They ask the agent to 'List all reports submitted this week.' The agent runs list_reports, and the manager then calls award_bounty and add_report_comment for each one, completing the entire payout process without leaving the chat.
Verify Program Scope and Assets
The CISO needs to know if a new asset falls under a specific bug bounty program. They ask the agent to 'List all assets for Program XYZ.' The agent runs list_assets, confirming the asset's reachability and ensuring proper governance before accepting a report.
Audit Past Payments
The finance team needs to verify payouts. They ask the agent to 'Show the payment history for the last quarter.' The agent runs list_payments, providing a clean record of all awarded bounties and the associated report IDs.
The Tradeoffs
Jumping between tabs
A user opens the Reports tab, finds the ID, opens the Programs tab to check scope, then manually copies the ID to a payment form.
→
Tell your agent to 'Get report ID 12345 details and check its program scope.' The agent runs get_report and get_program sequentially, giving you all the necessary data in one response.
Manual status updates
A researcher submits a report. The security team remembers to change the status manually in the UI, but forgets to add the internal comment.
→
After running change_report_state to mark the report, immediately use add_report_comment to document the internal team notes. This ensures the record is complete.
Partial payment processing
A manager sees a report needs a bounty but only remembers to click the 'Award' button without specifying the exact amount or reason.
→
Use the award_bounty tool. You define the exact amount and reason in the prompt, ensuring the payment is correctly processed and recorded.
When It Fits, When It Doesn't
Use this server if your job requires moving data or executing logic across multiple, distinct sections of HackerOne—for example, checking the program scope (list_assets), then retrieving the report (get_report), and finally updating the status (change_report_state). The server is designed for complex, multi-step workflows.
Don't use it if you just need to read a single, isolated data point, like checking the list of all programs (list_programs). In that case, a simple API call or the native HackerOne UI is enough. This server adds the orchestration layer, making it better for execution than for simple querying.
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by HackerOne. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS INFRASTRUCTURE
Cloud Hosted
Managed infra
V8 Isolated
Sandboxed per request
Zero-Trust Proxy
No stored credentials
DLP Enforced
Policy on every call
GDPR Compliant
EU data residency
Token Compression
~60% cost reduction
Works with Claude, ChatGPT, Cursor, and more
The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.
This server provides 10 capabilities that interface natively with Claude, ChatGPT, Cursor, and any MCP client. No middleware. No custom integration required.
Available Capabilities
Triage workflow shouldn't take 5 different clicks.
Today, triaging a single vulnerability report means jumping through hoops: You open the report, check the asset list to see if it's covered, then navigate to the program details to confirm the rules, and finally switch to the reports list just to see if others reported the same thing. You spend five minutes just gathering context.
With the HackerOne MCP Server, you tell your agent, 'What's the status and scope of report 12345.' The agent runs `get_report` and `list_assets` for you. You get the full context, right in the chat, and you can act on it immediately.
HackerOne MCP Server: Manage report lifecycle from chat.
The ability to sequence actions—like getting report details via `get_report`, then calling `add_report_comment`, and finally executing `change_report_state`—removes the need to open and close dozens of tabs. It forces a linear, conversational workflow.
You're not just reading data; you're running a dedicated triage session with your AI client. It acts as the program manager you need, making the entire process conversational and traceable.
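One way to keep that sequence traceable on the client side, as an added example that is not Vinkius or HackerOne code: a gate that passes the seven read-only tools, holds the three state-changing ones for a one-shot operator approval, caps bounty totals, and logs every decision. The tool names and the `internal` default come from this page; the `Gate` class and the argument keys `report_id`, `amount`, `bonus_amount`, `state` and `message` are assumptions.

```python
from dataclasses import dataclass, field

# The ten tool names listed on this page, split by whether they change state.
READ_ONLY = {"get_program", "get_report", "list_assets", "list_hacktivity",
             "list_payments", "list_programs", "list_reports"}
STATE_CHANGING = {"add_report_comment", "award_bounty", "change_report_state"}

@dataclass
class Gate:
    max_bounty: float                            # operator-set ceiling per award
    approvals: set = field(default_factory=set)  # one-shot (action, report_id) grants
    audit: list = field(default_factory=list)    # every decision, allowed or denied

    def approve(self, action, report_id):
        self.approvals.add((action, str(report_id)))

    def check(self, tool, args):
        allowed, reason = self._decide(tool, args)
        self.audit.append({"tool": tool, "args": dict(args),
                           "allowed": allowed, "reason": reason})
        return allowed, reason

    def _decide(self, tool, args):
        if tool in READ_ONLY:
            return True, "read-only"
        if tool not in STATE_CHANGING:
            return False, "unknown tool"
        action = tool
        # `internal` defaults to true (per the page); an external comment needs its own grant.
        if tool == "add_report_comment" and args.get("internal", True) is not True:
            action = "add_report_comment:external"
        if tool == "award_bounty":
            # "amount" and "bonus_amount" are assumed argument keys.
            total = args.get("amount", 0) + args.get("bonus_amount", 0)
            if not 0 < total <= self.max_bounty:
                return False, "amount outside limit"
        grant = (action, str(args.get("report_id")))  # "report_id" is an assumed key
        if grant not in self.approvals:
            return False, "needs operator approval"
        self.approvals.discard(grant)                 # one-shot, so a grant cannot be replayed
        return True, "approved"

def demo():
    gate = Gate(max_bounty=500)
    gate.approve("change_report_state", 12345)  # 12345 is the sample ID used on this page
    calls = [("get_report", {"report_id": 12345}),
             ("change_report_state", {"report_id": 12345, "state": "triaged"}),
             ("change_report_state", {"report_id": 12345, "state": "resolved"}),
             ("add_report_comment", {"report_id": 12345, "message": "ok"})]
    return [gate.check(tool, args)[1] for tool, args in calls]
```

Run `check` before forwarding each tool call to the MCP server, and keep `audit` as the record of what the agent attempted, including the calls that were denied.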
Common Questions About HackerOne MCP
How do I use the HackerOne MCP Server to check what reports were submitted this week?
Run list_reports and specify the date range in your prompt. This tool gathers all reports submitted to your program, giving you a count and a list of titles. You can then ask the agent to retrieve details for a specific report ID.
Can I use the HackerOne MCP Server to award a bounty?
Yes, use the award_bounty tool. Simply tell the agent to award a specific dollar amount to a report ID. The agent processes the payment and confirms the researcher has been notified.
What is the difference between `get_report` and `list_reports`?
list_reports gives you a summary list of all reports submitted to your program. get_report requires a specific report ID and returns the complete, detailed record for that single vulnerability.
How do I update a report's status using the HackerOne MCP Server?
Use change_report_state. You just need to provide the report ID and the new status (e.g., 'Triaged'). The agent updates the record and logs the change automatically.
How do I track payments history with the HackerOne MCP Server?
Use the list_payments tool. This tool pulls a record of all past bounty payouts, allowing you to audit the financial history of your bug bounty program.
How do I use the `list_programs` tool to see what security programs I manage?
The list_programs tool retrieves all bug bounty or VDP programs you have access to. This lets you quickly see the names and scopes of every active program without navigating the HackerOne UI.
What can I do with the `get_program` tool regarding asset scope?
The get_program tool pulls specific details about a chosen security program. You can use this data to confirm the structured scopes and assets covered by that program.
How do I check the recent activity using the `list_hacktivity` tool?
The list_hacktivity tool shows you the internal or public hacktivity feed. You can use this to stay updated on recent discoveries and security events across your organization.
How do I generate my HackerOne API Token?
Log in to HackerOne, navigate to Settings > API Token, and click 'Create API Token'. Make sure to copy both the Identifier and the Token Value immediately.
Can I award bounties through this integration?
Yes! Use the award_bounty tool by providing the report ID and the amount. You can also specify an optional bonus amount for the researcher.
Does the integration support internal comments?
Yes, the add_report_comment tool has an optional internal boolean parameter (defaults to true). This allows you to communicate with your team privately on a specific report.
Can I filter reports by their handle or ID?
You can use list_reports to see all reports or get_report with a specific ID to retrieve detailed information for a single discovery.