How to Use the HackerOne MCP in Claude

Q: How do I configure the HackerOne MCP Server in Claude Desktop?

Open your local claudedesktopconfig.json file and add the server configuration under the mcpServers key. Restart the app, and you will see the tools ready to use in your chat window.

Q: Can Claude Desktop automate my HackerOne triage using this MCP Server?

Yes, by combining listreports and addreportcomment to draft replies to researchers. You can review the drafted comments in your desktop chat before they go live.

Q: Does Claude Desktop handle HackerOne bounty payouts?

The awardbounty tool allows Claude Desktop to trigger payouts directly from your prompt. We recommend manual verification before executing this tool to prevent accidental financial transfers.

Q: How do I view my active scope?

Use listprograms to fetch your active programs, then run listassets to see the defined scope. This lets you quickly check if a researcher's submission matches your actual attack surface.

Run your HackerOne bug bounty triage directly from Claude Desktop without jumping between browser tabs.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect HackerOne MCP to Claude Desktop

Create your Vinkius account to connect HackerOne to Claude Desktop and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup HackerOne with Claude Desktop

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Triage HackerOne reports inside Claude Desktop

`list_reports` pulls your active bug submissions directly into your local chat interface. Your agent reads the incoming vulnerability details, checks the severity, and flags duplicates against previous submissions. You do not need to log into the web dashboard to change a report status. Run `change_report_state` to transition validated bugs to triaged or resolve them once patched.

Run HackerOne program audits in your workspace

`get_program` pulls scope rules and asset lists directly into your desktop environment. This lets your agent compare reported vulnerabilities against your declared scope to instantly spot out-of-scope submissions. Run `list_assets` to verify if a reported domain or endpoint is actually on your target list. Claude Desktop processes this data locally, keeping your program scope visible during active triage sessions.

Manage bounty payments with this MCP Server

`list_payments` retrieves your complete bounty transaction history directly inside the Claude Desktop chat window. Your agent analyzes past payouts to keep your current spending aligned with your budget. Execute `award_bounty` to reward researchers for valid findings without leaving your desktop terminal. You retain final approval on every transaction, keeping financial control secure.

Setup guide

Set up HackerOne MCP in Claude Web or Desktop

1

Open Claude Settings

Go to claude.ai, click your profile icon, then navigate to Customize → Connectors.
2

Add Custom Connector

Click the "+" button and select Add custom connector. Paste your Vinkius endpoint URL: https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp Replace [YOUR_TOKEN_HERE] with your token from cloud.vinkius.com. For OAuth-protected servers, expand Advanced settings to add credentials.
3

Start a conversation

Open a new chat. The HackerOne MCP tools are available immediately — no restart needed.

Endpoint URL

https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp

No configuration file needed — paste the URL directly in the Claude web interface.

Available on Free (1 connector), Pro, Max, Team, and Enterprise plans.

Prerequisites

Claude Desktop installed (macOS or Windows)
Active Vinkius subscription with a valid endpoint token

1

Open Claude Desktop Settings

Click the menu icon at the top-left corner, go to Settings → Developer → Edit Config. This opens claude_desktop_config.json in your default text editor.
2

Paste the HackerOne MCP configuration

Copy the JSON snippet on the right into the mcpServers object. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com.
3

Restart Claude Desktop

Close and reopen the application. Claude needs a full restart to load new MCPs — refreshing a conversation is not enough.
4

Verify the connection

Open a new conversation. Click the 🔌 icon at the bottom of the message input. You should see tools listed under hackerone-mcp.

json

{
  "mcpServers": {
    "hackerone-mcp": {
      "url": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
    }
  }
}

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by HackerOne. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect HackerOne now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about HackerOne MCP in Claude Desktop

Open your local `claude_desktop_config.json` file and add the server configuration under the `mcpServers` key. Restart the app, and you will see the tools ready to use in your chat window.

Yes, by combining `list_reports` and `add_report_comment` to draft replies to researchers. You can review the drafted comments in your desktop chat before they go live.

The `award_bounty` tool allows Claude Desktop to trigger payouts directly from your prompt. We recommend manual verification before executing this tool to prevent accidental financial transfers.

Use `list_programs` to fetch your active programs, then run `list_assets` to see the defined scope. This lets you quickly check if a researcher's submission matches your actual attack surface.

Your vulnerability reports and payment records remain strictly within your local Claude Desktop environment. Vinkius handles the connection via a secure, ephemeral sandbox, meaning your raw security data is never stored or used for model training.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript