How to Use the HackerOne MCP in Cursor

Q: How do I add the HackerOne MCP Server to Cursor?

Create a .cursor/mcp.json file in your project root and define the server settings under Cursor's MCP configuration panel. Enable Agent mode in your editor chat to start using the security tools.

Q: Can I use Cursor to close a HackerOne report using the MCP Server?

Yes, run changereportstate from the Cursor chat to update the status to resolved. This lets you close out reports the moment your patch is merged.

Q: How does Cursor help me verify HackerOne assets?

By calling listassets directly within your editor to match incoming vulnerability reports against your code repository. This helps you quickly identify which microservice owns the broken endpoint.

Q: Can I check past payouts?

Use listpayments to pull your history into the editor. This helps you track budget allocation for specific vulnerability types.

Write secure code and triage HackerOne vulnerabilities inside Cursor with live API context.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect HackerOne MCP to Cursor

Create your Vinkius account to connect HackerOne to Cursor and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup HackerOne with Cursor

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Fix HackerOne bugs directly in Cursor

`get_report` pulls the exact technical details of a vulnerability report directly into your active coding file. Your agent reads the proof-of-concept code and highlights the vulnerable lines in your editor. You write the patch while the agent references the live report details. Once the fix is committed, use `add_report_comment` to update the researcher on your progress.

Track public security trends with Cursor

`list_hacktivity` retrieves the public feed of disclosed vulnerabilities directly into your editor's sidebar. This lets you study real-world exploits while writing your own defensive code. Your agent analyzes these public reports to suggest security patches for your current project. You get real-world threat intelligence without opening a web browser.

Verify scope using the HackerOne MCP Server

`list_programs` displays all security programs you manage directly inside the Cursor terminal. Your agent uses this list to verify program rules before you push code changes. Run `list_assets` to see which endpoints are in-scope for each program. This ensures your development team always knows which systems are actively being tested by external researchers.

Setup guide

Set up HackerOne MCP in Cursor

Prerequisites

Cursor installed (macOS, Windows, or Linux)
Active Vinkius subscription with a valid endpoint token

1

Open MCP Settings

Go to Cursor Settings → MCP or open the Command Palette (Cmd+Shift+P / Ctrl+Shift+P) and search for "MCP: Add Server".
2

Add the HackerOne MCP

Cursor will create or open .cursor/mcp.json in your project root. Paste the JSON snippet on the right. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com.
3

Enable Agent mode

Open Composer (Cmd+I / Ctrl+I) and switch to Agent mode using the dropdown at the top. MCP tools are only available in Agent mode.
4

Verify the connection

Ask Cursor something like "List my recent HackerOne transactions." If the MCP tools are loaded correctly, Cursor will call the HackerOne tools automatically. You can also check Settings → MCP for a green status indicator.

.cursor/mcp.json

{
  "mcpServers": {
    "hackerone-mcp": {
      "url": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
    }
  }
}

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by HackerOne. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect HackerOne now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about HackerOne MCP in Cursor

Create a `.cursor/mcp.json` file in your project root and define the server settings under Cursor's MCP configuration panel. Enable Agent mode in your editor chat to start using the security tools.

Yes, run `change_report_state` from the Cursor chat to update the status to resolved. This lets you close out reports the moment your patch is merged.

By calling `list_assets` directly within your editor to match incoming vulnerability reports against your code repository. This helps you quickly identify which microservice owns the broken endpoint.

Use `list_payments` to pull your history into the editor. This helps you track budget allocation for specific vulnerability types.

Your program details and vulnerability reports are processed locally inside Cursor's secure workspace. Vinkius routes the API requests through zero-trust infrastructure, ensuring your sensitive security posture is never exposed to third parties.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript