How to Use the HackerOne MCP in VS Code Copilot

Q: How do we share the HackerOne MCP Server config in VS Code Copilot?

Save the configuration to .vscode/mcp.json and commit it to your repository. Every team member with the Copilot extension will instantly gain access to the tools.

Q: Can we award bounties using the VS Code Copilot MCP Server?

Yes, run awardbounty from the Copilot chat to trigger researcher payouts. We recommend setting up strict repository permissions to control who can run this tool.

Q: How do we check program scope in VS Code Copilot?

Querying getprogram fetches your program's scope and policy rules directly into your chat. This helps developers confirm if a reported bug is within their team's responsibility.

Q: How do we see active assets?

Call listassets to pull your program's defined targets. This lets your team quickly map incoming vulnerabilities to specific codebases.

Team-wide HackerOne vulnerability management directly from your VS Code Copilot workspace.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect HackerOne MCP to VS Code Copilot

Create your Vinkius account to connect HackerOne to VS Code Copilot and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup HackerOne with VS Code Copilot

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Team-wide triage via the HackerOne MCP Server

`list_reports` lets your entire engineering team view incoming vulnerability submissions directly inside VS Code Copilot. By sharing the configuration in your repo, every developer can query active bugs. Your agent analyzes the reports and suggests code fixes. Developers can run `change_report_state` to mark issues as triaged as soon as they start working on them.

Comment on reports from your editor

`add_report_comment` allows developers to communicate with external security researchers without leaving VS Code Copilot. Your agent drafts technical explanations of the fix to keep researchers informed. This direct channel speeds up the validation process. You maintain a clear log of updates on the HackerOne platform without switching contexts.

Track bounty payouts inside VS Code Copilot

`list_payments` displays your program's financial history to help manage security spend. Your agent can summarize these payouts to show which vulnerability types are costing the most. Execute `award_bounty` directly from the Copilot chat to reward researchers once their fix is deployed. This keeps your engineering and reward cycles perfectly synchronized.

Setup guide

Set up HackerOne MCP in VS Code Copilot

Prerequisites

VS Code 1.99 or later with GitHub Copilot extension
Active Vinkius subscription with a valid endpoint token

1

Open MCP configuration

Open the Command Palette (Cmd+Shift+P / Ctrl+Shift+P) and run "MCP: Add Server". Select HTTP (Streamable) as the server type. VS Code will create .vscode/mcp.json in your workspace.
2

Add the HackerOne MCP

Paste the JSON snippet shown on the right into your .vscode/mcp.json. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com.
3

Switch to Agent mode

Open Copilot Chat (Cmd+Shift+I / Ctrl+Shift+I) and switch to Agent mode using the dropdown. MCP tools are only available in Agent mode — they do not appear in Edit or Ask modes.
4

Verify the connection

In the Copilot Chat input, type # to list available tools. You should see the HackerOne tools listed. Try asking: "List my recent HackerOne transactions" and Copilot will invoke them automatically.

.vscode/mcp.json

{
  "mcpServers": {
    "hackerone-mcp": {
      "url": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
    }
  }
}

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by HackerOne. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect HackerOne now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about HackerOne MCP in VS Code Copilot

Save the configuration to `.vscode/mcp.json` and commit it to your repository. Every team member with the Copilot extension will instantly gain access to the tools.

Yes, run `award_bounty` from the Copilot chat to trigger researcher payouts. We recommend setting up strict repository permissions to control who can run this tool.

Querying `get_program` fetches your program's scope and policy rules directly into your chat. This helps developers confirm if a reported bug is within their team's responsibility.

Call `list_assets` to pull your program's defined targets. This lets your team quickly map incoming vulnerabilities to specific codebases.

Your vulnerability reports and bounty details are protected by Vinkius's secure sandbox. No sensitive security data is cached or used to train models, keeping your bug bounty program fully confidential.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript