# Bugcrowd MCP for AI Agents

> Bugcrowd MCP connects your AI agents directly to Bugcrowd's entire security platform. You gain immediate access to manage bug bounty programs, track every vulnerability submission, and inspect target assets—all through natural conversation. It lets you orchestrate complex cybersecurity workflows without ever touching a dashboard.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** bug-bounty, vulnerability-management, security-testing, crowdsourced-security, incident-response, cybersecurity

## Description

Stop juggling tabs and copy-pasting data between your Bugcrowd console and your ticketing system. This MCP lets you run your entire bug bounty process directly from your AI agent. Instead of navigating through menus to see if a submission is triaged or what the scope of an active program is, you just ask. Your agent pulls the details on demand, giving you instant oversight of vulnerability reports, security programs, and specific assets.

For example, you can tell your agent to list all currently running bug bounty engagements, then ask for the full metadata on a single submission. It's like having an expert analyst sitting next to you who has immediate read-access to every piece of data. You get this power centralized through Vinkius, connecting it to any compatible AI client, letting your team stay focused on fixing bugs instead of finding reports.

## Tools

### create_submission
Allows you to quickly log a new vulnerability submission report into the system.

### get_engagement
Retrieves detailed information for one specific crowd bounty or penetration test engagement.

### get_organization_info
Pulls core configuration details and settings about your overall Bugcrowd organization account.

### get_program
Gets comprehensive details, including scopes and rewards, for a specific security program.

### get_submission
Retrieves all the detailed metadata associated with one particular vulnerability submission report.

### get_target
Gets full details about a specific asset or target that is in scope for testing.

### list_engagements
Lists all active crowd engagements, such as bug bounties and pen tests, currently running.

### list_programs
Retrieves a list of every security program you have set up on the platform.

### list_submissions
Lists all vulnerability submissions, giving you an overview of everything reported across your programs.

### list_targets
Provides a comprehensive list of every asset defined as 'in scope' for your organization or program.

## Prompt Examples

**Prompt:** 
```
Show me all active programs and if my main web app is listed as a target.
```

**Response:** 
```
**Active Programs:**
*   Vinkius Bounty (ID: prog_1)
*   Main Web App (ID: prog_2)
*   Legacy Systems (ID: prog_3)

**Target Check for 'Main Web App':**
Yes, the asset `web-app.company.com` is listed in scope under Program ID `prog_2`. The details show it supports authentication and accepts submissions.
```

**Prompt:** 
```
List all vulnerability reports submitted last week that haven't been triaged yet.
```

**Response:** 
```
**Vulnerability Submissions (Un-triaged)**
| Submission ID | Title | Program | Status |
| :--- | :--- | :--- | :--- |
| sub_99283 | XSS on Login Page | Main Web App | Unresolved |
| sub_10045 | Broken Auth Flow | Vinkius Bounty | Pending Review |
This list shows 2 findings needing immediate attention.
```

**Prompt:** 
```
I found a new bug in the legacy system. Can you log it now?
```

**Response:** 
```
**Submission Created Successfully**
The following vulnerability report has been logged:
*   **Title:** SQL Injection in /api endpoint
*   **Program:** Legacy Systems (prog_3)
*   **ID Assigned:** sub_99284

You can now track this finding's status using its new ID.
```

## Capabilities

### Track and Manage Vulnerability Submissions
List all bug reports across multiple programs or pull deep metadata for a single vulnerability submission.

### Orchestrate Security Programs
See which security programs are active, what their defined scopes are, and what rewards they offer.

### Monitor Bug Bounty Engagements
Get an overview of specific crowd executions or penetration tests that are currently running.

### Inspect Target Assets
View the complete inventory and detailed metadata for all assets in scope (targets) for your organization.

### Log New Vulnerability Reports
Quickly create a new submission record from an external source using plain language prompts.

## Use Cases

### A vulnerability manager needs to check if a newly found bug falls within program scope.
Instead of navigating multiple dashboards, the agent is asked: 'Does this specific flaw count for my main web app?' The agent runs `get_program` and checks the details against the submission metadata using `get_submission`, giving an immediate yes/no answer.

### A security engineer needs to start a new penetration test on assets that haven't been inventoried.
The agent runs `list_targets` first. After confirming the needed assets, it uses `get_target` repeatedly for specific details, then calls `list_engagements`, which lists the engagements currently running, before the new engagement is initiated.

### A CISO needs a quick overview of all active security tests across different teams.
The agent runs `list_programs` to see which programs are running, then uses `list_engagements` to pull the status and scope for every single bug bounty or pen test.

### A researcher finds a critical zero-day vulnerability while reviewing internal documentation.
They simply tell their agent: 'Log this finding now.' The agent uses `create_submission` to file the report immediately, ensuring it's logged with all necessary metadata.

## Benefits

- Stop manually checking submission statuses. You can list all vulnerability submissions or get deep details on a single report using the `list_submissions` or `get_submission` tools, making triage instantaneous.
- Never lose track of program boundaries again. Instantly view and retrieve detailed scope and reward information for any active security program by calling `get_program`.
- Coordination is simplified. Use `list_targets` to quickly see every asset in scope, or use `get_target` to inspect specific target details without leaving your chat window.
- Keep compliance current. Pull organizational settings and core account info using `get_organization_info`, giving you a single source of truth for governance.
- Improve reporting speed. You can create new findings directly via the `create_submission` tool, logging bugs instantly from an external source.

## How It Works

The bottom line is you use natural conversation to interact with complex security data that used to require manual dashboard navigation.

1. Subscribe to this MCP and provide your Bugcrowd API Access Token.
2. Connect the credentialed MCP to your preferred AI client (like Cursor or Claude).
3. Ask your agent a question, like 'List all active bug bounty programs,' and it returns the structured data directly.

## Frequently Asked Questions

**Can I check the scope of a security program using the agent?**
Yes! Use the `get_program` tool with the Program ID. Your agent will fetch the detailed metadata, including targets and scope descriptions, from Bugcrowd.

**How do I list all the vulnerability submissions for my account?**
Simply ask the agent to `list_submissions`. It will retrieve the latest vulnerability reports from your Bugcrowd account, including titles and statuses like 'triaged' or 'resolved'.

**Does the integration allow creating a new submission?**
Yes. Use the `create_submission` action and provide the title and description. You can also associate it with a specific program by providing the `program_id`.