HackerOne MCP. Triage Reports, Manage Bounties, Track Payments.
HackerOne connects your security team directly to bug bounty program operations. Use this MCP to manage vulnerabilities, track assets, and handle payments without leaving your chat window. You can list reports, change their status, add comments, award bounties, and view payment history—all through natural conversation.
Give Claude and any AI agent real-world access
Retrieve lists of submitted bug bounty reports or pull detailed information about a specific finding.
List and monitor the defined assets within your security programs to understand scope reachability.
Change a report's official state (like triaged) or add internal comments to communicate with researchers.
Access the history of bounty payments and award rewards directly for specific vulnerability reports.
List all available bug bounty or VDP programs you have access to, along with their structured assets.
What AI agents can do with HackerOne: 10 Tools for Security Ops
These tools give you granular control over every aspect of bug bounty management—from listing reports to awarding bounties and checking asset scope.
Make your AI actually useful.
Add this MCP to Claude, Cursor, or Windsurf and your AI stops guessing. It gets real tools to look things up, take action, and handle the stuff you keep doing by hand.
Add Report Comment
Allows you to add a specific comment directly to any vulnerability report.
Award Bounty
Processes and awards a bounty payment for a designated vulnerability report.
Change Report State
Updates the official state of a vulnerability report, such as marking it triaged or...
Get Program
Retrieves detailed information about a specific security program you manage.
Get Report
Pulls comprehensive details for one particular vulnerability report ID.
List Assets
Generates a list of assets defined in your security programs, helping map out coverage.
List Hacktivity
Pulls the recent internal or public hacktivity feed to see what's been discovered lately.
List Payments
Retrieves a history of all bounty payments made through HackerOne.
List Programs
Shows you a list of bug bounty or VDP programs that are available to your account.
List Reports
Lists all vulnerability reports submitted within the scope of your current HackerOne...
Security and governance baked right in.
Pick your AI client below to get set up. Just create a Vinkius account, subscribe, and you're instantly up and running. We handle the entire backend infrastructure, delivering out-of-the-box support for HTTPS Streamable, SSE, and OAuth2—zero messy routing required.
Choose How to Get Started
Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.
Build Your Own
Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.
- Import from OpenAPI, Swagger, or YAML specs
- Create Agent Skills with progressive disclosure
- Deploy to edge with MCPFusion framework
- Built in DLP, auth, and compliance on each call
- Real time usage dashboard and cost metering
- Publish to catalog or keep private
Make Your AI Do More
Start with HackerOne, then connect any of our 5,200+ other servers whenever your AI needs more. One click, no limits.
- Use this MCP plus 5,200+ others, all in one place
- Add new capabilities to your AI anytime you want
- Connections are secured and governed automatically
- Track usage and costs across all your servers
- Works with Claude, ChatGPT, Cursor, and more
- New servers added to the catalog weekly
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by HackerOne. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS CLOUD
- Cloud Hosted: Managed infra
- V8 Isolated: Sandboxed per request
- Zero-Trust Proxy: No stored credentials
- DLP Enforced: Policy on each call
- GDPR Compliant: EU data residency
- Token Compression: ~60% cost reduction
The pain of managing security reports across five tabs
Right now, triaging a report feels like juggling. You start on the main dashboard to list submissions, then click into a specific vulnerability to read details, and if you need to update its status, you have to switch to another tab. To communicate with the researcher or your internal team, you copy-paste notes into a separate chat tool. It's slow, error-prone, and takes you out of flow.
With this MCP, all those steps happen in one place. You tell your agent what needs doing—for example, 'Check report 12345 for details and change its state to resolved.' The agent handles the data retrieval and the status update without you ever leaving the conversation window.
HackerOne MCP: Direct Bounties and Triage Status
You don't have to manually award bounties or track payments. You just ask your agent to `award_bounty` for the specific report ID, and it processes the payment record instantly. Need to communicate a status change? Use `change_report_state`—it updates the system and logs an internal note automatically.
What's different now is that you move from being a data copy-paster to a decision-maker. Your agent manages the tedious mechanical steps, letting you focus on what matters: fixing the vulnerability.
What HackerOne MCP does for your AI
This MCP lets you run your vulnerability management workflows inside any AI client. You connect your organization account to get full control over bug bounty programs. Forget switching between report tabs and internal dashboards just to triage a finding. Your agent acts like a dedicated Security Program Manager, handling the day-to-day operations in real time.
You can list all submitted vulnerability reports or retrieve deep details on a specific one. Need to update something? You can change a report's state—marking it as triaged or resolved—and even award bounties directly from the chat. The system also lets you interact with asset definitions, check internal hacktivity feeds for recent discoveries, and monitor payment history.
By connecting through Vinkius, this MCP gives your agent immediate access to all necessary program insights, making communication and workflow management simple.
How to set up HackerOne MCP
The bottom line is you manage complex security programs and communications entirely through conversation, without ever opening the HackerOne website.
Subscribe to this MCP and provide your HackerOne API Token Identifier and Value.
Your AI client connects the credentials, giving it read/write access to your bug bounty program data.
You simply ask your agent to perform an action—like 'List all high-severity reports from last week'—and get instant results.
Who uses HackerOne MCP
This MCP is built for people who live in a constant state of triage. If you're spending your Tuesday afternoons clicking between dashboards to track reports, manage bounties, and update statuses, this tool saves you hours.
You use it to automate the process of awarding bounties, communicating status updates, and keeping a real-time overview of program health.
You rely on it to instantly pull report details and severity ratings during triage, ensuring you don't miss critical information.
You use it to maintain a quick, actionable overview of incoming vulnerabilities and program performance without having to read dozens of detailed reports manually.
Benefits of connecting HackerOne MCP
You instantly get a full list of submitted vulnerability reports and can pull deep details on any single finding using tools like list_reports and get_report. This eliminates the need to navigate multiple program dashboards just to see report metadata.
Bounty management becomes conversational. You can award bounties via award_bounty, update a report's status with change_report_state, or add internal notes using add_report_comment—all in one chat session.
Financial tracking is immediate. Instead of downloading CSV exports, you use list_payments to get the history of bounty payouts and monitor your rewards efficiently right from your agent.
Program scope remains clear. You can list available programs (list_programs) and check defined assets (list_assets) so that every security action is fully scoped before it starts.
Stay up-to-date without clicking anything. Use list_hacktivity to pull the latest internal or public discoveries, keeping your entire team informed on recent activity.
HackerOne MCP use cases
Handling a High-Severity Submission
A researcher submits a high-severity bug. Instead of manually checking the report ID and then opening a ticket to update its status, you ask your agent for details using get_report. You confirm it's critical, use change_report_state to mark it as 'Triaged', and immediately follow up with an internal note via add_report_comment telling the development team what to do next.
Running Monthly Financial Audits
It’s time to audit payouts. Instead of logging into the payments tab, you ask your agent to list all recent bounties using list_payments. You can then cross-reference this data with get_program details to ensure every reward aligns with the active program scope.
Onboarding a New Team Member
A new engineer needs a quick overview of current vulnerabilities. Instead of giving them access to 10 separate reports, you ask your agent to list all open vulnerability submissions (list_reports). The results give them an immediate, actionable snapshot of the program's overall health.
Validating Program Scope
Before starting a new research sprint, you need to ensure coverage. You ask your agent to list all defined assets (list_assets) and compare that against the existing programs using get_program details. This quickly validates if the scope covers everything needed.
HackerOne MCP tradeoffs
What to watch out for, and the recommended way to handle each one.
Manual report tracking
Jumping between HackerOne's main dashboard, the payments tab, and internal ticketing systems to figure out a report's status and who needs to be notified.
Use your agent to pull specific data. First, use get_report for details. Then, if necessary, use add_report_comment or change_report_state. Everything stays in the chat.
Ignoring payment history
Assuming a bounty was paid just because it was reported; having to manually check transaction logs later.
Always use list_payments to get an immediate and accurate historical record of all payouts. This confirms the financial state right away.
Overlooking program boundaries
Attempting to award a bounty or update a report that falls outside the officially defined scope.
First, use list_programs and then check get_program to confirm the official rules. This prevents accidental out-of-scope actions.
When to use HackerOne MCP
Use this MCP if your workflow requires constant switching between status updates, asset checking, bug reporting, and financial tracking for a vulnerability program. You need an agent that acts as a single point of truth for all these functions. Don't use it just because you want to read reports; use get_report or list_reports. If your primary goal is only generating code based on findings, look at generic API connectors instead. This MCP is about operational management and communication flow, not just data retrieval.
Frequently asked questions about HackerOne MCP
How can I list all my open bug bounty reports using HackerOne MCP?
You use the list_reports tool. This function pulls a comprehensive list of every submission tied to your active program, giving you an immediate overview of what needs attention.
Does HackerOne MCP let me change a report status?
Yes, you can use change_report_state. This tool updates the official status of a vulnerability report (like 'Triaged' or 'Resolved') and logs it for compliance records.
How do I check past payments with HackerOne MCP?
To review payouts, use list_payments. This function retrieves the entire history of bounty rewards associated with your program, helping you audit expenses quickly.
Can I add a comment to a report using this MCP?
Yes, that's what add_report_comment is for. You can communicate notes or internal findings directly into the record without needing to open the external platform.
What information does HackerOne MCP provide about programs?
You can use list_programs to see all available programs and get_program for deep details on a specific program's rules, scope, and assets.