# HackerOne MCP

> HackerOne connects your security team directly to bug bounty program operations. Use this MCP to manage vulnerabilities, track assets, and handle payments without leaving your chat window. You can list reports, change their status, add comments, award bounties, and view payment history—all through natural conversation.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** bug-bounty, vulnerability-management, security-research, penetration-testing, incident-response

## Description

This MCP lets you run your vulnerability management workflows inside any AI client. You connect your organization account to get full control over bug bounty programs. Forget switching between report tabs and internal dashboards just to triage a finding. Your agent acts like a dedicated Security Program Manager, handling the day-to-day operations in real time.

You can list all submitted vulnerability reports or retrieve deep details on a specific one. Need to update something? You can change a report's state—marking it as triaged or resolved—and even award bounties directly from the chat. The system also lets you interact with asset definitions, check internal hacktivity feeds for recent discoveries, and monitor payment history. By connecting through Vinkius, this MCP gives your agent immediate access to all necessary program insights, making communication and workflow management simple.

## Tools

### add_report_comment
Allows you to add a specific comment directly to any vulnerability report.

### award_bounty
Processes and awards a bounty payment for a designated vulnerability report.

### change_report_state
Updates the official state of a vulnerability report, such as marking it triaged or resolved.

### get_program
Retrieves detailed information about a specific security program you manage.

### get_report
Pulls comprehensive details for one particular vulnerability report ID.

### list_assets
Generates a list of assets defined in your security programs, helping map out coverage.

### list_hacktivity
Pulls the recent internal or public hacktivity feed to see what's been discovered lately.

### list_payments
Retrieves a history of all bounty payments made through HackerOne.

### list_programs
Shows you a list of bug bounty or VDP programs that are available to your account.

### list_reports
Lists all vulnerability reports submitted within the scope of your current HackerOne program.

## Prompt Examples

**Prompt:** 
```
List all vulnerability reports submitted this week.
```

**Response:** 
```
I've retrieved your reports. You have 5 new submissions this week, including 'SQL Injection in /api/v1/users' (High) and 'BOLA in account settings' (Medium). Would you like to see the details for the High severity report?
```

**Prompt:** 
```
Award a $500 bounty to report ID 12345.
```

**Response:** 
```
Bounty awarded! I've successfully processed a $500 reward for report 12345. The researcher has been notified. Should I add a comment to the report as well?
```

**Prompt:** 
```
Change the state of report 12345 to 'Triaged'.
```

**Response:** 
```
State updated! Report 12345 is now marked as 'Triaged'. I've also added an internal note for the security team. What's the next step for this report?
```

## Capabilities

### Reviewing vulnerability reports
Retrieve lists of submitted bug bounty reports or pull detailed information about a specific finding.

### Managing program assets
List and monitor the defined assets within your security programs to understand what is in scope and how well it is covered.

### Updating report status and communication
Change a report's official state (such as triaged) or add comments to the report, whether internal notes for your team or messages to the researcher.

### Handling payments and bounties
Access the history of bounty payments and award rewards directly for specific vulnerability reports.

### Monitoring program scope
List all available bug bounty or VDP programs you have access to, along with their structured assets.

## Use Cases

### Handling a High-Severity Submission
A researcher submits a high-severity bug. Instead of manually checking the report ID and then opening a ticket to update its status, you ask your agent for details using `get_report`. You confirm it's critical, use `change_report_state` to mark it as 'Triaged', and immediately follow up with an internal note via `add_report_comment` telling the development team what to do next.

### Running Monthly Financial Audits
It’s time to audit payouts. Instead of logging into the payments tab, you ask your agent to list all recent bounties using `list_payments`. You can then cross-reference this data with `get_program` details to ensure every reward aligns with the active program scope.

### Onboarding a New Team Member
A new engineer needs a quick overview of current vulnerabilities. Instead of giving them access to 10 separate reports, you ask your agent to list all open vulnerability submissions (`list_reports`). The results give them an immediate, actionable snapshot of the program's overall health.

### Validating Program Scope
Before starting a new research sprint, you need to ensure coverage. You ask your agent to list all defined assets (`list_assets`) and compare that list against the existing programs using `get_program` details. This quickly confirms whether the scope covers everything needed.

## Benefits

- You instantly get a full list of submitted vulnerability reports and can pull deep details on any single finding using tools like `list_reports` and `get_report`. This eliminates the need to navigate multiple program dashboards just to see report metadata.
- Bounty management becomes conversational. You can award bounties via `award_bounty`, update a report's status with `change_report_state`, or add internal notes using `add_report_comment`—all in one chat session.
- Financial tracking is immediate. Instead of downloading CSV exports, you use `list_payments` to get the history of bounty payouts and monitor your rewards efficiently right from your agent.
- Program scope remains clear. You can list available programs (`list_programs`) and check defined assets (`list_assets`) so that every security action is fully scoped before it starts.
- Stay up-to-date without clicking anything. Use `list_hacktivity` to pull the latest internal or public discoveries, keeping your entire team informed on recent activity.

## How It Works

The bottom line: you manage complex security programs and their communications entirely through conversation, without ever opening the HackerOne website.

1. Subscribe to this MCP and provide your HackerOne API Token Identifier and Value.
2. Your AI client authenticates with those credentials, which gives it read/write access to your bug bounty program data.
3. You simply ask your agent to perform an action—like 'List all high-severity reports from last week'—and get instant results.

## Frequently Asked Questions

**How can I list all my open bug bounty reports using HackerOne MCP?**
You use the `list_reports` tool. This function pulls a comprehensive list of every submission tied to your active program, giving you an immediate overview of what needs attention.

**Does HackerOne MCP let me change a report status?**
Yes, you can use `change_report_state`. This tool updates the official status of a vulnerability report (like 'Triaged' or 'Resolved') and logs it for compliance records.

**How do I check past payments with HackerOne MCP?**
To review payouts, use `list_payments`. This function retrieves the entire history of bounty rewards associated with your program, helping you audit expenses quickly.

**Can I add a comment to a report using this MCP?**
Yes, that's what `add_report_comment` is for. You can communicate notes or internal findings directly into the record without needing to open the external platform.

**What information does HackerOne MCP provide about programs?**
You can use `list_programs` to see all available programs and `get_program` for deep details on a specific program's rules, scope, and assets.