GameZoneHacker/HackerOne-MCP
HackerOne MCP

A comprehensive Model Context Protocol server for the HackerOne API. It exposes both the Hacker API (researcher self-view) and the Customer API (program owner / triager) surfaces as MCP tools, plus offline tooling for full-text search over publicly-disclosed reports and an attack-briefing workflow.

Drop it into any MCP-compatible client (Claude Code, Claude Desktop, etc.) and drive HackerOne from natural language: triage reports, award bounties, study disclosed write-ups, or build a recon briefing for a program.

Features

  • 48 tools, all namespaced hackerone_* to avoid collisions with other MCP servers.
  • Hacker API — your profile, programs you can access, scopes, weaknesses, balances, earnings, payouts, hacktivity, and report submission/search.
  • Customer API — report triage, state changes, comments, bounty/swag awards, participants, retest/disclosure requests, audit log, program members, bounty tables, and more (requires appropriate program permissions).
  • Offline disclosed-report search — full-text (SQLite FTS5) search over a local cache of publicly-disclosed reports, for studying real-world exploitation techniques.
  • hackerone_hack briefing — pulls fresh scopes, cross-references your past findings, suggests weakness types that paid off elsewhere, and surfaces relevant disclosed reports.
  • Escape hatch: hackerone_api_request for any endpoint not yet wrapped by a tool.
  • Markdown or JSON responses, automatic pagination, and 429 rate-limit retries.

Requirements

  • Python 3.10+
  • A HackerOne account with an API token

Installation

git clone <your-fork-url> HackerOne-MCP
cd HackerOne-MCP

python3 -m venv venv
source venv/bin/activate          # Windows: venv\Scripts\activate
pip install -r requirements.txt

Authentication

HackerOne uses HTTP Basic Auth where the username is your API identifier and the password is your API token. Create a token at https://hackerone.com/settings/api_token/edit and provide both values via environment variables:

Variable        Description
H1_USERNAME     Your API identifier
H1_API_TOKEN    Your API token
H1_BASE_URL     Optional. Defaults to https://api.hackerone.com/v1

Never commit your token. Keep it in your MCP client config or a .env file (already git-ignored).
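As an added example (not the project's own code), this is how the Basic Auth credentials described above can be assembled from the H1_* variables and how a 429 response is retried before giving up. The function names, the use of the Retry-After header and the exponential fallback delay are assumptions, not something the server is documented to do.

```python
import base64
import os
import time
import urllib.error
import urllib.request

DEFAULT_BASE_URL = "https://api.hackerone.com/v1"  # same default as H1_BASE_URL


def load_config(env=os.environ):
    """Read the three H1_* variables; fail early rather than send an empty token."""
    username, token = env.get("H1_USERNAME"), env.get("H1_API_TOKEN")
    if not username or not token:
        raise RuntimeError("H1_USERNAME and H1_API_TOKEN must both be set")
    base_url = env.get("H1_BASE_URL", DEFAULT_BASE_URL).rstrip("/")
    return {"username": username, "token": token, "base_url": base_url}


def basic_auth_header(username, token):
    """HTTP Basic: base64("<api identifier>:<api token>")."""
    raw = f"{username}:{token}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def make_sender(cfg, path):
    """Return a zero-arg callable that performs one GET and yields (status, headers, body)."""
    url = cfg["base_url"] + path
    headers = {"Authorization": basic_auth_header(cfg["username"], cfg["token"]),
               "Accept": "application/json"}

    def send():
        req = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, dict(resp.headers), resp.read().decode()
        except urllib.error.HTTPError as err:  # 4xx/5xx are raised, not returned
            return err.code, dict(err.headers), err.read().decode()
    return send


def request_with_retry(send, max_retries=3, sleep=time.sleep):
    """Call send(); on 429 wait Retry-After seconds (assumed header; else 2**attempt) and retry."""
    for attempt in range(max_retries + 1):
        status, headers, body = send()
        if status != 429:
            return status, body
        if attempt == max_retries:
            break
        sleep(float(headers.get("Retry-After", 2 ** attempt)))
    raise RuntimeError(f"still rate limited after {max_retries} retries")
```

A real call is `request_with_retry(make_sender(load_config(), "/me"))`; the sender is injectable so the retry logic can be exercised without network access.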

Usage

Register the server with your MCP client. An example .mcp.json is included in this repo:

{
  "mcpServers": {
    "hackerone-mcp": {
      "type": "stdio",
      "command": "$PWD/venv/bin/python",
      "args": ["$PWD/server.py"],
      "env": {
        "H1_USERNAME": "your-api-identifier",
        "H1_API_TOKEN": "your-api-token"
      }
    }
  }
}

Replace the placeholder values, and adjust the paths to point at your virtualenv's Python and server.py. For Claude Desktop, add an equivalent entry to its claude_desktop_config.json.

You can also run the server directly to confirm it starts:

H1_USERNAME=... H1_API_TOKEN=... ./venv/bin/python server.py

Local data

The server creates two local SQLite databases next to server.py:

  • h1_data.db — a cache populated by the fetch tools (your rewarded reports, programs, and scopes).
  • disclosed_reports.db — an offline cache of publicly-disclosed reports used by hackerone_search_disclosed_reports and hackerone_get_disclosed_report. Populate it yourself; the search tools return empty results until it contains data.

Both files are git-ignored because they can contain private report and program data.

Tool overview

Area                 Example tools
Profile & access     hackerone_get_me, hackerone_list_hacker_programs, hackerone_list_hacker_invitations
Programs & scopes    hackerone_get_program, hackerone_fetch_program_scopes, hackerone_list_scope_exclusions, hackerone_get_program_weaknesses
Reports (hacker)     hackerone_create_report, hackerone_search_my_reports, hackerone_get_my_report, hackerone_get_report_live
Triage (customer)    hackerone_change_state, hackerone_add_comment, hackerone_award_bounty, hackerone_award_swag, hackerone_request_retest, hackerone_escalate_report
Finance              hackerone_get_payment_balance, hackerone_list_earnings, hackerone_list_payouts, hackerone_get_program_balance
Research             hackerone_get_hacktivity, hackerone_search_disclosed_reports, hackerone_get_disclosed_report, hackerone_hack
Escape hatch         hackerone_api_request

Disclaimer

This is an unofficial, community project and is not affiliated with or endorsed by HackerOne. Use it only against programs and assets you are authorized to test, and in accordance with HackerOne's terms and each program's policy.

License

Released under the MIT License.
