HackerOne MCP Server

Local setup required. This server has to be cloned and prepared on your machine before you register it in Claude Code.
1

Set the server up locally

Run this once to clone and prepare the server before adding it to Claude Code.

Run in terminal
git clone https://github.com/Sicks3c/hackerone-mcp-server.git
cd hackerone-mcp-server
npm install
npm run build
2

Register it in Claude Code

After the local setup is done, run this command to point Claude Code at the built server.

Run in terminal
claude mcp add -e "H1_USERNAME=${H1_USERNAME}" -e "H1_API_TOKEN=${H1_API_TOKEN}" hackerone -- node "<FULL_PATH_TO_HACKERONE_MCP_SERVER>/dist/index.js"

Replace <FULL_PATH_TO_HACKERONE_MCP_SERVER>/dist/index.js with the actual folder you prepared in step 1.

Required:H1_USERNAMEH1_API_TOKEN
README.md

Live access to your HackerOne reports, programs, earnings, and scope data

HackerOne MCP Server

Disclaimer: This is an unofficial, community-built project. It is not affiliated with, endorsed by, or maintained by HackerOne. "HackerOne" is a trademark of HackerOne, Inc. This project simply integrates with their publicly documented Hacker API.

MCP server that gives Claude Code (or any MCP client) live access to your HackerOne reports, programs, earnings, and scope data via the HackerOne API.

Setup

1. Get your HackerOne API token

Go to HackerOne > Settings > API Token and generate one.

2. Install and build

git clone https://github.com/Sicks3c/hackerone-mcp-server.git
cd hackerone-mcp-server
npm install
npm run build

3. Add to Claude Code

claude mcp add hackerone \
  -e H1_USERNAME=your-username \
  -e H1_API_TOKEN=your-api-token \
  -s user \
  -- node /path/to/hackerone-mcp-server/dist/index.js

Or add manually to ~/.claude.json:

{
  "mcpServers": {
    "hackerone": {
      "command": "node",
      "args": ["/path/to/hackerone-mcp-server/dist/index.js"],
      "env": {
        "H1_USERNAME": "your-username",
        "H1_API_TOKEN": "your-api-token"
      }
    }
  }
}

4. Verify

claude
> /mcp
# You should see "hackerone" listed with 9 tools

Tools

Tool Description
search_reports Search and filter your reports by keyword, program, severity, or state
get_report Get full report details by ID (title, vuln info, severity, timestamps)
get_report_with_conversation Get a report with its triage conversation thread
get_report_activities Get activity timeline (comments, state changes, bounties)
list_programs List bug bounty programs you have access to
analyze_report_patterns Analyze your hunting patterns (severity distribution, top programs, weakness types)
get_program_scope Get in-scope assets for a program (asset types, bounty eligibility, severity caps)
get_program_weaknesses Get accepted CWE/weakness types for a program
get_earnings Get your bounty earnings history (amounts, dates, programs)

Usage Examples

Search reports by program:

Search my reports for the ipc-h1c-aws-tokyo-2026 program

Draft a report matching your style:

Find my resolved critical reports and use the same structure to draft a new report for this SSRF I found.

Learn from triage conversations:

Show me the triage conversation on report #2345678. What questions did they ask?

Check program scope before reporting:

What assets are in scope for the uber program?

Track earnings:

Show my recent bounty earnings

Analyze patterns:

Analyze my report patterns — what severity gets resolved most?

How It Works

  • Connects to the HackerOne Hacker API v1 using your personal API token
  • Runs locally over stdio — your credentials never leave your machine
  • Read-only — cannot submit, modify, or delete reports
  • Filtering (program, severity, state, keyword) is done client-side since the hacker API only supports pagination

License

MIT

Tools (9)

search_reportsSearch and filter your reports by keyword, program, severity, or state
get_reportGet full report details by ID
get_report_with_conversationGet a report with its triage conversation thread
get_report_activitiesGet activity timeline including comments, state changes, and bounties
list_programsList bug bounty programs you have access to
analyze_report_patternsAnalyze your hunting patterns like severity distribution and top programs
get_program_scopeGet in-scope assets for a program
get_program_weaknessesGet accepted CWE/weakness types for a program
get_earningsGet your bounty earnings history

Environment Variables

H1_USERNAMErequiredYour HackerOne username
H1_API_TOKENrequiredYour HackerOne API token

Configuration

claude_desktop_config.json
{"mcpServers": {"hackerone": {"command": "node", "args": ["/path/to/hackerone-mcp-server/dist/index.js"], "env": {"H1_USERNAME": "your-username", "H1_API_TOKEN": "your-api-token"}}}}

Try it

Search my reports for the ipc-h1c-aws-tokyo-2026 program
What assets are in scope for the uber program?
Analyze my report patterns — what severity gets resolved most?
Show me the triage conversation on report #2345678
Show my recent bounty earnings

Frequently Asked Questions

What are the key features of HackerOne?

Read-only access to HackerOne reports and triage conversations. Retrieve program scope and accepted weakness types. Analyze personal hunting patterns and severity distributions. Track bounty earnings history. Local execution via stdio for credential security.

What can I use HackerOne for?

Quickly checking if a specific asset is in scope before starting a hunt. Reviewing past triage conversations to improve report writing style. Analyzing historical bounty data to identify which programs are most profitable. Filtering through large volumes of reports to find specific vulnerabilities.

How do I install HackerOne?

Install HackerOne by running: git clone https://github.com/Sicks3c/hackerone-mcp-server.git && cd hackerone-mcp-server && npm install && npm run build

What MCP clients work with HackerOne?

HackerOne works with any MCP-compatible client including Claude Desktop, Claude Code, Cursor, and other editors with MCP support.

Turn this server into reusable context

Keep HackerOne docs, env vars, and workflow notes in Conare so your agent carries them across sessions.

Need the old visual installer? Open Conare IDE.
Open Conare
View all other servers →

Related MCP Servers

Nuclear
Free, open-source music player without ads or tracking.
other17.1K stars
Domain Check
Fast domain availability checker with RDAP/WHOIS lookup and batch checking.
other253 stars
US Government Open Data MCP
MCP Server + TypeScript SDK for 40+ U.S. Government APIs
other90 stars
Garmin Connect
Access your fitness, health, and training data from MCP clients.
other71 stars
BinjaLattice MCP
Secure communication protocol for Binary Ninja and MCP servers
other61 stars
Ghidra Headless MCP
Headless Ghidra server for AI-driven reverse engineering and analysis
other46 stars