HackerOne MCP Server
Enables MCP clients like Claude and Codex to interact with HackerOne's API to list and get reports, programs, and scopes.
An MCP (Model Context Protocol) server that connects Claude, Codex, and other MCP clients to the HackerOne Hackers API.
Tools Available
| Tool | Description |
|---|---|
| h1_list_reports | List your reports, filterable by program, state, severity, page |
| h1_get_report | Get full details of a specific report by ID |
| h1_get_program_scopes | Get in-scope and out-of-scope assets for a program |
| h1_get_program | Get program details (policy, bounties, response stats) |
| h1_list_programs | List programs you have access to |
Setup
1. Install dependencies
cd hackerone-mcp
npm install
2. Get your HackerOne API credentials
- Go to https://hackerone.com/settings/api_token/edit
- Create a new API token
- Note your username and the generated token
Configuration
Claude Desktop
Edit your Claude Desktop config file:
- macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
- Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "hackerone": {
      "command": "node",
      "args": ["/absolute/path/to/hackerone-mcp/index.js"],
      "env": {
        "HACKERONE_API_USERNAME": "your_api_token_identifier",
        "HACKERONE_API_TOKEN": "your_api_token"
      }
    }
  }
}
Restart Claude Desktop after saving.
Claude Code (CLI)
Run once to add the MCP server to your Claude Code config:
claude mcp add hackerone \
-e HACKERONE_API_USERNAME=your_api_token_identifier \
-e HACKERONE_API_TOKEN=your_api_token \
-- node /absolute/path/to/hackerone-mcp/index.js
Or set credentials as shell environment variables first:
export HACKERONE_API_USERNAME=your_api_token_identifier
export HACKERONE_API_TOKEN=your_api_token
claude mcp add hackerone -- node /absolute/path/to/hackerone-mcp/index.js
Verify it's registered:
claude mcp list
Codex CLI
Run once to add the MCP server to Codex:
codex mcp add hackerone \
--env HACKERONE_API_USERNAME=your_api_token_identifier \
--env HACKERONE_API_TOKEN=your_api_token \
-- node /absolute/path/to/hackerone-mcp/index.js
Or configure it directly in config.toml:
- macOS/Linux: ~/.codex/config.toml
- Windows: %USERPROFILE%\.codex\config.toml
[mcp_servers.hackerone]
command = "node"
args = ["/absolute/path/to/hackerone-mcp/index.js"]
[mcp_servers.hackerone.env]
HACKERONE_API_USERNAME = "your_api_token_identifier"
HACKERONE_API_TOKEN = "your_api_token"
Verify it's registered:
codex mcp list
In Codex TUI, run /mcp to view active MCP servers.
Other MCP Clients (generic stdio)
Pass the environment variables when launching:
HACKERONE_API_USERNAME=your_api_token_identifier \
HACKERONE_API_TOKEN=your_api_token \
node /path/to/hackerone-mcp/index.js
Or configure your client's MCP settings with:
- command: node
- args: ["/path/to/hackerone-mcp/index.js"]
- env: { "HACKERONE_API_USERNAME": "...", "HACKERONE_API_TOKEN": "..." }
Example prompts
Once connected, you can ask your MCP client (Claude, Codex, etc.) things like:
- "List my open HackerOne reports"
- "Show me all critical severity reports"
- "Get the full details of report 12345"
- "What's in scope for the nodejs program?"
- "Show me the policy and bounty info for the security program"
- "List all programs I have access to"
Security Notes
- Never hardcode your API token in the source files
- Always use environment variables or your client's secrets manager
- Your API token provides full access to your HackerOne account — treat it like a password
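The client configurations above keep the API token in a plaintext file, so that file is worth auditing. The following is an added example, not part of hackerone-mcp: the function names are hypothetical and the sample config is constructed to mirror the README's shape.

```javascript
// Added example, not part of hackerone-mcp. Function names are hypothetical.
// Pure check: `cfg` is the parsed client config, `mode` is the file's st_mode.
function auditMcpConfig(cfg, mode, platform = process.platform) {
  const findings = [];
  const perms = mode & 0o777;
  // Group/other bits let other local accounts read the token (POSIX only).
  if (platform !== "win32" && (perms & 0o077) !== 0) {
    findings.push(`file mode ${perms.toString(8)} is wider than 600`);
  }
  for (const [name, server] of Object.entries(cfg.mcpServers ?? {})) {
    for (const [key, value] of Object.entries(server.env ?? {})) {
      if (/TOKEN|SECRET|PASSWORD/i.test(key) && String(value) !== "") {
        // Report the key path only; never echo the secret itself.
        findings.push(`mcpServers.${name}.env.${key} is stored in plaintext`);
      }
    }
  }
  return findings;
}

// Thin wrapper for a real file, such as claude_desktop_config.json.
function auditMcpConfigFile(file) {
  const fs = require("node:fs");
  const cfg = JSON.parse(fs.readFileSync(file, "utf8"));
  return auditMcpConfig(cfg, fs.statSync(file).mode);
}

// Constructed sample with the same structure as the README's JSON config.
const SAMPLE_CONFIG = {
  mcpServers: {
    hackerone: {
      command: "node",
      args: ["/absolute/path/to/hackerone-mcp/index.js"],
      env: {
        HACKERONE_API_USERNAME: "constructed_identifier",
        HACKERONE_API_TOKEN: "constructed_token",
      },
    },
  },
};
```

A plaintext-token finding remains even at mode 600; it clears only when the token is supplied from the shell environment or a secrets manager instead of the file.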
Reliability settings (optional)
If you see intermittent failures (timeouts, 429 rate limits, transient 5xx), you can tune these environment variables:
- HACKERONE_TIMEOUT_MS (default: 20000): per-request timeout
- HACKERONE_MAX_RETRIES (default: 2): retries for 429/5xx and transient network errors
- HACKERONE_RETRY_BASE_DELAY_MS (default: 400): initial backoff delay
- HACKERONE_RETRY_MAX_DELAY_MS (default: 4000): maximum backoff delay
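How the four reliability variables interact, as an added example that is not hackerone-mcp's own code. Only the variable names and defaults come from the README; the doubling backoff formula and the function names are assumptions.

```javascript
// Added example, not hackerone-mcp's own code. The doubling formula is an
// assumption; only the variable names and defaults come from the README.
function loadRetryConfig(env = process.env) {
  const num = (name, def) => {
    const v = Number.parseInt(env[name] ?? "", 10);
    return Number.isFinite(v) && v >= 0 ? v : def; // fall back on junk input
  };
  return {
    timeoutMs: num("HACKERONE_TIMEOUT_MS", 20000),
    maxRetries: num("HACKERONE_MAX_RETRIES", 2),
    baseDelayMs: num("HACKERONE_RETRY_BASE_DELAY_MS", 400),
    maxDelayMs: num("HACKERONE_RETRY_MAX_DELAY_MS", 4000),
  };
}

// Delay before retry number `attempt` (0-based): base * 2^attempt, capped.
function backoffDelay(attempt, cfg) {
  return Math.min(cfg.maxDelayMs, cfg.baseDelayMs * 2 ** attempt);
}

// 429 and 5xx are retried; other 4xx (bad token, unknown ID) fail at once.
const isRetryable = (status) => status === 429 || (status >= 500 && status <= 599);

// `doFetch` and `sleep` are injectable so the logic can be exercised offline.
async function requestWithRetry(url, init = {}, cfg = loadRetryConfig(),
    doFetch = fetch, sleep = (ms) => new Promise((r) => setTimeout(r, ms))) {
  for (let attempt = 0; ; attempt++) {
    const ctl = new AbortController();
    const timer = setTimeout(() => ctl.abort(), cfg.timeoutMs);
    try {
      const res = await doFetch(url, { ...init, signal: ctl.signal });
      if (!isRetryable(res.status) || attempt >= cfg.maxRetries) return res;
    } catch (err) {
      // Timeouts and network errors are treated as transient.
      if (attempt >= cfg.maxRetries) throw err;
    } finally {
      clearTimeout(timer);
    }
    await sleep(backoffDelay(attempt, cfg));
  }
}
```

With the defaults, a request is attempted at most three times, waiting 400 ms and then 800 ms between attempts under this formula.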