h1-brain by PatrikFehrenbach

AI-powered bug bounty intelligence for HackerOne

Created 1 month ago
255 stars

Top 98.8% on SourcePulse

Project Summary

Summary

h1-brain connects AI assistants like Claude to HackerOne for bug bounty hunting. It consolidates personal bug bounty history, program scopes, and community-disclosed vulnerability data into a local SQLite database, enabling AI-driven analysis and actionable attack briefings for security researchers.

How It Works

An MCP server (server.py) interfaces with the HackerOne API, fetching program scopes and user reports into h1_data.db. It bundles disclosed_reports.db, containing 3,600+ public bounty reports. AI clients use the MCP protocol to query both datasets. The core hack(handle) tool synthesizes this data into comprehensive attack briefings, guiding AI agents in offensive security operations by combining personal insights with community knowledge.

Quick Start & Requirements

  • Primary install/run: Clone repo, set up Python 3.10+ virtual environment, pip install -r requirements.txt, run server.py.
  • Prerequisites: HackerOne API token.
  • Dependencies: mcp, httpx.
  • Setup: Requires cloning, venv setup, dependency installation, and AI client configuration (e.g., Claude Desktop/Code) with server command and credentials. Public reports DB is included.
  • Links: HackerOne API token generation: https://hackerone.com/hacktivity/api

Highlighted Details

  • hack(handle) generates detailed attack briefings integrating live scope, personal findings, weakness patterns, untouched assets, and public disclosures.
  • Maintains two SQLite databases: h1_data.db (private user data) and disclosed_reports.db (public vulnerability write-ups).
  • Offers dedicated tools for querying personal reports (e.g., search_reports) and public disclosures (e.g., search_disclosed_reports).
  • Includes data synchronization tools (fetch_rewarded_reports, fetch_programs) for up-to-date personal data.

Maintenance & Community

Authored by Patrik Grobshäuser. The README does not specify community channels, active contributors, sponsorships, or a public roadmap.

Licensing & Compatibility

  • License: MIT.
  • Compatibility: MIT license permits broad usage, including commercial applications and linking within closed-source projects, requiring only attribution.

Limitations & Caveats

Integration is specific to MCP-compatible AI clients (e.g., Claude Desktop/Code). Users require a HackerOne account and API credentials. Briefing effectiveness depends on data completeness and AI model capabilities.

Health Check

  • Last Commit: 4 days ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 1
  • Issues (30d): 0
  • Star History: 185 stars in the last 30 days
