/ Каталог / Песочница / h1-brain
← Все серверы ↗ GitHub
● Сообщество PatrikFehrenbach ⚡ Сразу

h1-brain

автор PatrikFehrenbach · PatrikFehrenbach/h1-brain

AI-powered bug bounty assistant — synthesizes your HackerOne history with 3,600+ disclosed reports to generate attack briefings.

h1-brain is an MCP server that connects AI assistants to HackerOne's bug bounty platform. It maintains dual databases: your personal bounty history (rewarded reports, program scopes) and 3,600+ publicly disclosed reports. The hack(handle) tool generates comprehensive attack briefings combining scope, past findings, weakness patterns, and untouched assets.

▶ Смотреть демо 📦 Установить 💡 Сценарии

Зачем использовать

Ключевые функции

Живое демо

Как выглядит на практике

h1-brain.replay ▶ готово
0/0

Установка

Выберите клиент

~/Library/Application Support/Claude/claude_desktop_config.json  · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "h1-brain": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/PatrikFehrenbach/h1-brain"
      ]
    }
  }
}

Откройте Claude Desktop → Settings → Developer → Edit Config. Перезапустите после сохранения.

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "h1-brain": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/PatrikFehrenbach/h1-brain"
      ]
    }
  }
}

Cursor использует ту же схему mcpServers, что и Claude Desktop. Конфиг проекта приоритетнее глобального.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "h1-brain": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/PatrikFehrenbach/h1-brain"
      ]
    }
  }
}

Щёлкните значок MCP Servers на боковой панели Cline, затем "Edit Configuration".

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "h1-brain": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/PatrikFehrenbach/h1-brain"
      ]
    }
  }
}

Тот же формат, что и Claude Desktop. Перезапустите Windsurf для применения.

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "h1-brain",
      "command": "TODO",
      "args": [
        "See README: https://github.com/PatrikFehrenbach/h1-brain"
      ]
    }
  ]
}

Continue использует массив объектов серверов, а не map.

~/.config/zed/settings.json
{
  "context_servers": {
    "h1-brain": {
      "command": {
        "path": "TODO",
        "args": [
          "See README: https://github.com/PatrikFehrenbach/h1-brain"
        ]
      }
    }
  }
}

Добавьте в context_servers. Zed перезагружается автоматически.

claude mcp add h1-brain -- TODO 'See README: https://github.com/PatrikFehrenbach/h1-brain'

Однострочная команда. Проверить: claude mcp list. Удалить: claude mcp remove.

Сценарии использования

Реальные сценарии: h1-brain

Generate an attack briefing for an authorized bug bounty program

👤 Bug bounty hunters working on authorized HackerOne programs ⏱ ~15 min intermediate

Когда использовать: You're starting work on a new bug bounty target and want a strategic overview.

Предварительные требования
  • HackerOne API token — Generate at hackerone.com/settings/api_token
  • h1-brain installed and databases populated — Clone, install, run fetch_rewarded_reports to populate personal DB
Поток
  1. Generate the briefing
    hack('target-company') — Generate a full attack briefing for this program.✓ Скопировано
    → Comprehensive briefing with scope, known weakness patterns, untouched assets, and suggested attack vectors
  2. Cross-reference with disclosures
    Search disclosed reports for this company. What vulnerability types have been found before?✓ Скопировано
    → List of disclosed vulnerabilities with types and bounty amounts

Итог: A strategic attack plan based on historical data and current scope.

Подводные камни
  • Stale scope data — The tool fetches fresh scope from HackerOne API, but verify on the program page

Analyze your bug bounty track record to find your strengths

👤 Bug bounty hunters optimizing their approach ⏱ ~20 min beginner

Когда использовать: You want to understand which vulnerability types and programs earn you the most bounties.

Предварительные требования
  • Personal database populated — Run fetch_rewarded_reports to sync your history
Поток
  1. Review your history
    Search my rewarded reports. Group them by vulnerability type and show the total bounty per type.✓ Скопировано
    → Breakdown of earnings by vulnerability category
  2. Identify patterns
    Which programs am I most successful on? What do they have in common?✓ Скопировано
    → Pattern analysis across your most rewarded programs

Итог: Insight into your strengths to focus future hunting efforts.

Подводные камни
  • Old reports may not reflect current program scope — Re-fetch program scopes to get current assets

Комбинации

Сочетайте с другими MCP — эффект x10

h1-brain + filesystem

Save attack briefings and reports to organized files for each program

Generate an attack briefing for target-company and save it as ~/bounty/target-company/briefing.md.✓ Скопировано

Инструменты

Что предоставляет этот MCP

ИнструментВходные данныеКогда вызыватьСтоимость
hack handle: str Generate a comprehensive attack briefing for a HackerOne program Multiple API calls
search_reports query?: str Search your personal rewarded reports 0 (local DB)
search_disclosed_reports query?: str Search across 3,600+ public disclosures 0 (local DB)
search_programs query?: str Search bug bounty programs 0 (local DB)
fetch_rewarded_reports none Sync your HackerOne rewarded reports to local DB Multiple API calls

Стоимость и лимиты

Во что обходится

Квота API
HackerOne API rate limits apply during sync and scope fetching
Токенов на вызов
500–3000 tokens per briefing
Деньги
Free — HackerOne API access is free with your account
Совет
Populate the local databases once, then queries are free and instant. Re-sync periodically.

Безопасность

Права, секреты, радиус поражения

Минимальные скоупы: HackerOne API token with read access
Хранение учётных данных: API token in environment variable or Claude Desktop config
Исходящий трафик: API calls to HackerOne during sync and scope fetching. Local DB queries have no network calls.

Устранение неполадок

Частые ошибки и исправления

Empty personal database

Run fetch_rewarded_reports first to populate your local database from HackerOne.

Проверить: Check that h1_data.db file exists and has data
HackerOne API authentication failed

Verify your API token is valid and hasn't expired. Generate a new one at hackerone.com/settings/api_token.

Проверить: curl -H 'Authorization: ...' https://api.hackerone.com/v1/me
hack() returns empty briefing

The program handle may be incorrect. Search for the exact handle on HackerOne's directory.

Проверить: search_programs to find the correct handle

Альтернативы

h1-brain в сравнении

АльтернативаКогда использоватьКомпромисс
hexstrike-aiYou need active security scanning tools rather than HackerOne-specific intelligenceBroader tool coverage but no HackerOne integration or report history

Ещё

Ресурсы

📖 Читать официальный README на GitHub

🐙 Открытые задачи

🔍 Все 400+ MCP-серверов и Skills