Skip to content

bountylens/mcp

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
.github
.github
 
 
src
src
 
 
.gitignore
.gitignore
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
glama.json
glama.json
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
tsconfig.json
tsconfig.json
 
 

Repository files navigation

@bountylens/mcp

MCP server for BountyLens — connect Claude Code to your Hunter Tracker.

Push findings, leads, tested endpoints, and full report drafts directly from your terminal to the BountyLens dashboard. Everything you log during a hunt session appears in real-time in the web UI with an MCP badge.

Quick Start

1. Get an API key

Go to bountylens.com/dashboard/settingsIntegrationsGenerate New API Key.

Copy the key — it's only shown once.

2. Add to Claude Code

Add to your MCP config at ~/.claude/.mcp.json:

{
  "mcpServers": {
    "bountylens": {
      "command": "npx",
      "args": ["-y", "@bountylens/mcp"],
      "env": {
        "BOUNTYLENS_API_KEY": "bl_your_key_here"
      }
    }
  }
}

3. Restart Claude Code

The BountyLens tools will be available immediately. No other setup needed.

Tools

Sessions

Tool Description
bountylens_list_sessions List hunt sessions — filter by status (active/paused/completed) or program_id
bountylens_create_session Start a new hunt session with a title and optional program
bountylens_get_session Get a session with all its entries and counts
bountylens_update_session Update title, status, or notes
bountylens_delete_session Permanently delete a session and all its entries and reports

Entries

Tool Description
bountylens_list_entries List entries in a session — filter by type (tested/lead/finding/note)
bountylens_add_finding Log a validated finding with severity, endpoint, method, and description
bountylens_add_lead Log a promising lead that needs further investigation
bountylens_add_tested Mark an endpoint or feature as tested
bountylens_add_note Add a freeform note to the session
bountylens_update_entry Update an entry's title, description, status, or severity
bountylens_delete_entry Remove an entry
bountylens_bulk_add_entries Add up to 50 entries in one call — for batch logging findings, leads, or tested endpoints

Reports

Tool Description
bountylens_draft_report Create a report draft — include summary, steps to reproduce, impact, and remediation
bountylens_list_reports List all report drafts in a session
bountylens_update_report Edit a report's title, body, or status (draft/ready/submitted)
bountylens_delete_report Permanently delete a report

Programs

Tool Description
bountylens_search_programs Search bug bounty programs by name or handle

Usage Examples

During a hunt in Claude Code, the LLM uses these tools automatically based on your instructions:

"List my active sessions"
→ bountylens_list_sessions with status=active

"Save this XSS finding to my Shopify session"
→ bountylens_add_finding with title, severity, endpoint, description

"What leads do I have open on the Uber hunt?"
→ bountylens_list_entries with type=lead

"Mark /api/auth as tested, CSRF tokens are present"
→ bountylens_add_tested with endpoint and description

"Draft a report for the SSRF finding"
→ bountylens_draft_report with full report body

"Push reports/ssrf-uber.md to my Uber session"
→ reads the file, calls bountylens_draft_report with contents

Environment Variables

Variable Required Default Description
BOUNTYLENS_API_KEY Yes API key from dashboard settings
BOUNTYLENS_URL No https://bountylens.com Custom instance URL (self-hosted)

API Reference

The MCP server wraps the BountyLens API v1. All endpoints require a Bearer token in the Authorization header.

GET    /api/v1/sessions                         — list sessions
POST   /api/v1/sessions                         — create session
GET    /api/v1/sessions/:id                      — get session + entries
PUT    /api/v1/sessions/:id                      — update session
DELETE /api/v1/sessions/:id                      — delete session
GET    /api/v1/sessions/:id/entries              — list entries
POST   /api/v1/sessions/:id/entries              — create entry
POST   /api/v1/sessions/:id/entries/bulk         — bulk create entries (max 50)
PUT    /api/v1/sessions/:id/entries/:entryId     — update entry
DELETE /api/v1/sessions/:id/entries/:entryId     — delete entry
GET    /api/v1/sessions/:id/reports              — list reports
POST   /api/v1/sessions/:id/reports              — create report
PUT    /api/v1/sessions/:id/reports/:reportId    — update report
DELETE /api/v1/sessions/:id/reports/:reportId    — delete report
GET    /api/v1/programs?q=search                 — search programs

Rate limit: 60 requests/minute per API key.

Security

  • API keys are SHA-256 hashed in the database — never stored in plaintext
  • Keys are shown once on creation and cannot be retrieved
  • All queries are parameterized — no SQL injection
  • Every request verifies resource ownership — no IDOR
  • Pro subscription is validated on every API call
  • Rate limited to prevent abuse

Requirements

  • Node.js 18+
  • BountyLens Pro subscription
  • API key from the dashboard

Contributing

We welcome contributions. See CONTRIBUTING.md for guidelines.

License

MIT — see LICENSE

About

BountyLens MCP server — connect Claude Code to your Hunter Tracker

Resources

Readme

License

MIT license

Contributing

Contributing
Activity
Custom properties

Stars

65 stars

Watchers

0 watching

Forks

13 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages