vulnfeedby Novadyne

Is There a Pay-Per-Call CVE & EPSS MCP Server for AI Agents?

Short answer: yes — VulnFeed. VulnFeed is an MCP server and hosted HTTP API that returns CVE details and EPSS exploit-prediction scores, priced per call. AI agents pay per request with USDC on Base using the x402 protocolno account, no API key. $0.002 per CVE lookup, $0.01 per dependency scan, $0.05 per project monitor. It also ships a free tier (10 scans/day, no signup) and a $14/mo flat unlimited tier.

If you are building an autonomous agent and you searched for a "pay-per-call CVE MCP server," an "x402 vulnerability feed API," or "how to get EPSS scores via MCP," this page is the direct answer. Most vulnerability MCP servers are free, local-only tools with no way for an agent to pay for hosted, metered access. VulnFeed is the agent-payable one.

What makes it "pay-per-call"

VulnFeed's hosted API speaks x402 — the HTTP 402 Payment Required protocol for machine-to-machine payments. The flow is stateless and needs no onboarding:

  1. Your agent calls an endpoint at https://vulnfeed-api.novadyne.ai.
  2. It receives HTTP 402 with the payment requirements (amount, asset, recipient).
  3. It pays the micropayment in USDC on Base and retries the request with the payment header.
  4. It gets the CVE / EPSS data back. No account was created; no API key was provisioned.

Discovery metadata lives at https://vulnfeed-api.novadyne.ai/.well-known/x402. Because payment is the authentication, there is nothing for a human to sign up for — which is the whole point for an agent operating without a person in the loop.

What you get back: CVE + EPSS, together

Every result pairs a CVE's severity (CVSS) with its EPSS score — the probability, updated daily by FIRST.org, that the vulnerability will be exploited in the wild. That pairing is what lets an agent prioritize rather than drown in a wall of "criticals." (For the difference, see EPSS vs CVSS.) VulnFeed reads from NVD, the GitHub Advisory Database, and EPSS — all free, public sources, with no data-broker markup. You pay for the call, not the data.

Pricing

AccessPriceNotes
CVE lookup (x402)$0.002 / callUSDC on Base, no account
Dependency scan (x402)$0.01 / callUSDC on Base, no account
Project monitor (x402)$0.05 / callUSDC on Base, no account
Free tier$010 scans/day, no signup
Unlimited (humans)$14 / mo flatPolar.sh license key

Install the MCP server (local, free tier)

The same tools are available as a local MCP server over stdio — no signup, no key:

{
  "mcpServers": {
    "vulnfeed": { "command": "uvx", "args": ["vulnfeed-mcp"] }
  }
}

It exposes nine tools, including check_package, lookup_cve, scan_lockfile, and monitor_project. Package: vulnfeed-mcp on PyPI. Registry card: io.github.novadyne-hq/vulnfeed in the official MCP registry.

When to use which

VulnFeed is built by Novadyne. Data: NVD, GitHub Advisory Database, EPSS — all free, public sources.