Scanning Policy & Responsible Disclosure
LAST UPDATED: APRIL 2026
LeakTrace operates an automated digital-exposure scanner that examines public-facing internet infrastructure for indicators of security risk. This page explains exactly what we do, what we do not do, and how to opt out if you do not want your domain scanned.
What our scanner does
For every domain we scan, we perform standard reconnaissance-tier checks against the public-facing surface of the domain — the same surface that any internet user, security researcher, or attacker can already see with no credentials. Specifically:
- DNS, MX, SPF, DKIM, and DMARC record lookups
- TLS / SSL certificate inspection
- HTTP response header analysis
- Public homepage and JavaScript file retrieval (the same content a browser receives)
- Pattern-matching of public JavaScript for hardcoded API key formats
- Probing of well-known administrative and configuration endpoints (e.g., /.env, /.git/config) to detect whether they are publicly accessible
- Public Certificate Transparency log lookups
- Public WHOIS data retrieval
- Lookups against publicly-disclosed credential-breach databases
- Public cloud-storage bucket existence checks against common naming patterns
- JavaScript library version fingerprinting against known-CVE databases
What our scanner does not do
We are a detection-only scanner. We do not exploit any vulnerability we discover. Specifically, we never:
- Use any discovered API key, credential, token, or password to make a follow-up request
- Modify, delete, or write any data on a scanned target
- Bypass any authentication mechanism
- Download the contents of any cloud storage bucket we detect
- Enumerate user accounts beyond a 3-account proof-of-leak
- Perform brute-force, password-guessing, or denial-of-service activity
- Access any resource that requires authentication
How to identify our scanner
All HTTP requests originating from our scanner use a polite User-Agent string identifying us:
LeakTrace-Scanner/1.0 (security audit; contact: [email protected])
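A domain owner who wants to confirm what the scanner touched can match that User-Agent in their own web-server access logs. The following is an added example, not LeakTrace's code: it parses combined-format access log lines (constructed sample lines below, not real traffic), keeps only requests whose User-Agent starts with the LeakTrace-Scanner product token, and reports which of the well-known sensitive paths named above (/.env, /.git/config, generalized here to any dotfile path, which is this example's assumption) were probed and whether the server answered 2xx, i.e. whether the file was actually exposed. The contact address inside the sample User-Agent is copied as the page shows it.

```python
import re

# Constructed sample access-log lines in Apache/nginx "combined" format; not real traffic.
# The contact address in the scanner User-Agent is copied as the page shows it.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2026:09:14:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [12/Apr/2026:09:15:31 +0000] "GET /.env HTTP/1.1" 404 153 "-" "LeakTrace-Scanner/1.0 (security audit; contact: [email protected])"
198.51.100.7 - - [12/Apr/2026:09:15:32 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "LeakTrace-Scanner/1.0 (security audit; contact: [email protected])"
198.51.100.7 - - [12/Apr/2026:09:15:33 +0000] "GET /app.js HTTP/1.1" 200 88120 "-" "LeakTrace-Scanner/1.0 (security audit; contact: [email protected])"
192.0.2.44 - - [12/Apr/2026:09:20:05 +0000] "GET /.env HTTP/1.1" 403 0 "-" "curl/8.4.0"
"""

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Product token from the policy page; match on the prefix so a version bump still matches.
SCANNER_UA_PREFIX = "LeakTrace-Scanner/"

# Paths named on the page. Treating every dotfile path as sensitive is this example's assumption.
SENSITIVE_PATHS = {"/.env", "/.git/config"}


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_sensitive(path):
    """True for the configuration/dotfile paths a scanner probes."""
    bare = path.split("?", 1)[0]
    return bare in SENSITIVE_PATHS or bare.startswith("/.")


def summarize_scanner_activity(log_text):
    """Summarize requests carrying the scanner User-Agent.

    Returns source IPs, request count, every sensitive path probed with its
    status code, and the subset that the server actually served (2xx).
    """
    report = {"scanner_ips": set(), "requests": 0, "probed": [], "exposed": []}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not entry["ua"].startswith(SCANNER_UA_PREFIX):
            continue
        report["requests"] += 1
        report["scanner_ips"].add(entry["ip"])
        if is_sensitive(entry["path"]):
            report["probed"].append((entry["path"], entry["status"]))
            if 200 <= entry["status"] < 300:
                report["exposed"].append(entry["path"])
    return report


if __name__ == "__main__":
    r = summarize_scanner_activity(SAMPLE_LOG)
    print(f"{r['requests']} scanner requests from {sorted(r['scanner_ips'])}")
    for path, status in r["probed"]:
        print(f"  probed {path} -> {status}")
    if r["exposed"]:
        print("EXPOSED (served 2xx):", ", ".join(r["exposed"]))
```

The point of the `exposed` list is that a probe alone is harmless; a 2xx on /.git/config means the repository metadata is being served to anyone, which is the finding the owner needs to fix regardless of who discovered it. The unrelated `curl` request for /.env is ignored because it lacks the scanner's User-Agent, so the summary reflects only this scanner's activity.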
How to opt out
If you do not wish your domain to be scanned by LeakTrace, email [email protected] from any address at the domain in question (or from any address with provable authority over the domain) and request removal. We will:
- Add the domain to our permanent do-not-scan list within 24 hours
- Confirm via email when the removal is complete
- Stop all future scanning of the domain and its subdomains
Coordinated disclosure — exposure found in a third party
Occasionally during a customer Scope audit, LeakTrace will discover an exposure that does not belong to the customer — for example, a publicly-exposed credential in a third-party vendor used by the customer, or a misconfiguration on a partner organization's domain. Our handling of these findings:
- The finding is reported confidentially to the LeakTrace customer who commissioned the scan, the same as any other finding in their report.
- LeakTrace will not directly contact the affected third party without the customer's permission, and will not publicly disclose the finding.
- Where the customer wishes to notify the third party, LeakTrace can provide a redacted technical description suitable for forwarding, on request.
- Where the exposure represents an active, ongoing risk to the public (for example, an actively-leaking public bucket holding consumer data of a non-customer), LeakTrace reserves the right, after a 30-day customer-notification window, to disclose responsibly to the affected third party under our standard [email protected] coordinated-disclosure process, regardless of the customer's preference. We will inform the customer in writing before doing so.
- We never disclose to law enforcement, regulators, journalists, or competitors of the affected third party without an explicit legal obligation to do so.
If you are a third-party organization that believes LeakTrace holds information about an exposure affecting you, email [email protected]. We will respond within 72 hours and, where appropriate, share what we can without breaching customer confidentiality.
Reporting a vulnerability in LeakTrace
If you have discovered a security vulnerability in any LeakTrace property (getleaktrace.com or any subdomain or product surface), please report it to [email protected]. We commit to:
- Acknowledge your report within 72 hours
- Provide a status update within 7 days
- Resolve confirmed critical issues within 30 days
- Credit you publicly (if you wish) in the Acknowledgments section below
We do not currently operate a paid bug-bounty program, but we deeply appreciate responsibly disclosed reports.
Legal posture
Our scanning activity is reconnaissance-tier and is conducted in accordance with industry standards established by major commercial vulnerability scanners (Tenable, Qualys, Rapid7, and others). We rely on public, unauthenticated access to infrastructure that is, by definition, publicly served by the target. We do not exceed authorized access as defined under the U.S. Computer Fraud and Abuse Act, Canadian Criminal Code section 342.1, the U.K. Computer Misuse Act 1990, or analogous statutes in other jurisdictions.
If you are a domain owner with concerns about a specific scan, contact us. We can provide scan logs and answer any questions about our methodology.
Acknowledgments
We thank all security researchers who have responsibly disclosed issues to us. (No public acknowledgments at this time.)