Source IP and User-Agent
Reverse DNS: ec2-44-195-165-192.compute-1.amazonaws.com
User-Agent: SecurityScannerBot/1.0 (+https://securityscanner.dev/scanner)
Operator: Stefan Lederer, Vienna, Austria
Contact: [email protected] / [email protected]
Rate budget per host
Hard caps enforced before any probe fires:
Per 24h sliding window: 500 requests
If a scan would exceed the cap, the remaining probes are dropped and the run is finalised with whatever modules completed cleanly. We never overrun.
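For a site operator who wants to recognise this scanner in their own access logs and check that the published 500-requests-per-24h budget is actually respected, the following is an added example (not code from the scanner or its operator). It parses Apache/nginx "combined" log lines, keys on the User-Agent string given above, and runs a per-source-IP sliding-window count. The sample log lines are constructed and use documentation IP ranges; the reverse-DNS helper only compares a hostname the caller has already looked up, so nothing here touches the network.

```python
"""Spot SecurityScannerBot traffic in a combined-format access log and
check it against the budget the scanner page publishes (500 / 24 h)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values copied from the scanner's page.
SCANNER_UA_PREFIX = "SecurityScannerBot/1.0"
PUBLISHED_RDNS = "ec2-44-195-165-192.compute-1.amazonaws.com"
DAILY_BUDGET = 500
WINDOW = timedelta(hours=24)

# Apache / nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def is_scanner(entry):
    """User-Agent match only. Anyone can send this UA, so confirm the source
    with a forward-confirmed reverse DNS lookup before acting on it."""
    return entry["ua"].startswith(SCANNER_UA_PREFIX)


def rdns_is_published(hostname):
    """True if a reverse-DNS result equals the hostname the scanner page publishes.
    The caller performs the lookup (e.g. socket.gethostbyaddr) so this stays offline."""
    return hostname.rstrip(".").lower() == PUBLISHED_RDNS


def scanner_entries(lines):
    """Parse lines and keep only scanner-UA requests, ordered by timestamp."""
    entries = [e for e in map(parse_line, lines) if e and is_scanner(e)]
    return sorted(entries, key=lambda e: e["ts"])


def budget_violations(entries, budget=DAILY_BUDGET, window=WINDOW):
    """Sliding-window count per source IP. Returns (ip, timestamp, count) for each
    request that pushes that IP's count within `window` above `budget`."""
    recent = defaultdict(deque)
    violations = []
    for e in entries:
        q = recent[e["ip"]]
        while q and e["ts"] - q[0] >= window:  # drop requests older than the window
            q.popleft()
        q.append(e["ts"])
        if len(q) > budget:
            violations.append((e["ip"], e["ts"], len(q)))
    return violations


# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges (RFC 5737), not the scanner's real source address.
_UA = '"SecurityScannerBot/1.0 (+https://securityscanner.dev/scanner)"'
SAMPLE_LOG = [
    f'203.0.113.10 - - [01/Mar/2025:10:00:00 +0000] "GET /.well-known/openapi.json HTTP/1.1" 404 153 "-" {_UA}',
    f'203.0.113.10 - - [01/Mar/2025:10:00:01 +0000] "GET /graphql HTTP/1.1" 405 0 "-" {_UA}',
    f'203.0.113.10 - - [01/Mar/2025:10:00:02 +0000] "GET /admin HTTP/1.1" 302 0 "-" {_UA}',
    f'203.0.113.10 - - [01/Mar/2025:10:00:03 +0000] "GET /.well-known/scanner-optout HTTP/1.1" 200 5 "-" {_UA}',
    '198.51.100.7 - - [01/Mar/2025:10:00:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'203.0.113.10 - - [02/Mar/2025:11:00:00 +0000] "GET /login HTTP/1.1" 200 1024 "-" {_UA}',
]

if __name__ == "__main__":
    hits = scanner_entries(SAMPLE_LOG)
    print(f"{len(hits)} scanner requests in sample")
    # budget=3 is deliberately tiny so the sample trips the check; use the
    # default (500) against a real log.
    for ip, ts, n in budget_violations(hits, budget=3):
        print(f"budget exceeded: {ip} at {ts.isoformat()} ({n} requests in window)")
```

Against a real log the default budget of 500 applies; the fourth request in the sample only trips the check because the call in `__main__` lowers the budget to 3. The request a day later starts a fresh window, which is what a sliding 24h cap should do.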
What the scanner does (and does not do)
The scanner is an external HTTP probe with about 16 modules. It only inspects publicly reachable surfaces:
- HTTP security headers, TLS certificate health, CORS, CSP
- OpenAPI / Swagger / GraphQL endpoint discovery
- Common admin paths and unauthenticated API endpoints
- Webhook signature verification (Stripe, Paddle, LemonSqueezy)
- Supabase row-level-security configuration check (anon-key reads)
- JS bundle inspection for hardcoded credentials
- Login rate-limit testing (a small burst against published login URLs)
- Single low-token prompt-injection probe against LLM-shaped endpoints
It does not authenticate, does not exploit, does not exfiltrate, does not pivot, does not persist, does not modify state, and does not run any module that costs the target money.
Disclosure pipeline
When we find HIGH or CRITICAL findings, we try to email the app owner before publishing anything. The methodology and the disclosure-coverage problem (53% of vulnerable apps have no contact path) are documented at /blog/1630-vulnerable-apps-855-no-contact-path.
Data retention
- One-shot scans on our service: results retained 90 days, then auto-purged
- Customer-paid scans: retained for the lifetime of the customer's account
- Inbox / disclosure correspondence: retained 24 months for accountability
- Hosts that opt out (any of the routes below) have all findings deleted within 24 hours
How to opt out
Three routes, any one of them works. All purge existing findings and prevent future scans within 24 hours.
- Email [email protected] with the host or domain you want excluded.
- Reply "stop" (any case) to a disclosure email we sent you.
- Publish a non-empty file at /.well-known/scanner-optout on the host.
- Or use the form below.
Opt out by hostname
Enter the host (with or without a scheme). We add it to the permanent exclusion list, delete any prior findings, and block future scans.
If you saw the scanner do something unexpected
Email [email protected] with as much detail as you can share (timestamp, source IP we hit you from, sample request log line). I respond within 24 hours.