Scanner safety
How the scanner keeps your app safe
The free scan reads only what a browser already downloads from your app and checks your database access from the outside, the way an anonymous visitor would. Here is exactly what it does, and what it will never do.
Read-only checks
The scan reads only what a browser already downloads from your app. It never logs in on the public path.
No destructive probes
The public scan never writes, never changes data, and never runs a write test of any kind. Write checks run only in the deeper check you explicitly authorize.
Redacted findings
Any sample evidence is redacted before you see it. We do not store or display your users' data.
Rate limited
Scans are limited per visitor and per target, so the scanner cannot be used to hammer an app.
SSRF guarded
Every submitted URL is validated and its hostname resolved before any request is sent, and private, internal, and cloud metadata addresses are refused.
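The shape of that guard, as an added example that is not the scanner's own code: the URL is parsed, only http and https are accepted, the host is resolved, and every returned address (with IPv4-mapped and 6to4 IPv6 forms unwrapped) is checked against the blocked ranges before anything is fetched. The hostnames, the FAKE_DNS table and the resolver hook are constructed for this example; a real deployment would use the default resolver.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a scan target may never resolve to: loopback, RFC 1918 private space,
# carrier-grade NAT, link-local (which contains the 169.254.169.254 cloud metadata
# endpoint), benchmarking, multicast, reserved, plus the IPv6 equivalents
# (unique-local fc00::/7 also covers AWS's fd00:ec2::254 metadata address).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "64:ff9b::/96", "fc00::/7", "fe80::/10", "ff00::/8",
)]


class UnsafeTarget(ValueError):
    """Raised when a URL must not be fetched by the scanner."""


def _is_blocked(ip):
    # IPv4-mapped (::ffff:a.b.c.d) and 6to4 (2002::/16) addresses embed an IPv4
    # address; check the embedded address so they cannot smuggle a private range.
    if isinstance(ip, ipaddress.IPv6Address):
        inner = ip.ipv4_mapped or ip.sixtofour
        if inner is not None:
            return _is_blocked(inner)
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_all(host):
    """Default resolver: every A/AAAA answer for host (a name may have several)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def validate_scan_target(url, resolver=resolve_all):
    """Return (host, pinned_ip) for a URL that is safe to fetch, else raise UnsafeTarget."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeTarget(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise UnsafeTarget("credentials in the URL are not allowed")
    host = parts.hostname  # lower-cased, IPv6 brackets stripped
    if not host:
        raise UnsafeTarget("missing host")

    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None

    if literal is not None:
        addrs = [literal]
    else:
        if host == "localhost" or host.endswith(".localhost"):
            raise UnsafeTarget("localhost is not allowed")
        # Odd spellings such as "2130706433" or "0x7f000001" are not IP literals
        # to ipaddress but libc may resolve them to 127.0.0.1; checking every
        # resolved address (rather than the spelling) catches that.
        addrs = resolver(host)
        if not addrs:
            raise UnsafeTarget("host does not resolve")

    for ip in addrs:
        if _is_blocked(ip):
            raise UnsafeTarget(f"{host} resolves to blocked address {ip}")

    # Pin the first vetted address: the fetcher should connect to it directly and
    # send the Host header itself, so a second lookup cannot rebind the name.
    return host, str(addrs[0])


def rejection_reason(url, resolver=resolve_all):
    """Convenience wrapper: the rejection message, or None when the URL is allowed."""
    try:
        validate_scan_target(url, resolver)
    except UnsafeTarget as exc:
        return str(exc)
    return None


# Constructed DNS answers so the example runs offline (hypothetical names).
FAKE_DNS = {
    "app.example": [ipaddress.ip_address("203.0.113.10")],
    "intranet.example": [ipaddress.ip_address("10.1.2.3")],
    "dual.example": [ipaddress.ip_address("203.0.113.11"),
                     ipaddress.ip_address("::ffff:169.254.169.254")],
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("https://app.example/login", "http://169.254.169.254/latest/meta-data/",
              "http://dual.example/", "http://[::ffff:10.0.0.1]/", "file:///etc/passwd"):
        print(u, "->", rejection_reason(u, fake_resolver) or "allowed")
```

Two things the guard alone does not cover: the same validation has to run again on every redirect the target returns, and the fetcher must actually connect to the pinned address rather than re-resolving the name, otherwise a DNS rebinding answer between the check and the request reopens the hole.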
No public disclosure
Findings are private to you. We never publish them or share them without your say-so.
Found something and not sure it is safe to share? Responsible disclosure is welcome at security@task-bounty.com.
What the scanner does not check
- It does not log in or test access control on the public path. Proving who can read whose data is left to the deeper, authenticated check you explicitly authorize.
- It does not run write, update, or destructive probes against your app on the public path.
- It only checks the public URL you submit. It never scans private, internal, or metadata addresses.
- It is not a full penetration test, and a clean scan is a good sign, not a guarantee that your app is secure.