Scanner safety

How the scanner keeps your app safe

The free scan reads only what a browser already downloads and checks your database access from the outside. Here is exactly what it does, and what it will never do.

Read-only checks

The scan reads only what a browser already downloads from your app. It never logs in on the public path.

No destructive probes

The public scan never writes, never changes data, and never runs a write test. Write checks only ever run in the deeper check you explicitly authorize.

Redacted findings

Any sample evidence is redacted before you see it. We do not store or display your users' data.

Rate limited

Scans are limited per visitor and per target, so the scanner is never used to hammer an app.

SSRF guarded

Every URL is validated and resolved, and private, internal, and metadata addresses are blocked.
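As an added illustration of the validate-and-resolve guard described above (this is example code, not the scanner's own implementation), the Python below parses a submitted URL, restricts it to http(s) without embedded credentials, resolves the host to every address it has, and refuses the target if any address is private, loopback, link-local (which covers the 169.254.169.254 cloud metadata endpoint), multicast, reserved, or otherwise not globally routable. The hostname table and the function names are assumptions constructed for an offline run.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Constructed lookup table so the example runs offline; a real deployment
# would use system_resolver below. Addresses are illustrative only.
CONSTRUCTED_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "meta.test": ["169.254.169.254"],
    "dual.test": ["93.184.216.34", "127.0.0.1"],  # mixed public/private answer
}


def constructed_resolver(host):
    """Offline stand-in for DNS; raises like getaddrinfo on unknown names."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return CONSTRUCTED_DNS[host]


def system_resolver(host):
    """Resolve every A/AAAA record for host with the system resolver."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def is_blocked_address(ip):
    """True if ip is private, loopback, link-local (incl. 169.254.169.254),
    multicast, reserved, unspecified, or not globally routable."""
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
        or not ip.is_global
    )


def check_url(url, resolver=system_resolver):
    """Validate a submitted URL and resolve its host.

    Returns (allowed, reason, addresses). allowed is True only when the
    scheme is http(s), a host is present, no credentials are embedded, and
    every address the host resolves to is globally routable."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}", []
    host = parsed.hostname  # lower-cased, brackets stripped, port removed
    if not host:
        return False, "missing host", []
    if parsed.username or parsed.password:
        return False, "credentials in URL are not allowed", []

    # A literal IP skips DNS; a hostname is resolved to all of its records.
    try:
        addresses = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"could not resolve {host}: {exc}", []
    if not addresses:
        return False, f"{host} has no addresses", []

    # Reject if ANY record is internal: a mixed public/private answer must
    # not pass just because one of the records is public.
    as_text = [str(a) for a in addresses]
    for ip in addresses:
        if is_blocked_address(ip):
            return False, f"{host} resolves to blocked address {ip}", as_text
    return True, "ok", as_text


if __name__ == "__main__":
    for candidate in ("https://example.com/login", "http://meta.test/latest/",
                      "http://dual.test/", "http://[::ffff:10.0.0.1]/"):
        print(candidate, "->", check_url(candidate, constructed_resolver)[:2])
```

Two points this check does not cover on its own: the request should be sent to the address that passed validation rather than re-resolving the name at connect time (otherwise a changed DNS answer between check and connect defeats the guard), and any redirect the target returns must go through `check_url` again before it is followed.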

No public disclosure

Findings are private to you. We never publish them or share them without your say-so.

Found something and not sure it is safe to share? Responsible disclosure is welcome at security@task-bounty.com.

What the scanner does not check

  • It does not log in or test access control on the public path. Proving who can read whose data is the deeper authenticated check you explicitly authorize.
  • It does not run write, update, or destructive probes against your app on the public path.
  • It only checks the public URL you submit. It never scans private, internal, or metadata addresses.
  • It is not a full penetration test, and a clean scan is a good sign, not a guarantee your app is secure.