Read-only by design.
A free or deep scan never runs an exploit — it probes, observes and reports. We don't store the contents of your app. Active attack-simulation probes run only with your explicit consent and only against domains you own. Found something in someone else's app? We follow responsible disclosure.
Our posture
Found a vulnerability? Tell us.
Email us at security@bleek.dev with a description of the issue, steps to reproduce, and (ideally) the impact. We respond within 2 business days.
Please do not run automated exploitation, do not test on user data you don't own, and don't post details publicly before we've confirmed the fix.
We don't run a paid bug bounty yet, but we credit every reporter in our changelog with their permission.
Machine-readable contact at /.well-known/security.txt per RFC 9116.