Read-only by design.

A free or deep scan never runs an exploit — it probes, observes and reports. We don't store the contents of your app. Active attack-simulation probes run only with your explicit consent and only against domains you own. Found something in someone else's app? We follow responsible disclosure.

Our posture

Strict transport security

HSTS with includeSubDomains + preload (max-age 2 years). Browsers refuse plain HTTP on any bleek.dev subdomain.

Content Security Policy

Tight CSP on every page — no wildcard script sources. Working toward nonce-based scripts to drop `unsafe-inline`.

No source maps in production

Production builds ship without `.map` files so our source isn't browsable.

Read-only scanner

We probe and observe. We never run exploits. We never write to your app.

Session-replay input masking

PostHog session replay runs with maskAllInputs:true. We never record what visitors type.

Email auth (SPF · DKIM · DMARC)

DMARC at p=quarantine on our root domain. Outbound mail signed with DKIM. Stops impersonation in transit.

Found a vulnerability? Tell us.

Email us at security@bleek.dev with a description of the issue, steps to reproduce, and (ideally) the impact. We respond within 2 business days.

Please do not run automated exploitation, do not test on user data you don't own, and don't post details publicly before we've confirmed the fix.

We don't run a paid bug bounty yet, but we credit every reporter in our changelog with their permission.

Machine-readable contact at /.well-known/security.txt per RFC 9116.