About
Why we built this.
Leakwarden exists because we got the email twice in two months. A friendly security researcher pinged us about an exposed .git/config on one of our own production hosts. Then another one. Same class of issue, both times — public-facing webserver, dotfile leaking, credentials harvestable by anyone willing to curl.
Both researchers used a free-disclosure-plus-tip-jar model. It works, but it scales badly: there are far more leaky deployments than there are humans willing to send polite emails about them, and there are far more developers who'd happily pay $9 to be told before someone else finds it.
We have the infrastructure. We have the problem-domain familiarity. We have, embarrassingly, the lived experience of being on the receiving end. So we're building the friendly version of the scanner.
What we won't do
- ✕ Make payment a condition of telling you about a leak we found.
- ✕ Scan domains you don't own without a published bounty program inviting us.
- ✕ Email full credential values — even to the legitimate owner. Last-4 + length is enough.
- ✕ Scan hard enough to look like an attacker. We cap at ≤2 req/s/host, and regulated TLDs are blocked at the engine.
What we will do
- ✓ Run a real free tier — same surface checks, no feature-locked teaser.
- ✓ Honor robots.txt on premium scans. Free-tier scans hit a fixed, pre-known path list and never crawl.
- ✓ Auto-purge findings: 7 days for free scans, 90 days for paid, longer only on an active monitoring sub.
- ✓ Operate the disclosure pipeline behind a human review gate. No automated outreach. Ever.
Who's behind this
Leakwarden is a one-person side project run out of gorgan.dev. It runs on infrastructure that already powers half a dozen other small projects. The scanner is built on Nuclei and a handful of custom checks. No reinventing wheels.