Disclosure recipient
Did you get an email from us?
If you received an unsolicited email from Leakwarden about a security finding on your domain, this page exists to verify it's real, explain what we do, and tell you exactly how to opt out. Take a minute. We'll wait.
Verifying the email is genuine
Real Leakwarden disclosure emails always have all of these properties:
- ✓ Sender: [email protected]. The display name will say "Leakwarden".
- ✓ Every link points to leakwarden.com (no link shorteners, no third-party domains).
- ✓ Includes the literal sentence: "There is no charge, no upsell, no requirement to do anything."
- ✓ Includes an opt-out: reply with STOP and we permanently add the apex domain to a do-not-contact list.
- ✕ No attachments. No threats to publish. No payment request.
If what you received doesn't match every line above, it isn't from us. Forward it to [email protected] and we'll investigate.
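One way to run the checklist above against a raw message, added here as an example and not Leakwarden's own code. It assumes the sender domain is leakwarden.com (the exact sender address is redacted above, so compare the full address yourself), and both sample messages are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Checklist from the page above. The page redacts the exact sender address, so
# SENDER_DOMAIN is an assumption: also compare the full address you expect.
SENDER_DOMAIN = "leakwarden.com"
SENDER_NAME = "Leakwarden"
REQUIRED_SENTENCE = "There is no charge, no upsell, no requirement to do anything."
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def _first_party(url: str) -> bool:
    # True only for leakwarden.com itself or a subdomain of it (no shorteners).
    host = (urlparse(url).hostname or "").lower()
    return host == SENDER_DOMAIN or host.endswith("." + SENDER_DOMAIN)


def verify_disclosure(raw: str) -> dict:
    """Evaluate each checklist property; every value must be True for a genuine mail."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    # Join all text parts (plain and HTML) so links in either are checked.
    text = "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_maintype() == "text")
    return {
        "sender_domain": addr.lower().endswith("@" + SENDER_DOMAIN),
        "display_name": name.strip() == SENDER_NAME,
        "links_first_party": all(_first_party(u) for u in URL_RE.findall(text)),
        "no_charge_sentence": REQUIRED_SENTENCE in text,
        "stop_opt_out": "STOP" in text,
        "no_attachments": not any(p.is_attachment() for p in msg.walk()),
    }


def is_genuine(raw: str) -> bool:
    return all(verify_disclosure(raw).values())


# Constructed sample that satisfies every property on the checklist.
GENUINE = (
    "From: Leakwarden <placeholder@leakwarden.com>\r\n"
    "Content-Type: text/plain\r\n\r\n"
    "Full report: https://leakwarden.com/report/placeholder\r\n"
    "There is no charge, no upsell, no requirement to do anything.\r\n"
    "Reply STOP to opt out.\r\n"
)
# Constructed forgery: identical except the report link leaves leakwarden.com.
FORGED = GENUINE.replace("leakwarden.com/report/placeholder", "link.example/x")
```

A message with no links at all passes the link check vacuously, so also confirm that the report link the email promises is actually present.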
What is Leakwarden?
Leakwarden is a small public-web security scanning service. We watch certificate-transparency logs for newly issued TLS certificates and run a free surface scan against the resulting hosts to spot common accidentally-exposed assets — things like .git/config files, .env files committed to webroots, and hardcoded credentials in JavaScript bundles. When we find something on a domain that didn't ask us to scan it, an operator may send a one-time notification to a standard administrative address.
Why did you contact me?
Because a domain you appear to control was found to be exposing something that is typically not meant to be public. The email contains the specific finding (severity, path, summary) and a link to the full report.
We send these because exposed assets in these categories tend to lead to incidents downstream — credentials get harvested, private repositories get cloned, customer data gets exfiltrated. The window between "publicly exposed" and "actively exploited" can be hours, not days. We'd rather you find out from us than from someone with less friendly intentions.
Is this free? Are you about to ask for money?
Yes, it's free. No, we are not going to ask for money for the finding or to make it "go away". We never make payment a condition of a disclosure — that pattern is extortion under most penal codes and we don't do it.
We do operate a paid product (a scanner you can run on your own domains, with continuous monitoring and diff alerting). That's on the pricing page for anyone who wants ongoing coverage. But it's an entirely separate offering — if you ignore the disclosure email forever, nothing bad happens on our end.
Will you publish or share this finding with anyone else?
No third-party sharing. We do not sell findings to data brokers, give them to vulnerability databases, or use them for marketing. We commit to not publicly disclosing any finding for at least 30 days from the date of the first notification, regardless of whether you respond. In practice we don't publish individual findings at all — only aggregate statistics that don't identify any specific target.
How did you find this without permission?
Certificate transparency logs are public by design. When you obtain a TLS certificate from a public CA — Let's Encrypt, DigiCert, Google Trust Services, etc. — the cert (including the domain name) is logged to multiple public CT logs that anyone can subscribe to. We subscribe to those logs, and run scans against the resulting hostnames.
Our scans send HTTP GET requests at no more than 2 requests per second per host — the same load as a curious developer with a browser. Surface scans check a fixed pre-known path list (no crawling, no aggressive recursion). Sending HTTP GETs to public URLs is not unauthorized access under US federal law (CFAA), and we throttle conservatively to stay clearly within that line.
What should I do now?
- Fix the issue if it's still exposed — that's the whole point of the email. Pull the file or directory off the public webroot, or block it at the webserver / CDN level.
- Rotate any exposed secrets. If the finding was a committed API token, deleting the file isn't enough — rotate the credential on the upstream service (GitHub, Stripe, AWS, etc.) since it may have already been harvested by other CT-log scrapers in the time it was exposed.
- Tell us if we got it wrong. If the file in question is intentionally public, or what we flagged isn't actually a secret, a one-line reply helps us improve the rules. We won't argue.
- Consider ongoing monitoring. If you'd like us to catch the next one before someone else does, our paid scanner is at /pricing. Completely optional.
How do I opt out of future emails?
Reply to the original email with the word STOP. We add the apex domain to a permanent do-not-contact list and you will never receive another disclosure from us about that domain.
You can also opt out pre-emptively (before we've ever sent anything) by emailing the apex domain to [email protected].
Who runs Leakwarden?
A one-person operation run from gorgan.dev alongside a handful of other small projects. The infrastructure, scanning rules, and disclosure decisions are all single-operator. There's no investor pressure to monetize disclosures, no sales team incentivized to convert outreach to deals, no offshore call center. This is deliberately a small, transparent, slow-moving project.
More on the operator and the project's history is on the About page. The conduct rules we hold ourselves to are in the Acceptable Use Policy §4. How we handle your data is in the Privacy Policy §7.
Still suspicious? Contact a human.
Email [email protected] — it's the same address the disclosure came from, monitored by the same person. Or report it as abuse at [email protected] if you believe the email you received was not legitimate. Either way you'll hear back within one business day.