Security

How CyberScore handles your data, and what we never do

We sell a security product. The bar for our own posture has to be higher than the average SaaS, not lower. This page documents exactly what runs during a scan and how we handle anything we collect.

Live independent audits

These badges link to live scan reports. Re-run them anytime — we display whatever grade the auditor returns.

Threat model in one paragraph

CyberScore performs passive external reconnaissance on a domain you provide. Every data source we query is publicly available without authentication; nothing about the target's internal systems ever crosses our network. Our threat model assumes that an attacker would query the same sources — our value is aggregation, prioritisation and a written brief, not privileged access.

What runs during a scan

Subdomain enum
  Scope: 10,000-word SecLists wordlist + Certificate Transparency (crt.sh)
  Method: Async DNS queries, capped at 200 concurrent. We never brute-force authentication.

Cloud bucket sweep
  Scope: 73 cloud providers (AWS S3, GCS, Azure, Alibaba, OVH, Hetzner, …)
  Method: Plain HEAD requests against well-known URL patterns. We do not list or download bucket contents.

Wayback Machine archives
  Scope: web.archive.org/cdx/search — public archived URLs
  Method: One CDX query per scan. We flag sensitive paths (/.env, /admin, /backup) but never refetch the cached content.

Public GitHub leak hunting
  Scope: GitHub Code Search across public repos mentioning your domain
  Method: 13 dorks × 22 TruffleHog-style regexes. Authenticated via a GitHub PAT; rate-limit aware. No private-repo access ever.

Favicon fingerprint
  Scope: MurmurHash3 of /favicon.ico → tech detection + origin-IP discovery
  Method: Single GET on /favicon.ico, then optional lookup against Shodan InternetDB (free public API).

Email security
  Scope: SPF, DKIM (45 selectors), DMARC, MX, DNSSEC
  Method: Public DNS queries only. We never connect to your mail server.

TLS/SSL audit
  Scope: Certificate validity, supported protocols, weak ciphers
  Method: TLS handshakes, no payloads.

Threat intelligence
  Scope: AbuseIPDB, AlienVault OTX, VirusTotal, Google Safe Browsing, DNSBL, crt.sh
  Method: Public APIs only. Lookups by domain or by IP. No data leaves the scan beyond what is sent to those public services.

API security
  Scope: Swagger / OpenAPI live spec parsing, GraphQL introspection detection, BOLA on object-level endpoints, reflective CORS check
  Method: Read-only GETs only. We parse a Swagger spec if it is publicly served, send a single GraphQL introspection query, and probe object endpoints (e.g. /api/users/1) without any Authorization header. No POST mutation, no payload exploit.

Web-app vulnerabilities
  Scope: SQL injection, XSS (reflected), CSRF token absence, command injection, path traversal, CORS misconfiguration, insecure cookies
  Method: Crawl up to 60 URLs at depth 3, then probe each parameter with safe test inputs. CORS check sends one Origin: evil.example header. Cookie audit is purely passive header inspection.

Login & auth surface
  Scope: Login page presence on 16 common paths, MFA visibility, CAPTCHA gating, password-reset workflow, default-credentials hints
  Method: GET only. We parse the form HTML to detect a password input, MFA fields, CAPTCHA markup. We never submit the form. We never attempt fake credentials.

Cloud IAM audit
  Scope: ACL audit on every public S3 / GCS / Azure Blob bucket discovered by the Shadow IT pass
  Method: Plain HTTP GETs on bucket listing endpoints (e.g. ?list-type=2). Detects anonymous listing, public-read, missing Block-Public-Access. We never PUT, DELETE, or modify any bucket content.

Tech fingerprint
  Scope: 190 signatures matched against HTML, JS, headers — captures EXACT version on jQuery, Bootstrap, Lodash, Moment, AngularJS, nginx, Apache, WordPress, PHP, etc.
  Method: Pattern matching on the response of the homepage fetch we already do for other modules. No additional HTTP request.

JS dependency CVEs
  Scope: Detected JS library versions matched against a curated local CVE database (jQuery, Bootstrap, Lodash, Moment, axios, AngularJS, etc.)
  Method: Pure semver comparison on the fingerprint output. Zero network call. The CVE DB is snapshotted from the public NVD + GitHub Advisory Database and refreshed quarterly.
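The record-evaluation step of the email-security module, reduced to SPF and DMARC, as an added example that is not CyberScore's code. It takes TXT answers already fetched from public DNS (the domain's own TXT records and those of _dmarc.<domain>) and grades them offline, never touching a mail server; the records in SAMPLE_TXT are constructed and the function names are this example's own. DKIM selector probing, MX and DNSSEC checks are left out, and only the lookup-costing terms written directly in the SPF record are counted; a full check would resolve each include: chain.

```python
"""Offline grading of SPF and DMARC TXT records: added illustration, not
CyberScore's code. Input is whatever a public DNS resolver returned for the
domain's TXT records and for _dmarc.<domain>; nothing here talks to a mail
server. The records in SAMPLE_TXT are constructed."""
import re
from typing import Dict, List

# SPF terms that each cost a DNS lookup against RFC 7208's limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT answers, keyed by the name a resolver would be asked for.
SAMPLE_TXT: Dict[str, List[str]] = {
    "example.com": [
        "v=spf1 include:_spf.example.net a mx ~all",
        "some-site-verification=abc123",
    ],
    "_dmarc.example.com": [
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100",
    ],
    "example.org": ["v=spf1 -all"],
    "_dmarc.example.org": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.org"],
}


def analyse_spf(txt_records: List[str]) -> dict:
    """Find the v=spf1 record and report its 'all' qualifier, how many
    lookup-costing terms it declares directly, and a list of issue codes."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    result = {"present": bool(spf), "all": None, "lookups": 0, "issues": []}
    if not spf:
        result["issues"].append("spf_missing")
        return result
    if len(spf) > 1:
        # RFC 7208 section 3.2: more than one SPF record is a permanent error.
        result["issues"].append("spf_multiple_records")
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term[1:] if term[0] in "+-~?" else term
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            # Only directly written terms are counted; a full check would
            # resolve each include: chain and add its lookups too.
            result["lookups"] += 1
        elif name == "all":
            result["all"] = qualifier
    if result["all"] is None:
        result["issues"].append("spf_no_all")          # implicit neutral result
    elif result["all"] in ("+", "?"):
        result["issues"].append("spf_permissive_all")  # anyone may send as the domain
    elif result["all"] == "~":
        result["issues"].append("spf_softfail_all")    # receivers rarely reject on softfail
    if result["lookups"] > 10:
        result["issues"].append("spf_lookup_limit")
    return result


def analyse_dmarc(txt_records: List[str]) -> dict:
    """Parse the v=DMARC1 tag list and flag a non-enforcing policy,
    missing aggregate reporting, or a partial pct= rollout."""
    recs = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    result = {"present": bool(recs), "policy": None, "rua": None, "issues": []}
    if not recs:
        result["issues"].append("dmarc_missing")
        return result
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    result["policy"] = tags.get("p")
    result["rua"] = tags.get("rua")
    if result["policy"] not in ("quarantine", "reject"):
        result["issues"].append("dmarc_policy_not_enforcing")
    if not result["rua"]:
        result["issues"].append("dmarc_no_reporting")
    if tags.get("pct", "100") != "100":
        result["issues"].append("dmarc_partial_pct")
    return result


def grade_domain(domain: str, txt: Dict[str, List[str]] = SAMPLE_TXT) -> dict:
    """Combine both checks for one domain into a single findings record."""
    spf = analyse_spf(txt.get(domain, []))
    dmarc = analyse_dmarc(txt.get(f"_dmarc.{domain}", []))
    return {"domain": domain, "spf": spf, "dmarc": dmarc,
            "issues": spf["issues"] + dmarc["issues"]}


if __name__ == "__main__":
    for name in ("example.com", "example.org"):
        print(name, grade_domain(name)["issues"])
```

With the constructed data, example.com is flagged for a softfail SPF and a p=none DMARC policy, while example.org (hard fail, p=reject, reporting address set) comes back clean; a domain with no records at all gets both "missing" codes.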
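How a pure semver comparison of fingerprint output against a local advisory snapshot works, as an added example that is not CyberScore's code. The advisory entries carry placeholder IDs (this page names no CVE numbers), their version ranges and the fingerprint input are constructed, and no network call is made. Version strings are normalised the way a fingerprinter's output needs them to be: a leading "v" is dropped, missing components become 0, and a pre-release suffix is ignored.

```python
"""Offline matching of fingerprinted JS library versions against a local
advisory snapshot: added illustration, not CyberScore's code. Advisory IDs
are placeholders, the ranges and the fingerprint input are constructed, and
nothing here touches the network."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]


class Advisory(NamedTuple):
    library: str
    advisory_id: str   # placeholder, not a real CVE or GHSA identifier
    introduced: str    # first affected version (inclusive)
    fixed: str         # first patched version (exclusive)
    summary: str


# Constructed snapshot; a real one is exported from NVD / GitHub Advisory
# Database and refreshed on a schedule, as the module description says.
ADVISORY_DB: List[Advisory] = [
    Advisory("jquery", "ADV-PLACEHOLDER-001", "1.0.3", "3.5.0", "constructed XSS-class entry"),
    Advisory("lodash", "ADV-PLACEHOLDER-002", "0.0.0", "4.17.12", "constructed prototype-pollution entry"),
    Advisory("bootstrap", "ADV-PLACEHOLDER-003", "3.0.0", "3.4.0", "constructed XSS-class entry"),
    Advisory("moment", "ADV-PLACEHOLDER-004", "0.0.0", "2.29.2", "constructed ReDoS-class entry"),
]

# Constructed output of a tech-fingerprint pass: library -> detected version.
SAMPLE_FINGERPRINTS: Dict[str, str] = {
    "jQuery": "1.12.4",
    "lodash": "4.17.21",
    "Bootstrap": "v3.3.7",
    "moment": "2.29.4",
    "AngularJS": "unknown",   # version string the fingerprinter could not read
}

_VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Parse 'v3.3.7', '1.12' or '3.5.0-rc1' into a comparable 3-tuple.
    A leading 'v' is dropped, missing parts become 0 and any pre-release
    suffix is ignored. Returns None for strings that are not versions."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    major, minor, patch = (int(g or 0) for g in match.groups())
    return (major, minor, patch)


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed."""
    parsed = parse_version(version)
    if parsed is None:
        return False   # unreadable version: report nothing rather than guess
    return parse_version(adv.introduced) <= parsed < parse_version(adv.fixed)


def match_fingerprints(fingerprints: Dict[str, str],
                       db: List[Advisory] = ADVISORY_DB) -> List[dict]:
    """Pure comparison of fingerprint output against the local snapshot."""
    findings = []
    for library, version in fingerprints.items():
        for adv in db:
            if adv.library == library.lower() and is_affected(version, adv):
                findings.append({
                    "library": library,
                    "version": version,
                    "advisory": adv.advisory_id,
                    "fixed_in": adv.fixed,
                })
    return findings


if __name__ == "__main__":
    for finding in match_fingerprints(SAMPLE_FINGERPRINTS):
        print(finding)
```

A match means only that the advertised version string falls inside an affected range. A vendored fork or a backported patch can leave the string unchanged while the issue is fixed, and a library whose version is not exposed in the served assets is never checked at all, so findings from this module are candidates for verification rather than confirmed vulnerabilities.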

Commitments

Read-only by design

We never send exploit payloads, brute-force passwords, or interact with non-public endpoints. The only trace your WAF sees is the user agent CyberScoreBot/1.0.

Domain-based, not credential-based

You give us a domain name. We never request AWS keys, SSO access, GitHub OAuth on private repos, or any other authenticated integration. CyberScore stays domain-in / score-out.

Data minimisation

Paid-plan scan results are kept for the lifetime of the active subscription or one-time entitlement. After cancellation or expiry, raw scan data is purged within 30 days. The "Sample preview" tier produces a demo report on a fixed target and is not tied to a real customer scan.

No advertiser sharing

We do not sell or share scan data with advertisers, data brokers, or any third party outside of the public APIs we query during the scan itself.

EU hosting

CyberScore runs on a single dedicated VPS in France. Postgres, Redis, scan storage, and the FastAPI backend all live there.

Encryption everywhere

TLS 1.2+ for every connection, bcrypt for password hashes, JWT auth with rotation, CSRF tokens HMAC-bound to the user, scan storage isolated to a dedicated VPS volume. Full disk encryption at rest is on the roadmap.
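What "CSRF tokens HMAC-bound to the user" means in practice, as an added example of the design named above rather than CyberScore's implementation. A token carries the user id, an expiry and a nonce, authenticated with HMAC-SHA256 under a server secret; verification rejects a token presented for a different user, an expired one, one whose MAC does not verify, and anything malformed. SERVER_SECRET is generated at import time for the demo only; a deployment loads a persistent key and rotates it, and the function names are this example's own.

```python
"""HMAC-bound CSRF tokens: added illustration of the design named on the page,
not CyberScore's implementation. A token is '<base64url(payload)>.<hex mac>'
with payload = user|expiry|nonce, so a token issued to one user fails when
presented in another user's session, and the MAC is checked before any
field inside the payload is trusted."""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Generated fresh for the demo; a deployment loads a persistent key and
# rotates it on its own schedule (verifying under the old key during overlap).
SERVER_SECRET = secrets.token_bytes(32)


def _now(now: Optional[float]) -> int:
    """Clock hook so callers (and tests) can pin the current time."""
    return int(time.time() if now is None else now)


def issue_csrf_token(user_id: str, ttl_seconds: int = 3600,
                     now: Optional[float] = None,
                     key: bytes = SERVER_SECRET) -> str:
    """Mint a token bound to user_id that expires ttl_seconds from now."""
    if "|" in user_id:
        raise ValueError("user_id must not contain the field separator")
    expiry = _now(now) + ttl_seconds
    nonce = secrets.token_hex(8)  # makes every issued token distinct
    payload = f"{user_id}|{expiry}|{nonce}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def verify_csrf_token(token: str, user_id: str,
                      now: Optional[float] = None,
                      key: bytes = SERVER_SECRET) -> bool:
    """Accept only a token whose MAC verifies under the server key, whose
    embedded user id equals the session's user, and which has not expired."""
    try:
        encoded, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
    except (ValueError, UnicodeDecodeError):
        return False
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return False
    try:
        bound_user, expiry, _nonce = payload.decode().split("|")
        expiry_ts = int(expiry)
    except (ValueError, UnicodeDecodeError):
        return False
    if bound_user != user_id:   # token belongs to a different session's user
        return False
    return expiry_ts > _now(now)


if __name__ == "__main__":
    token = issue_csrf_token("alice")
    print("alice:", verify_csrf_token(token, "alice"))
    print("bob:  ", verify_csrf_token(token, "bob"))
```

The binding is what distinguishes this from a per-session random string: a token leaked from or issued to one account cannot be replayed against another account's forms, and the expiry bounds how long a captured token stays usable.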

Reporting a vulnerability

Found something we got wrong? Email patrick@cybersco.re. We aim to acknowledge inside 24 h and triage inside 72 h. We do not yet have a formal bug-bounty program; pre-launch, recognition is the only reward we can offer, but we will list every reporter we hear from on this page when the program opens.

What stays out of scope

Honest disclosure of where CyberScore stops, so you know what it does NOT replace:

  • Active exploitation. We never send real SQLi / XSS / RCE payloads that could trigger side effects on your servers. Vulnerability classes are surfaced via safe detection inputs, not confirmed by exploitation.
  • Business logic flaws. Race conditions, IDOR on workflow-specific endpoints, broken price-calculation paths — these need a human pentester who understands your domain.
  • Internal network recon. We scan the public attack surface from the outside. We don't pivot, we don't deploy agents on your servers, we don't access anything behind your VPN.
  • Social engineering. Phishing simulations, pretexting, OSINT-driven human reconnaissance — not in scope and never will be.
  • Source code review. SAST belongs in your CI. We scan the deployed surface, not the code that produced it.

These are deliberate boundaries. CyberScore is the continuous layer between two pentests, not a replacement for the deep, human-led pentest that catches the items above.

Coming next

  • SOC 2 Type I — under evaluation, no firm date yet
  • Public DPA available on request, signable in 1 click
  • Public scanning IP range (so your WAF can allowlist us)
  • Open-source CLI mirror of the passive scanners

Last updated June 21, 2026.