Security

How CyberScore handles your data, and what we never do.

We sell a security product. The bar for our own posture has to be higher than the average SaaS, not lower. This page documents exactly what runs during a scan and how we handle anything we collect.

Threat model in one paragraph

CyberScore performs passive external reconnaissance on a domain you provide. Every data source we query is public; where a source requires an API token (GitHub Code Search), the token only grants access to data anyone can already read. Nothing about the target's internal systems ever crosses our network. Our threat model assumes that an attacker would query the same sources — our value is aggregation, prioritisation and a written brief, not privileged access.

What runs during a scan

Subdomain enum
  Sources: 10,000-word SecLists wordlist + Certificate Transparency (crt.sh)
  Method:  Async DNS queries, capped at 200 concurrent. We never brute-force authentication.

Cloud bucket sweep
  Sources: 73 cloud providers (AWS S3, GCS, Azure, Alibaba, OVH, Hetzner, …)
  Method:  Plain HEAD requests against well-known URL patterns. We do not list or download bucket contents.

Wayback Machine archives
  Sources: web.archive.org/cdx/search — public archived URLs
  Method:  One CDX query per scan. We flag sensitive paths (/.env, /admin, /backup) but never refetch the cached content.

Public GitHub leak hunting
  Sources: GitHub Code Search across public repos mentioning your domain
  Method:  13 dorks × 22 TruffleHog-style regexes. Authenticated via a GitHub PAT; rate-limit aware. No private-repo access ever.

Favicon fingerprint
  Sources: MurmurHash3 of /favicon.ico → tech detection + origin-IP discovery
  Method:  Single GET on /favicon.ico, then optional lookup against Shodan InternetDB (free public API).

Email security
  Sources: SPF, DKIM (45 selectors), DMARC, MX, DNSSEC
  Method:  Public DNS queries only. We never connect to your mail server.

TLS/SSL audit
  Sources: Certificate validity, supported protocols, weak ciphers
  Method:  TLS handshakes, no payloads.

Threat intelligence
  Sources: AbuseIPDB, AlienVault OTX, VirusTotal, Google Safe Browsing, DNSBL, crt.sh
  Method:  Public APIs only. Lookups by domain or by IP. No data leaves the scan beyond what is sent to those public services.
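The email-security module above reads SPF and DMARC from public TXT records and grades what it finds. The following is an added illustration of that grading step, written for this page; it is not CyberScore's own scanner. It works on records already fetched (the sample TXT records for example.com are constructed here so the script runs offline), so the only live piece you would add is a TXT lookup against a public resolver. Severity labels, the DMARC tag parser and the lookup-count check against the RFC 7208 limit of 10 are assumptions of this example.

```python
import re

# Constructed sample TXT records, shaped like what a public resolver would return
# for example.com and _dmarc.example.com. Not real lookups.
SAMPLE_TXT = {
    "example.com": [
        "v=spf1 include:_spf.google.com ip4:203.0.113.0/24 ~all",
        "google-site-verification=abc123",
    ],
    "_dmarc.example.com": [
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    ],
}

# Terminal "all" mechanism -> (severity, message). Severity scale is this example's own.
SPF_FINDINGS = {
    "+all": ("critical", "SPF ends in +all: any host may send as this domain"),
    "?all": ("high", "SPF ends in ?all (neutral): receivers will not reject spoofed mail"),
    "~all": ("info", "SPF ends in ~all (softfail): consider -all once all senders are verified"),
    "-all": ("ok", "SPF ends in -all (hardfail)"),
}

# Mechanisms/modifiers that cost a DNS lookup under RFC 7208 section 4.6.4.
LOOKUP_RE = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|redirect=|exists:)", re.I)


def parse_spf(txt_records):
    """Return the single v=spf1 record, or None if it is missing or duplicated."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def parse_dmarc(txt_records):
    """Return DMARC tags as a dict, e.g. {'v': 'DMARC1', 'p': 'none', ...}, or None."""
    for r in txt_records:
        if r.upper().startswith("V=DMARC1"):
            tags = {}
            for part in r.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def check_spf(domain, txt):
    findings = []
    spf = parse_spf(txt.get(domain, []))
    if spf is None:
        findings.append(("high", "no single valid SPF record"))
        return findings
    mechanisms = spf.split()
    last = mechanisms[-1]
    sev, msg = SPF_FINDINGS.get(last, ("high", f"SPF has no terminal 'all' mechanism ({last})"))
    if sev != "ok":
        findings.append((sev, msg))
    lookups = sum(1 for m in mechanisms if LOOKUP_RE.match(m))
    if lookups > 10:
        findings.append(("high", f"SPF needs {lookups} DNS lookups, above the RFC 7208 limit of 10"))
    return findings


def check_dmarc(domain, txt):
    findings = []
    tags = parse_dmarc(txt.get(f"_dmarc.{domain}", []))
    if tags is None:
        findings.append(("high", "no DMARC record"))
        return findings
    policy = tags.get("p", "")
    if policy == "none":
        findings.append(("medium", "DMARC p=none: monitoring only, spoofed mail is still delivered"))
    elif policy not in ("quarantine", "reject"):
        findings.append(("high", f"DMARC policy missing or invalid: {policy!r}"))
    if "rua" not in tags:
        findings.append(("low", "no rua= address: aggregate reports will never arrive"))
    return findings


def audit_email_security(domain, txt=SAMPLE_TXT):
    """Combine SPF and DMARC findings for a domain using already-fetched TXT records."""
    return check_spf(domain, txt) + check_dmarc(domain, txt)


if __name__ == "__main__":
    for sev, msg in audit_email_security("example.com"):
        print(f"[{sev}] {msg}")
```

For the constructed records the audit reports the softfail SPF as informational and the `p=none` DMARC policy as the actionable finding; a domain with no SPF or a `+all` terminator is graded high or critical respectively. The parser deliberately treats two `v=spf1` records as "no valid record", which is how receivers handle that case.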
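The Wayback module above issues one CDX query and flags sensitive paths without refetching anything. Added here as an example, not CyberScore's code, is a parser for the CDX JSON layout (a header row followed by one row per capture, as the API returns with output=json) that applies the page's three prefixes and skips captures the archive recorded as non-2xx. The response body is constructed inline so the script runs offline; the prefix list and the dedup-by-path helper are this example's assumptions.

```python
import json
from urllib.parse import urlsplit

# Prefixes the page lists as sensitive; extend for your own environment.
SENSITIVE_PREFIXES = ("/.env", "/admin", "/backup")

# Constructed CDX response in the output=json layout: header row, then one row
# per archived capture. Not real archive data.
SAMPLE_CDX = json.dumps([
    ["urlkey", "timestamp", "original", "mimetype", "statuscode", "digest", "length"],
    ["com,example)/", "20240101000000", "https://example.com/", "text/html", "200", "AAAA", "1234"],
    ["com,example)/.env", "20230615120000", "https://example.com/.env", "text/plain", "200", "BBBB", "312"],
    ["com,example)/.env", "20230101000000", "https://example.com/.env", "text/plain", "200", "BBB0", "310"],
    ["com,example)/admin/login", "20220301090000", "http://example.com/admin/login", "text/html", "200", "CCCC", "2048"],
    ["com,example)/backup.zip", "20210101000000", "https://example.com/backup.zip", "application/zip", "404", "DDDD", "0"],
    ["com,example)/about", "20240201000000", "https://example.com/about", "text/html", "200", "EEEE", "900"],
])


def parse_cdx(raw):
    """Turn the array-of-arrays CDX body into a list of dicts keyed by the header row."""
    rows = json.loads(raw)
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in body]


def flag_sensitive(captures, prefixes=SENSITIVE_PREFIXES, only_success=True):
    """Return captures whose URL path starts with a sensitive prefix.

    With only_success=True, captures whose recorded status is not 2xx are dropped:
    the archive saw the path but nothing was served at the time.
    """
    hits = []
    for cap in captures:
        path = urlsplit(cap["original"]).path
        if not path.startswith(prefixes):
            continue
        if only_success and not cap.get("statuscode", "").startswith("2"):
            continue
        hits.append({"path": path, "timestamp": cap["timestamp"], "status": cap["statuscode"]})
    return hits


def latest_by_path(hits):
    """Collapse repeated captures of one path to the most recent one (CDX timestamps sort lexically)."""
    latest = {}
    for h in hits:
        if h["path"] not in latest or h["timestamp"] > latest[h["path"]]["timestamp"]:
            latest[h["path"]] = h
    return sorted(latest.values(), key=lambda h: h["path"])


if __name__ == "__main__":
    for hit in latest_by_path(flag_sensitive(parse_cdx(SAMPLE_CDX))):
        print(f"{hit['timestamp']}  {hit['status']}  {hit['path']}")
```

Only the archive metadata is inspected; the flagged paths tell the domain owner which historical URLs to review on their own side, and the archived content itself is never requested.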

Commitments

Read-only by design

We never send exploit payloads, brute-force passwords, or interact with non-public endpoints. The only trace your WAF sees is the user agent CyberScoreBot/1.0.
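A domain owner can check the read-only claim against their own access logs. The script below is an added example (not CyberScore's code) that parses combined-log-format lines, isolates requests carrying the CyberScoreBot/1.0 user agent, and reports source IPs, methods, paths and any request that was not GET or HEAD. The log lines are constructed; the last one deliberately shows a POST from an unrelated address using the same user agent, because a user-agent string is not proof of origin and only an IP allowlist settles who sent a request.

```python
import re
from collections import Counter

SCANNER_UA = "CyberScoreBot/1.0"
READ_ONLY_METHODS = {"GET", "HEAD"}

# Constructed Apache/nginx combined-log lines; not taken from any real server.
SAMPLE_LOG = """\
203.0.113.10 - - [07/May/2026:10:00:01 +0000] "HEAD /favicon.ico HTTP/1.1" 200 0 "-" "CyberScoreBot/1.0"
203.0.113.10 - - [07/May/2026:10:00:02 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "-" "CyberScoreBot/1.0"
198.51.100.7 - - [07/May/2026:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [07/May/2026:10:00:03 +0000] "HEAD /.well-known/security.txt HTTP/1.1" 404 0 "-" "CyberScoreBot/1.0"
192.0.2.99 - - [07/May/2026:10:00:04 +0000] "POST /admin/login HTTP/1.1" 403 0 "-" "CyberScoreBot/1.0"
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse each well-formed line into a dict; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def scanner_activity(entries, ua=SCANNER_UA):
    """Summarise what a user agent did, and list any request that was not read-only."""
    mine = [e for e in entries if e["ua"] == ua]
    return {
        "requests": len(mine),
        "ips": sorted({e["ip"] for e in mine}),
        "methods": dict(Counter(e["method"] for e in mine)),
        "paths": sorted({e["path"] for e in mine}),
        "non_read_only": [
            (e["ip"], e["method"], e["path"]) for e in mine if e["method"] not in READ_ONLY_METHODS
        ],
    }


if __name__ == "__main__":
    summary = scanner_activity(parse_log(SAMPLE_LOG))
    print(f"{summary['requests']} requests from {summary['ips']}: {summary['methods']}")
    for ip, method, path in summary["non_read_only"]:
        print(f"not read-only: {method} {path} from {ip}")
```

An empty `non_read_only` list from the scanner's own addresses is the expected outcome; a non-empty one from an address outside the published range is a separate actor borrowing the user agent, which is exactly why the IP range on the roadmap matters.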

Domain-based, not credential-based

You give us a domain name. We never request AWS keys, SSO access, GitHub OAuth on private repos, or any other authenticated integration. CyberScore stays domain-in / score-out.

Data minimisation

Free Scan results are kept for 24 hours. Paid-plan results are kept for the lifetime of the active subscription. After cancellation we purge raw scan data within 30 days.

No advertiser sharing

We do not sell or share scan data with advertisers, data brokers, or any third party outside of the public APIs we query during the scan itself.

EU hosting

CyberScore runs on a single dedicated VPS in France. Postgres, Redis, scan storage, and the FastAPI backend all live there.

Encryption everywhere

TLS 1.2+ for every connection, bcrypt for password hashes, JWT auth with rotation, CSRF tokens HMAC-bound to the user, scan storage isolated to a dedicated VPS volume. Full disk encryption at rest is on the roadmap.
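"CSRF tokens HMAC-bound to the user" describes a token whose MAC covers the user identity, so a token minted for one account cannot be replayed against another. The snippet below is an added illustration of that construction using only the Python standard library; it is not CyberScore's implementation. The token layout (base64url of user id, issue time and nonce, followed by an HMAC-SHA256 over that body), the one-hour lifetime and the in-memory secret are this example's assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret for the example; a real deployment loads it from
# configuration or a secrets manager and rotates it.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds a token stays valid


def _sign(body: str, secret: bytes) -> str:
    return hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(user_id: str, secret: bytes = SERVER_SECRET, now=None) -> str:
    """Return base64url(user_id|issued_at|nonce) + '.' + HMAC-SHA256 over that body."""
    issued = int(now if now is not None else time.time())
    payload = f"{user_id}|{issued}|{secrets.token_hex(8)}".encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(body, secret)}"


def verify_csrf_token(token: str, user_id: str, secret: bytes = SERVER_SECRET,
                      now=None, ttl: int = TOKEN_TTL) -> bool:
    """Accept only a token whose MAC is valid, that was issued for this user, and that has not expired."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return False
    # Check the MAC first, in constant time, before trusting anything inside the body.
    if not hmac.compare_digest(sig, _sign(body, secret)):
        return False
    try:
        padded = body + "=" * (-len(body) % 4)
        bound_user, issued, _nonce = base64.urlsafe_b64decode(padded).decode().split("|", 2)
        issued_at = int(issued)
    except (ValueError, UnicodeDecodeError):
        return False
    # Binding check: the user in the token must be the user making the request.
    if not hmac.compare_digest(bound_user.encode(), user_id.encode()):
        return False
    current = now if now is not None else time.time()
    return 0 <= current - issued_at <= ttl


if __name__ == "__main__":
    token = issue_csrf_token("alice")
    print("same user:", verify_csrf_token(token, "alice"))
    print("other user:", verify_csrf_token(token, "bob"))
```

Because the user id is inside the signed body, a token stolen from one session fails verification under any other account, and the nonce keeps two tokens for the same user within the same second distinct.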

Reporting a vulnerability

Found something we got wrong? Email patrick@cybersco.re. We aim to acknowledge inside 24 h and triage inside 72 h. We do not yet have a formal bug-bounty program; pre-launch, recognition is the only reward we can offer, but we will list every reporter we hear from on this page when the program opens.

Coming next

  • SOC 2 Type I — under evaluation, no firm date yet
  • Public DPA available on request, signable in 1 click
  • Public scanning IP range (so your WAF can allowlist us)
  • Open-source CLI mirror of the passive scanners

Last updated May 7, 2026.