Scanning Policy
Last updated: May 3, 2026
What is UNPWNED?
UNPWNED is a website security scanner that checks domains for publicly visible security vulnerabilities. Our scans only analyze information that is already accessible to anyone on the internet. We do not exploit vulnerabilities, extract private data, or modify anything on the target system.
How to Identify Our Scanner
Most UNPWNED scanner requests identify with the User-Agent string below. A small number of read-only checks, most notably cloaking detection on deep scans, intentionally use browser-like or crawler User-Agents (such as Googlebot) to test whether the site behaves differently for automated visitors. These checks remain read-only and non-destructive.
If you see this User-Agent in your server logs, it means an UNPWNED user initiated a security scan on your domain. All scan requests originate from our cloud infrastructure (Vercel serverless functions) and not from the end user's device.
Allowlisting UNPWNED on Your Firewall
Many sites run behind WAFs (Cloudflare, Vercel Firewall, Netlify Edge, AWS WAF) that challenge or rate-limit unfamiliar scanners. When this happens, parts of an UNPWNED scan may be silently blocked, producing an incomplete report and a misleading score. If you own the target site and want repeatable, complete scans, allowlist us.
Our scanner identifies itself by both the User-Agent above and a polite request cadence on managed-host targets (we automatically detect Cloudflare, Vercel, and Netlify and reduce concurrency to avoid triggering bot protection). The combination below is a unique enough signature for a WAF rule.
Cloudflare
Security → WAF → Custom rules → create a rule with action Skip when:
Vercel Firewall
Project → Firewall → Custom rules → Allow when User Agent contains UNPWNED-Scanner.
Netlify Edge
Site settings → Edge functions / Edge Rules → allow requests where the User-Agent header matches UNPWNED-Scanner.
AWS WAF / Other
Add a string-match rule on the User-Agent header containing UNPWNED-Scanner and set it to allow before any rate-limit rules.
We do not publish a static IP list. Our scanners run on Vercel's serverless infrastructure and IPs change frequently; the User-Agent is the stable identifier.
What Our Scans Do
A standard UNPWNED scan performs the following non-destructive checks against a domain:
- SSL/TLS certificate and cipher configuration analysis
- Security header inspection (CSP, HSTS, X-Frame-Options, etc.)
- DNS record analysis (SPF, DKIM, DMARC, DNSSEC)
- Checks for publicly exposed sensitive files (e.g. .env, .git/HEAD)
- API endpoint discovery and access control verification
- Cookie security analysis
- CORS policy testing
- JavaScript source analysis for exposed secrets or API keys
- Technology stack and framework detection
- Cloud storage bucket enumeration
- Rate limiting verification
- Privacy and compliance checks
Deep scans (available only for verified domain owners) additionally perform subdomain enumeration, HTTP method testing, cloaking detection, and other active techniques as described in our Terms of Service (Section 4).
What Our Scans Do NOT Do
- We never exploit discovered vulnerabilities
- We never write, modify, or delete data on the target system
- We never attempt to log in or bypass authentication
- We never extract, download, or store private data from the target
- We never perform denial-of-service or stress testing
- We never introduce new vulnerabilities or backdoors
Potential Impact on Your Systems
While our scans are non-destructive, they may have the following effects on the target system:
- Entries in your web server access logs from our User-Agent
- Security alerts from your WAF, IDS, or honeypot systems
- A minor, temporary increase in network bandwidth usage
- Automated blocking by your security infrastructure (which may block our User-Agent or IP)
These effects are comparable to what any search engine crawler or automated security assessment tool would produce when accessing publicly available resources.
User Authorization
Every UNPWNED user is required to confirm, before each scan, that they own the target domain or have explicit written authorization from the domain owner to conduct a security scan. This applies to dashboard scans, verified-domain deep scans, public no-account scans, partner/API scans, and any other scan initiation path. This consent is recorded as a legally binding electronic signature or authorization declaration and retained for legal defense as described in our Terms and Privacy Policy.
UNPWNED reserves the right to request proof of authorization at any time and will suspend or terminate accounts that cannot provide satisfactory evidence.
For full legal details, see our Terms of Service (Section 3).
Opt-Out for Domain Owners
If you are the owner of a domain and want to exclude it from any future UNPWNED scanning, we offer a self-serve opt-out flow that takes about two minutes and verifies ownership via a DNS TXT record:
Self-serve opt-out
DNS-verified, instant, no email back-and-forth.
Prefer email? You can still write to [email protected] with the domain name(s) you want excluded and proof of ownership. We will add the domain to the exclusion list manually after review.
Once verified, every UNPWNED scan path (dashboard, public check, partner API) will refuse to scan your domain or any of its subdomains. The requesting user is told the domain owner has opted out.
Abuse reports. If you believe your domain was scanned without proper authorization, please contact us at [email protected]. We take unauthorized scanning seriously and will investigate all reports. Where appropriate, we will provide the relevant consent audit records to the domain owner and may terminate the offending user's account.
Blocking Our Scanner
You can block UNPWNED scans at any time using standard web server or firewall configuration:
# Block by User-Agent (nginx example; ~* makes the match case-insensitive)
if ($http_user_agent ~* "UNPWNED-Scanner") {
    return 403;
}
# Block by User-Agent (Apache .htaccess; [NC] = case-insensitive match, [F] = respond 403 Forbidden)
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} UNPWNED-Scanner [NC]
RewriteRule .* - [F,L]
When our scanner receives a 403 response, the scan will note the blocked status and the user will be informed that the target domain is blocking security scans.
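As an added example (not code from the UNPWNED page or project), the following Python script shows how a site operator can audit the log entries mentioned under "Potential Impact on Your Systems" and confirm that a block rule like the ones above is taking effect: it parses combined-format access logs (the default for both nginx and Apache), matches the User-Agent with the same case-insensitive substring test that nginx `~*` and Apache `[NC]` perform, and reports which paths the scanner requested and how many of those requests were already refused with a 403. The sample log lines, the source addresses, and the full User-Agent string "Mozilla/5.0 (compatible; UNPWNED-Scanner/1.0)" are constructed for the example; the page only states that the real User-Agent contains the token UNPWNED-Scanner.

```python
import re
from collections import Counter

# Token that the page says appears in the scanner's User-Agent.
SCANNER_TOKEN = "UNPWNED-Scanner"

# nginx "combined" / Apache '%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"' format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic): addresses come from RFC 5737 documentation
# ranges, and the full User-Agent string is an assumption; the page only gives the token.
SAMPLE_LOG = """\
203.0.113.10 - - [03/May/2026:10:15:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; UNPWNED-Scanner/1.0)"
203.0.113.10 - - [03/May/2026:10:15:01 +0000] "GET /.git/HEAD HTTP/1.1" 403 0 "-" "Mozilla/5.0 (compatible; unpwned-scanner/1.0)"
198.51.100.7 - - [03/May/2026:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
203.0.113.10 - - [03/May/2026:10:15:03 +0000] "GET /api/users HTTP/1.1" 401 42 "-" "Mozilla/5.0 (compatible; UNPWNED-Scanner/1.0)"
"""


def parse_line(line):
    """Parse one combined-format line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def matches_scanner_ua(user_agent, token=SCANNER_TOKEN):
    """Case-insensitive substring test: the same semantics as nginx `~*` and Apache `[NC]`."""
    return token.lower() in user_agent.lower()


def summarize_scanner_requests(log_text, token=SCANNER_TOKEN):
    """Count scanner-tagged requests: total, per source IP, paths probed, and how many got a 403."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    records = [parse_line(ln) for ln in lines]
    hits = [r for r in records if r is not None and matches_scanner_ua(r["ua"], token)]
    return {
        "total": len(hits),
        "by_ip": dict(Counter(r["ip"] for r in hits)),
        "paths": [r["path"] for r in hits],
        "blocked": sum(1 for r in hits if r["status"] == 403),
        # Lines the regex could not parse: a non-zero value means the log is not in combined format.
        "unparsed": sum(1 for r in records if r is None),
    }


if __name__ == "__main__":
    summary = summarize_scanner_requests(SAMPLE_LOG)
    print(f"scanner requests: {summary['total']} (refused with 403: {summary['blocked']})")
    for ip, n in summary["by_ip"].items():
        print(f"  {ip}: {n} request(s)")
    print("  paths probed:", ", ".join(summary["paths"]))
    if summary["unparsed"]:
        print(f"  warning: {summary['unparsed']} line(s) were not in combined log format")
```

On a live server, replace SAMPLE_LOG with the contents of the access log. If `blocked` stays at zero after the nginx or Apache rule is installed, the rule is not being applied to the requests in question (for example because it sits in the wrong `location` or `.htaccess` is not honoured), which is the condition the "user will be informed that the target domain is blocking security scans" behaviour depends on.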
Contact
For questions about our scanning practices, opt-out requests, or abuse reports:
- Abuse / Opt-out: [email protected]
- General: [email protected]
- Security: [email protected]