LinkWitness

Security

Scanning should not create a new risk.

Last reviewed 13 July 2026

Input boundaries

Local, private-network, cloud-metadata, non-web, and credential-bearing addresses are rejected. Redirect destinations are revalidated before use. These controls are designed to reduce server-side request forgery and accidental access to private resources.

Data minimization

Structured evidence is separated from contact and correction records. Secret-like URL values are masked where feasible, and users are instructed not to submit credentials or unnecessary personal information.

Access and audit

Administrative access is limited to operational need. Security-relevant activity and material correction actions may be retained for audit and abuse prevention.

Current scope

Reports may combine address analysis, deterministic rules, and available data sources. A report clearly marks unavailable coverage. LinkWitness does not ask a user's browser to log in to or transact with the submitted site.

Report a vulnerability

Email report@linkwitness.com with a concise impact statement, reproducible steps, and a safe proof of concept. Do not access data that is not yours, disrupt service, or include live secrets. We ask researchers to allow reasonable time for investigation before public disclosure.