Security
Scanning should not create a new risk.
Last reviewed 13 July 2026
Input boundaries
Local, private-network, cloud-metadata, non-web, and credential-bearing addresses are rejected. Redirect destinations are revalidated before use. These controls are designed to reduce server-side request forgery and accidental access to private resources.
Data minimization
Structured evidence is separated from contact and correction records. Secret-like URL values are masked where feasible, and users are instructed not to submit credentials or unnecessary personal information.
Access and audit
Administrative access is limited to operational need. Security-relevant activity and material correction actions may be retained for audit and abuse prevention.
Current scope
Reports may combine address analysis, deterministic rules, and available data sources. A report clearly marks unavailable coverage. LinkWitness does not ask a user's browser to log in to or transact with the submitted site.
Report a vulnerability
Email report@linkwitness.com with a concise impact statement, reproducible steps, and a safe proof of concept. Do not access data that is not yours, disrupt service, or include live secrets. We ask researchers to allow reasonable time for investigation before public disclosure.