hammering.ai← back to scanner

Security & responsible disclosure

hammering.ai is a security tool, so we hold ourselves to the bar we measure others against. This page explains how the service is built to be safe and how to report a problem if you find one.

Report a vulnerability

If you believe you've found a security issue in hammering.ai, email security@hammering.ai. Please include steps to reproduce and give us a reasonable window to respond before any public disclosure. We do not currently run a paid bounty, but we'll credit reporters who want it. Do not run destructive or high-volume tests against the service.

How the service protects itself

Stateless by design. There are no accounts, no cookies, and no database. Scan reports are encoded into a signed URL, not stored on our servers, so there is no store of customer data to breach.

Read-only, authorization-gated.Scans only fetch what an unauthenticated visitor's browser already downloads. The deeper database-exposure check reads real rows only after you prove you control the domain (DNS record, meta tag, or a .well-known file), and even then it reads table names and row counts only — never values — and never writes.

Hardened outbound requests.The scanner validates every resolved address and refuses to connect to private, loopback, or cloud-metadata IPs, so it can't be used to reach internal networks.

Security headers. The site sends a Content-Security- Policy, HSTS, and clickjacking, MIME-sniffing, and referrer protections — it passes its own scan.

Scope & honesty

A clean scan is a fast first pass, not a guarantee or a penetration test. It reports what we found from the outside; it can't see anything behind a login, business-logic flaws, or your infrastructure. Treat the score as a signal, not a certification.