Security
We find bugs. We don't have them.
BrokenApp is a security tool. We hold ourselves to the same standard we apply to every app we scan. Here's how we protect your data and our systems.
Our practices
Security by design.
Local-first architecture
The CLI runs on your machine. Scan data never leaves your environment unless you explicitly send it somewhere. No cloud middleman.
Secrets always masked
When we detect API keys or credentials, we mask them in all output. Only partial values shown for verification. Never stored in full.
No data collection
BrokenApp does not phone home, collect telemetry, or transmit scan results. The free tier works fully offline. Your reports are yours.
Minimal permissions
The CLI requires only network access to the target URL. No file system access beyond the output directory. No background processes.
Data handling
What we store. What we don't.
Scan results are written to your local filesystem as JSON files. They contain URLs, response codes, detected findings, and evidence. They never leave your machine unless you use an integration (GitHub, export, etc.) to send them somewhere you control.
Account data (email, name) is stored only if you create an account for Pro/Team features. We use it for licensing and support. We don't sell it. We don't share it. We don't use it for marketing beyond transactional emails.
Detected secrets (API keys, tokens, credentials) are always masked before being written to any output file. We store a hash for fingerprinting, never the full value.
Infrastructure
How we protect our systems.
Encryption
TLS 1.3 in transit. AES-256 at rest for any stored data.
Authentication
API keys with automatic rotation. Session tokens with short TTLs.
Access control
Principle of least privilege. Role-based access. Audit logging on all admin actions.
Dependencies
Automated dependency scanning. Lock files pinned. No eval, no dynamic requires.
Testing
We run BrokenApp on BrokenApp. Every release is scanned before shipping.
Incident response
Documented IR plan. 24-hour acknowledgment SLA. Post-mortems published.
Responsible disclosure
Found something? Tell us.
We take security reports seriously. If you've found a vulnerability in BrokenApp's CLI, website, API, or infrastructure, we want to know.
Disclosure policy
- Email security@brokenapp.io with a description of the vulnerability and reproduction steps
- We will acknowledge your report within 24 hours
- We will provide an initial assessment within 72 hours
- We ask for 90 days before public disclosure to allow us to fix the issue
- We will credit you in our security advisories (unless you prefer anonymity)
- We do not pursue legal action against researchers acting in good faith
Security reports
security@brokenapp.io
PGP key
Fingerprint available on request
Security is what we do.
We scan other people's apps for a living. We hold ours to an even higher standard.