Is VibeLeak safe to use? Report privacy, logs, and exports explained
VibeLeak uses passive public-surface checks, blocks internal targets, keeps full reports private to signed-in owners, and limits public pages to redacted summaries.
Trust answer
Yes, VibeLeak is designed to be safe for normal public website scans
The public scanner looks at the same public surface a browser, search crawler, or security-conscious visitor can reach without logging in. It does not ask for target credentials, does not enter private app areas, and does not turn your report into a public finding dump.
The practical promise
Scan scope
VibeLeak checks public signals, not private accounts
A normal scan makes passive HTTP(S) requests and inspects what comes back from public routes. That is enough to catch common launch problems without needing invasive access.
- Passive, public: Checks HTTPS, redirects, headers, cookies, DNS, public files, and AI-facing metadata.
- Blocked, internal: Localhost, private network ranges, cloud metadata hosts, and private-address redirects are blocked.
- No login, 0 creds: The public scan does not require target usernames, passwords, sessions, or private API keys.
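The internal-target blocking described above can be sketched as follows. This is an added Python example, not VibeLeak's own code; the function names, the `BLOCKED_NAMES` list, and the injected `fetch`/`resolve` callables are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

BLOCKED_NAMES = {"localhost", "metadata.google.internal"}  # assumed name list

def ip_is_internal(text):
    ip = ipaddress.ip_address(text)
    mapped = getattr(ip, "ipv4_mapped", None)  # unwrap ::ffff:a.b.c.d
    if mapped is not None:
        ip = mapped
    return (not ip.is_global or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified)

def dns_resolve(host):
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()

def check_target(url, resolve=dns_resolve):
    """Return (allowed, reason) for a single URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme not in ("http", "https") or not host:
        return False, "unsupported scheme or missing host"
    if host in BLOCKED_NAMES:
        return False, "blocked hostname"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # IP literal, skip DNS
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, "host does not resolve"
    # Every answer must be public: one internal A/AAAA record is enough to block.
    if any(ip_is_internal(a) for a in addrs):
        return False, "resolves to internal address"
    return True, "ok"

def scan_with_redirects(url, fetch, resolve=dns_resolve, max_hops=5):
    """fetch(url) -> (status, location_or_None). Re-check every redirect hop."""
    for _ in range(max_hops + 1):
        ok, reason = check_target(url, resolve)
        if not ok:
            return None, reason
        status, location = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            continue
        return url, "ok"
    return None, "too many redirects"
```

A production fetcher should also connect to the exact address that passed the check, so a second DNS lookup cannot return a different, internal answer.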
Data stored
Reports need enough context to re-open, recheck, and export
VibeLeak stores structured scan records so signed-in users can come back to a result, download a report, watch a score, and prove progress over time.
- Stored: URL/domain, timestamps, grade, findings, evidence summaries, account ownership, export/watch state, and operational metadata needed to run the product.
- Not stored as target data: full page content, target cookies, target sessions, scanned-site user data, or private application areas behind login.
- Public summary endpoints stay intentionally small: grade/count/link style data, not structured remediation bodies or Markdown report content.
Report privacy
A share link is not the same thing as the full report
This distinction matters. VibeLeak can give you a shareable grade card without exposing the actual remediation queue to everyone who sees the URL.
- Unsigned scan: A no-account user can run the scan and see the grade plus a preview. Full remediation and exports require sign-in.
- Signed-in owner: The owner gets saved history, full findings, evidence, fixes, score watch, and Markdown export for owned scans.
- Public viewer: Someone with a /scan/[id] link sees a redacted, noindex grade card. They do not get the full findings or export.
- Public snapshot: /site/[domain] and /api/public/scan-summary are summary surfaces only. They are not full report APIs.
Operations
Logs exist to keep the scanner reliable, not to leak reports
Every web product needs operational telemetry for failures, abuse prevention, delivery status, and support. VibeLeak keeps that separate from public report disclosure.
- Operational events may include URL/domain, scan IDs, timing, status, account state, plan state, and export or email delivery status.
- Generated Markdown report bodies are not exposed through public report pages or public summary endpoints.
- Exports require sign-in and scan ownership, so a random visitor cannot download another user's full report.
Launch access
Free scanning stays free; full free reports are a limited-time launch window
The free scanner is meant to stay useful: five public trust scans per day. During launch, signed-in free users also get detailed findings, fixes, and Markdown export so they can try the full workflow.
What changes later