Lictor AI shield

What we did this week. The good, the wrong, the silent.

Real numbers. Every retraction listed. Every silent fix counted.

If we screwed up, you’ll see it here before you see it anywhere else.

Live disclosure stats

Pulled from the GitHub API at the moment you loaded this page. loading…

findings filed publicly on GitHub (live count from the GitHub API)
addressed · maintainer replied or closed
7
silent fixes confirmed · maintainers who patched without replying. Proof the scan helped.
sent today · rolling 24h

Silent fixes are maintainers who fixed the bug without commenting back. Our recheck.py re-runs the original check every few hours and counts them automatically.

Verify yourself: github.com/search?author:Raffa-jarrl + "Security report". Same numbers, same source.

External attack-surface scanning, May 2026

The numbers above are GitHub-public disclosures. The blocks below are separate: direct-email disclosures from our external attack-surface scans, sent straight to the affected organisation's security contact or the cloud provider's abuse desk. Never to a GitHub issue, never to a public post. No victim names appear anywhere on this site.

Yes
We've audited AI apps and the open-source tools they're built on
8
confirmed vulnerabilities (with working PoCs) in named open-source AI projects like HuggingFace transformers and cognita, plus ~80 suspected findings under verification
~9
fast passive checks in the free scan (security headers, redirects, cookie flags, exposed files)
0
victim names published anywhere on this site

Week 1 (May 19 to 22): External attack-surface scan

Direct-email disclosures from a 5-day scan of AI apps and the open-source tools they're built on. Routed via Immunefi, HackerOne, CERT-IL, CERT-MX, JPCERT, BSI, and direct security@ contacts.

44
frontend source-code leaks (.js.map), HIGH tier after content-quality validation (initial scan flagged 292; 248 reclassified as framework boilerplate or stubs after anti-FP analysis)
33
spoofable enterprise email domains
11
publicly listable cloud buckets (regulated data inside)
14
end-of-life software stacks (HIGH severity)
4
RDP / FTP / SMB exposed to internet
26
new subdomain exposures (forgotten staging / unmonitored apps)

Week 2 (May 23 to 24): AI provider + cloud credential leak hunting

Six new high-fidelity scanner modules went live (patrol-aws-keys, patrol-ai-saas-keys, patrol-firebase, patrol-bot-tokens, patrol-gitlab, scan-buckets-massive). Each verified credential is fetched and regex-confirmed before disclosure. Reported in bulk to provider security teams that have the customer mapping we don't. They auto-revoke and notify affected accounts.

47
leaked AWS access keys (39 with paired secret = full-account-takeover material) → AWS Security
31
leaked OpenAI project-scoped API keys (sk-proj-*) → OpenAI Security (triage assigned to engineer within hours)
21
leaked HuggingFace user tokens (hf_*) → HuggingFace Security
6
leaked Anthropic API keys (sk-ant-api03-*) → Anthropic Security
105
Google Cloud / Firebase credentials (81 admin-SDK JSONs on GitHub + 24 configs on GitLab) → Google Security
15
Discord + Slack webhook URLs → Discord T&S + Slack Security
46
anonymous-listable cloud buckets across GCS (26), DigitalOcean Spaces (13), Wasabi (7). Names suggest financial, healthcare, KYC, credentials content → cloud provider abuse desks (we never list bucket contents)
19
verified subdomain takeover candidates (dangling DNS to unclaimed Vercel / Fastly / Heroku / Unbounce / CloudFront resources) → bounty-program security teams
2
publicly exposed phpinfo.php pages leaking PHP config (both running EOL PHP) → site owners directly

The anti-FP rigor that's actually the product

Scanners are easy to write. Scanners that don't burn researcher credibility on false positives are hard. We document every false-positive class we encounter as a permanent filter rule, so a finding only reaches you after it survives that filter.

16
documented FP classes with permanent filter rules (3 new this week: HEAD Content-Type trust, intentional public infrastructure endpoints, WAF block-pages that return HTTP 200)
818 → 0
admin-panels scanner: pre-fix raw findings vs. post-FP-fix output on the same 6-host test corpus. It caught 100% of false positives (the 6 hosts genuinely had no exposed admin panels)
62%
of generated courtesy-disclosure drafts caught by FP filters before being sent (vendor-attribution + self-hosted-library checks). Without this, ~50 misattributed disclosures would have shipped.

Why these aren't in the GitHub stats: external attack-surface + credential-leak findings go to the organisation's security@, the cloud provider's abuse desk, or via vendor disclosure programmes (Immunefi, HackerOne, CERT, INCD, BSI, AWS / OpenAI / Google / Anthropic / HuggingFace / Replicate / DigitalOcean / Wasabi security teams). They are never published on GitHub. The CVD clock starts the day we send. Full breakdown by category at /in-the-wild.

Live site traffic (last 7 days)

Pulled from Cloudflare Analytics every hour. No Google Analytics. No third-party trackers. The same numbers we see in our dashboard.

loading site traffic…

Operating principles

The non-negotiables. If any future Lictor commit violates one of these, treat it as a bug and file an issue.

1. Never publish exploit details publicly

Every disclosure goes through GitHub’s private channels first: a direct issue with no specifics, or a Private Security Advisory if the repo supports it. The exact file/line/redacted key is only sent privately after the maintainer replies asking for details.

2. Hard cap: 50 contacts per day

The autonomous cron is rate-limited at the source. Even if our queue had 10,000 candidates, no more than 50 maintainers hear from us in any 24-hour window. Protects against runaway-loop failure modes and respects maintainer fatigue.

3. Manual verification before submission

Every queued candidate is re-verified before a contact-request goes out. A regex match alone is not enough. We fetch the raw file, check context for placeholders, decode JWTs to confirm role, validate against WAF/SPA-fallback false positives.

4. Retract publicly when we’re wrong

If a finding turns out to be a false positive, we add an apology comment to the original issue, close it, and ship the scanner fix the same day. We did this 8 times on May 17. We’ll do it again. See the public retraction templates →

5. No telemetry, no analytics, no tracking

The Claude Code skill is 100% local, with no network calls. The URL scanner sends only the URL you paste (necessary). The site itself has zero analytics scripts. We can’t see who uses Lictor, and we don’t want to.

6. Apache 2.0 forever

The license on the skill-suite repo is irrevocable. Even if Lictor gets acquired tomorrow, every commit through that moment stays free for anyone to fork. The license file is in /LICENSE.

Two pages that hold us accountable

Live receipts you can audit any time.

What we deliberately don’t do

Just as important as what we do.

  • We don’t scan internal/private repos. Every disclosure target is from public GitHub / GitLab / PyPI / npm / HuggingFace. Your private code is invisible to us.
  • We don’t resell findings. No Lictor “intelligence feed”, no bug-bounty arbitrage, no selling lists to security vendors. Findings go to the maintainer + nobody else.
  • We don’t do active exploitation: never authenticate, never write data, never trigger a vulnerability beyond reading what an unauthenticated request returns.
  • We don’t name & shame. No public blog posts of the form “Look at this idiot startup with their leaked keys.” The exposures we find are anonymised here by category, not name (except where the maintainer publicly responded).
  • We don’t accept paid disclosure embargoes. Companies sometimes offer to pay for an extended embargo. We don’t engage. Standard 30-day window applies to everyone equally.
  • We don’t use bots to artificially boost stars / followers. Every star on github.com/Raffa-jarrl/Lictor-AI is a real human. If the count ever looks suspiciously high, blame organic discovery, not us.

The skill suite is open source. Read it yourself.

Everything the audit can flag on your code is publicly auditable. The internet-scale scanners run as a hosted service; the evidence rules they follow are documented on this site.

📜 The 4 skills

lictor-security-check / fix-it / explain / rotate, installable as one Claude Code plugin. Each is a markdown file you can read in 5 minutes.

Browse →

✅ The 48 checks

Every check module the audit runs, each with a “what NOT to flag” guard, readable before you trust it.

Browse →

🧪 The evidence rules

The false-positive classes every Lictor scanner filters, learned from real disclosures and triager responses.

Read →

Spot something we’re doing wrong?

Open an issue, send us a DM, or just email. The door is open.

🗣 Voice / accuracy bug

If a finding sounded jargony or was a false positive: file an issue.

📧 Direct

For sensitive concerns: Raffa@Lictor-AI.com. Read within 24h, response within 48h.

🔒 Security in Lictor itself

For vulns in Lictor’s own code: use our PVR channel. Same standard we hold others to.