// independent security research · responsible disclosure · prowlrbot
i found your leaked key.
here's what happens next.
you're on this page because keyhound — a scanner I wrote — surfaced a credential tied to your infrastructure in a public source. this is the short version of what it means, what I need from you, and the 90-day timeline I follow. it's the same process every time. no pressure, no extortion.
coordinated disclosure only · ISO 29147 aligned · safe harbor
why you got this email.
a credential in your name leaked publicly.
I found it before it was weaponized. this is not hypothetical — keys in public repos are scraped continuously by automated tooling run by attackers.
I am not exploiting it. I am not selling it.
I am telling you so you can rotate it. the credential exists in a public source whether I contact you or not — reporting is the ethical path.
this is called coordinated disclosure.
it's how the bug bounty economy works. I follow a 90-day standard aligned with Google Project Zero, HackerOne policy, and ISO 29147.
the 90-day timeline.
- I email you with the raw finding, redacted where appropriate
- you reply acknowledging receipt
- I verify you are an authorized representative of the affected org
- no details are shared publicly at this stage
expected outcome: acknowledgment within 24h
- you rotate the exposed credential
- I re-validate the old key against the provider API
- if the key still works, I notify you immediately
- if rotated successfully, I log the patch time
expected outcome: credential invalidated within 48h
- we align on a public writeup date (or agree to keep it private)
- you optionally credit me or ProwlrBot in your security advisories
- I share the full technical writeup draft for your review
- no sensitive data is included in any public document
expected outcome: mutual agreement on disclosure terms
- the safe harbor window closes
- if the credential is still live, I may disclose publicly
- this is standard practice per industry norms (Google Project Zero, etc.)
- public disclosure includes technical details, not raw secrets
expected outcome: full remediation or public disclosure
- full public writeup published if still unresolved
- writeup includes proof-of-concept, impact analysis, timeline
- raw credentials are never published, ever
- the writeup is permanent — it becomes part of the public record
expected outcome: public accountability or closed case
the scanner that found your leak · built in the open by kdairatchi · private tier shipping soon
hire me for more.
one leaked key means the attack surface hasn't been mapped. if you want a real look at what else is out there, pick a tier below. I'm a solo shop — pricing reflects that.
disclosure only
the default path
- incident writeup (PDF or markdown)
- rotation verification against the provider API
- 90-day safe harbor
- optional public credit
you got the email. rotate the key. done.
deeper audit
fixed fee, scope-based
- full github org scan (public + accessible private)
- historical git-blame trace on any hit
- third-party / supply chain review
- private writeup + remediation plan
- two rounds of follow-up
retainer
month-to-month, cancel anytime
- continuous monitoring of your orgs
- private keyhound instance scoped to you (coming soon)
- shared slack / signal channel
- monthly findings report
- priority response on new leaks
I also hunt on HackerOne as @anom5x. if you have a public program, ping me and I'll submit through it.
how I work.
no magic. three things make the difference — the scanner, the patterns, and your consent.
keyhound
the go cli + react ui I built. deterministic regex matching, validated live against provider apis, false-positives filtered by entropy and commit context. open source — the code is auditable.
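an added sketch of that regex-plus-entropy approach (not keyhound's code, which this page does not reproduce): the patterns, the entropy threshold and the context markers are assumed for illustration, and the sample input is constructed. it shows why plain regex alone is not enough and why a report should never carry the raw value.

```python
import math
import re
from collections import Counter

# Illustrative detector rules, not keyhound's ruleset (which is not on this page):
# a provider-style prefix followed by the body length that provider uses.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "generic_hex_secret": re.compile(r"\b([0-9a-f]{32,64})\b"),
}
# Assumed threshold (bits per character); real secrets sit well above it,
# repeated filler such as "000..." sits at zero.
MIN_ENTROPY = 3.0
# Assumed commit-context markers: a line the author labels as a sample is not a leak.
CONTEXT_SKIP = ("example", "placeholder", "dummy")

def shannon_entropy(s: str) -> float:
    """Bits per character, estimated from the string's own symbol frequencies."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())

def scan(text: str) -> list:
    """Regex hits that also pass the entropy and context filters, secrets redacted."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if any(marker in line.lower() for marker in CONTEXT_SKIP):
            continue  # commit-context filter: documented sample values are not leaks
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                token = m.group(1)
                ent = shannon_entropy(token)
                if ent < MIN_ENTROPY:
                    continue  # low entropy: filler, not a real secret
                # Never carry the raw value into a report: keep only the edges.
                hits.append({"line": lineno, "kind": kind, "entropy": round(ent, 2),
                             "redacted": f"{token[:4]}...{token[-4:]}"})
    return hits

# Constructed sample input (AKIAIOSFODNN7EXAMPLE is the placeholder key AWS's own docs use).
SAMPLE = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE   # copied from the docs example
DB_HASH=00000000000000000000000000000000  # all zeros: filler
api_token = "ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"
SIGNING_SECRET = "9f86d081884c7d659a2feaa0c55ad015"
"""
```

running `scan(SAMPLE)` reports only lines 3 and 4: the documented AWS sample is dropped by context, the all-zero hash by entropy.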
custom dork library
2,000+ github and google dork patterns. curated weekly, tuned per provider, filtered for noise. the edge over generic scanners is the patterns, not the parser.
your consent
the single most important piece. nothing goes public, nothing gets chained, nothing gets shared outside our thread without your signoff. every timeline is tunable.
past disclosures.
anonymized. targets are bucketed by vertical to protect confidentiality. ttf = time-to-fix, measured from first contact to key invalidated.
| date | target | key type | status | ttf | tag |
|---|---|---|---|---|---|
| 2026-03-18 | fintech | aws_key | patched | 14h | [acked] |
| 2026-02-29 | saas_tool | stripe_live | patched | 6h | [bounty] |
| 2026-02-11 | health_app | anthropic_key | patched | 48h | [cve] |
| 2026-01-04 | media_co | github_pat | patched | 2h | [acked] |
| 2025-12-19 | devops_ci | github_token | patched | 1h | [bounty] |
| 2025-11-30 | edtech | openai_key | patched | 72h | [acked] |
| 2025-11-08 | crypto_ex | aws_secret | patched | 4h | [cve] |
| 2025-10-15 | ai_startup | anthropic_key | patched | 18h | [bounty] |
who I am.
I'm kdairatchi. I run ProwlrBot — a one-person shop that builds open-source security tooling and does independent disclosure work.
I hunt leaked credentials across github, bug bounty scopes, and public data sources, then chain them into proof-of-impact reports that vendors can actually ship fixes against. I write my own tooling in go, rust, and crystal. I use caido with plugins I maintain. I keep every target in an obsidian vault.
I don't sell exploits. I don't sit on findings. I disclose, I document, and I ship fixes with you.
what I'm building right now
keyhound (the scanner that found your leak) · hwaro (a crystal SSG powering prowlrbot.com) · custom caido plugins · a 2k+ dork library I publish weekly
let's talk.
pick whichever channel fits. I read everything — responses go out within 24 hours, usually the same day.
disclosure: <24h · quote request: 1-2 days · retainer call: same week.
tip jar (optional).
if you can't pay for an audit but want to say thanks, these go straight to me. no corporate middle layer.