// independent security research · responsible disclosure · prowlrbot
i found your leaked key.
here's what happens next.
you're on this page because a credential scanner I run surfaced a key tied to your infrastructure in a public source. this is the short version of what it means, what I need from you, and the 90-day timeline I follow. it's the same process every time. no pressure, no extortion.
coordinated disclosure only · ISO 29147 aligned · safe harbor
why you got this email.
a credential in your name leaked publicly.
I found it before it was weaponized. this is not hypothetical: keys in public repos are scraped continuously by automated tooling run by attackers, often within minutes of the commit landing.
I am not exploiting it. I am not selling it.
I am telling you so you can rotate it. the credential exists in a public source whether I contact you or not — reporting is the ethical path.
this is called coordinated disclosure.
it's how bug bounty programs and vendor security teams already work. I follow a 90-day window, the same timeline Google Project Zero uses, and structure the process along the lines of HackerOne's disclosure guidelines and ISO 29147.
the 90-day timeline.
- I email you with the raw finding, redacted where appropriate
- you reply acknowledging receipt
- I verify you are an authorized representative of the affected org
- no details are shared publicly at this stage
expected outcome: acknowledgment within 24h
- you rotate the exposed credential
- I re-validate the old key against the provider API
- if the key still works, I notify you immediately
- if rotated successfully, I log the time-to-fix (the ttf in the table further down)
expected outcome: credential invalidated within 48h
- we align on a public writeup date (or agree to keep it private)
- you optionally credit me or ProwlrBot in your security advisories
- I share the full technical writeup draft for your review
- no sensitive data is included in any public document
expected outcome: mutual agreement on disclosure terms
- status check: has the key been rotated, has the public copy been scrubbed (deleting the file from the latest commit leaves the key in git history, so the history needs rewriting or the repo needs to come down as well)
- if remediation is in progress, the 90-day window keeps running — no public anything yet
- if contact has gone cold, I send a polite follow-up and flag the deadline
- writeup draft gets prepared privately but stays unpublished
expected outcome: shared understanding of where we stand
- full public writeup published if still unresolved
- writeup includes proof-of-concept, impact analysis, timeline
- raw credentials are never published, ever
- the writeup is permanent — it becomes part of the public record
expected outcome: public accountability or closed case
the scanner that found your leak · built by kdairatchi · private beta, request a build below
hire me for more.
one leaked key means the attack surface hasn't been mapped. if you want a real look at what else is out there, pick a tier below. I'm a solo shop — pricing reflects that.
disclosure only
the default path
- incident writeup (PDF or markdown)
- rotation verification against the provider API
- 90-day window before any public writeup
- optional public credit
you got the email. rotate the key. done.
deeper audit
fixed fee, scope-based
- full github org scan (public repos, plus private ones you grant access to)
- git history trace on any hit: which commit introduced the secret, by whom, and whether it still lives in history after a removal
- third-party / supply chain review
- private writeup + remediation plan
- two rounds of follow-up
retainer
month-to-month, cancel anytime
- continuous monitoring of your orgs
- private keyhound instance scoped to your orgs (coming soon)
- shared slack / signal channel
- monthly findings report
- priority response on new leaks
I also hunt on HackerOne as @anom5x. if you have a public program, ping me and I'll submit through it. want to shout out the disclosure when it ships? tag @_NOT4H4CK3R on X.
watchlist — free tier.
point me at one github org or repo. every sunday, you get an email if keyhound found anything new. $0, no card, no auto-renew. one org or repo per email address; to watch more, upgrade to watch ($4/mo) or pro ($19/mo).
heads-up: submitting a target you don't own or run doesn't mean I'll send them anything. I'll email you the findings so you can forward, triage, or file a disclosure via this site. keyhound only reads the github code-search surface — same thing any attacker can do.
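What a scanner like this actually does with the code-search surface, as an added example (this is illustrative code, not keyhound's own): match prefix-anchored key formats, redact every hit before it goes anywhere, and fingerprint it so a weekly re-run can tell "new" from "already reported" without storing the secret. The patterns are assumptions based on the providers' documented public key formats, and the sample text is constructed (the AWS id is Amazon's own documented example value).

```python
"""Added example, not keyhound's own code: the match, redact and
"is this new?" logic behind a public-code credential scanner.
Patterns are assumptions based on the providers' documented public key
formats; the sample text is constructed and contains no real secret."""
import hashlib
import re

# One prefix-anchored pattern per key type in the disclosure table.
# Assumption: lengths are kept loose so minor format changes still match.
PATTERNS = {
    "aws_key":       re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat":    re.compile(r"\bgithub_pat_[0-9A-Za-z_]{22,255}\b"),
    "github_token":  re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36,255}\b"),
    "stripe_live":   re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "anthropic_key": re.compile(r"\bsk-ant-[0-9A-Za-z_-]{20,}"),
    "openai_key":    re.compile(r"\bsk-(?!ant-)[0-9A-Za-z_-]{20,}"),
}


def redact(secret, head=8, tail=4):
    """Keep enough of the key for its owner to recognise it, never the whole
    thing. This is the only form that goes into an email or a writeup."""
    if len(secret) <= head + tail:
        return "*" * len(secret)
    return f"{secret[:head]}...{secret[-tail:]}"


def fingerprint(secret):
    """Stable id for dedup, stored instead of the secret so a weekly re-run
    can tell new from seen-before without keeping keys on disk."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def scan(text, source):
    """Return one finding per match: key type, location, redacted form, fingerprint."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for key_type, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(0)
                findings.append({
                    "key_type": key_type,
                    "source": f"{source}:{lineno}",
                    "redacted": redact(secret),
                    "fingerprint": fingerprint(secret),
                })
    return findings


def new_since(findings, seen_fingerprints):
    """Watchlist filter: only findings not already reported on a previous run."""
    return [f for f in findings if f["fingerprint"] not in seen_fingerprints]


# Constructed sample. The AWS id is Amazon's own documented example value;
# the other two are made up to the right shape.
SAMPLE = """# constructed sample, not a real leak
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
stripe = Stripe("sk_live_ABCDEFGHIJKLMNOPQRSTUVWX")
GITHUB_TOKEN: ghp_0123456789abcdefghijABCDEFGHIJ012345
not_a_key = "sk_test_placeholder"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE, "config.py"):
        print(finding["key_type"], finding["source"], finding["redacted"])
```

The fingerprint, not the key, is what a watchlist persists between sundays; the redacted form is what lands in the email, which is why nothing downstream of `scan` ever needs the raw value.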
how I work.
no magic. three things make the difference — the scanner, the patterns, and your consent.
credential scanner
Custom tooling that surfaces exposed credentials across public code. Matches are validated against provider APIs before I contact anyone — no false-positive spam, no guessing.
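How the validation step works, both the pre-contact check above and the 48h re-validation of the old key in the timeline, as an added example (illustrative code, not the author's tooling): each provider gets one read-only identity or list call, so the probe proves the key is live or dead without exercising any privilege it carries. The endpoints are assumptions taken from the providers' public docs and should be checked before use; AWS keys are left out on purpose because they need SigV4-signed requests rather than a bearer header. The `get` parameter is injectable so the logic runs offline.

```python
"""Added example, not the author's tooling: re-validating a leaked key with
a read-only provider call. Endpoints are assumptions from the providers'
public docs; verify them before relying on this. AWS keys are left out on
purpose: they need SigV4-signed requests (sts:GetCallerIdentity via boto3
is the usual read-only probe), not a bearer header."""
import urllib.error
import urllib.request

# Identity or list endpoints only: nothing that creates, charges or deletes.
PROBES = {
    "github_token": ("https://api.github.com/user",
                     lambda k: {"Authorization": f"Bearer {k}",
                                "Accept": "application/vnd.github+json"}),
    "stripe_live": ("https://api.stripe.com/v1/balance",
                    lambda k: {"Authorization": f"Bearer {k}"}),
    "openai_key": ("https://api.openai.com/v1/models",
                   lambda k: {"Authorization": f"Bearer {k}"}),
    "anthropic_key": ("https://api.anthropic.com/v1/models",
                      lambda k: {"x-api-key": k, "anthropic-version": "2023-06-01"}),
}
PROBES["github_pat"] = PROBES["github_token"]   # fine-grained PATs use the same call


def http_get(url, headers, timeout=10):
    """Real transport. Returns the status code only; the body is discarded
    so nothing the key can read ends up in logs."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code


def classify(status):
    """Map a status code to a verdict. Anything ambiguous is inconclusive and
    is treated as not-yet-rotated until a clean 401 is seen."""
    if status == 200:
        return "live"
    if status == 401:
        return "revoked"
    return "inconclusive"   # 403 (scope/permission), 429 (rate limit), 5xx


def validate(key_type, secret, get=http_get):
    """Probe one credential; `get` is injectable so this runs offline in tests."""
    if key_type not in PROBES:
        raise ValueError(f"no read-only probe defined for {key_type}")
    url, build_headers = PROBES[key_type]
    status = get(url, build_headers(secret))
    return {"key_type": key_type, "status": status, "verdict": classify(status)}


def rotation_confirmed(key_type, old_secret, get=http_get):
    """The 48h check from the timeline: only a definite revoked counts.
    A key that still answers 200 gets reported back immediately."""
    return validate(key_type, old_secret, get=get)["verdict"] == "revoked"


if __name__ == "__main__":
    # Offline demo with a fake transport; swap in http_get for a real probe.
    print(validate("github_token", "ghp_example", get=lambda url, headers: 401))
```

The fail-safe bias matters: a 403 or 429 is not evidence the key is dead, so rotation is only logged as confirmed on a 401, and a 200 on the old key means the rotation did not take.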
deep recon
Beyond the initial find — git history traces, dependency graphs, third-party exposure, and supply-chain review. Most one-key leaks have siblings hiding nearby.
your consent
the single most important piece. nothing goes public, nothing gets chained, nothing gets shared outside our thread without your signoff. every timeline is tunable.
past disclosures.
anonymized. targets are bucketed by vertical to protect confidentiality. ttf = time-to-fix, measured from first contact to key invalidated.
| date | target | key type | status | ttf | tag |
|---|---|---|---|---|---|
| 2026-03-18 | fintech | aws_key | patched | 14h | [acked] |
| 2026-02-29 | saas_tool | stripe_live | patched | 6h | [bounty] |
| 2026-02-11 | health_app | anthropic_key | patched | 48h | [cve] |
| 2026-01-04 | media_co | github_pat | patched | 2h | [acked] |
| 2025-12-19 | devops_ci | github_token | patched | 1h | [bounty] |
| 2025-11-30 | edtech | openai_key | patched | 72h | [acked] |
| 2025-11-08 | crypto_ex | aws_secret | patched | 4h | [cve] |
| 2025-10-15 | ai_startup | anthropic_key | patched | 18h | [bounty] |
who I am.
I'm kdairatchi — an independent security researcher. I hunt leaked credentials, write clean disclosure reports, and work with teams directly to close the loop.
Most of my work is tracing leaked credentials in public places (GitHub search, bug-bounty scope, that kind of thing), then writing them up so you can reproduce, fix, and close the loop. I use whatever stack fits the job; the important part is the report, not the toolchain lecture.
I don't sell exploits. I don't sit on findings. I disclose, I document, and I ship fixes with you.
let's talk.
pick whichever channel fits. I read everything — responses go out within 24 hours, usually the same day.
disclosure: <24h · quote request: 1-2 days · retainer call: same week.
tip jar (optional).
if you can't pay for an audit but want to say thanks, these go straight to me. no corporate middle layer.