June 2026 Held
Passive surface read

remoteok.com

Grade: D

We read remoteok.com from the outside only. Several things stood out and they add up. We hold the specifics until the team has had a chance to work through them.

  • 7 items held
  • 9 passive checks
  • Read on: Jun 2026

What we read from the outside

Only what any visitor can load. No login, no probing, no payloads.

  • Response headers (HSTS, CSP, frame and content-type policies)
  • Public JavaScript bundles for hardcoded keys or secret endpoints
  • Common config paths (.env, .git, backups, source maps)
  • DNS records and email auth (SPF, DMARC)
  • TLS version and certificate
  • Open directory listings and verbose error pages

What we found

Details withheld

Several things worth fixing on the public surface. Details held.

We are keeping the specifics off this page at the owner's request. The grade reflects what we saw from the outside. The owner can ask us to publish the full read or remove this entry at any time.

How we handled it

  1. Jun 30, 2026
    Read passively from the outside. We hold the specifics until the owner has had a chance to fix them.

How we graded this

The grade is a read of what is exposed to anyone, not a full audit. A means nothing sensitive was in the open. F means something sensitive was reachable with no login. We never test beyond what a browser loads on its own, and we disclose privately before anything goes public.

What to take away

  • A cluster of gaps that add up.
  • All of it visible from the outside, none of it exotic.
  • We hold the specifics until they can be fixed.
