Responsible Disclosure & Data Transparency

EchelonGraph operates Discovery Radars — the Shadow AI Radar, KEV-Exposure Radar, Exposed Data-Stores Radar, and Leaked Cloud-Credentials Radar. They surface internet-facing security exposures from public data as an early-warning signal. This page explains exactly how they handle data, and how to request removal.

What data we use (public only)

We derive findings exclusively from already-public sources:

  • Internet-wide scan catalogues (e.g. Shodan, Censys) — banner data those services already collected and publish.
  • The public GitHub event stream / GH Archive — commits pushed to public repositories.
  • Public vulnerability data (CVE, CISA-KEV, EPSS).

We do not use private, paywalled, or access-controlled data, and we do not attempt to obtain any.

What we never do

  • We never log in, authenticate, exploit, modify, or extract data from any exposed host, database, or service.
  • We never use, validate, or authenticate with a detected credential. A match means a credential-shaped string appeared in a public commit — not that we confirmed it is live.
  • We never download or retain exposed private data.
  • We never publish individual host IPs, repository names, commit URLs, or secret values on our public pages.

How we confirm an exposure (read-only)

To avoid false positives, before recording an internet-facing exposure we make a single anonymous, read-only request — an unauthenticated GET of the service's status or discovery endpoint, the same request a browser makes when it loads a page — to confirm that the service really does answer without authentication. If we see any sign of an auth challenge (an HTTP 401 or 403, a WWW-Authenticate header, a login page, or a redirect to a login screen), or the result is inconclusive for any reason (a timeout, a server error, a page that is not the service's own discovery response), we treat the service as protected and do not report it. We never submit credentials, never send a write or modify request, never follow redirects into the application, and never read user data.
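The decision described above, as an added example (this is not EchelonGraph's code; the response shape, the login-page heuristics, the probe's User-Agent and the per-service discovery signature are all assumptions). The point it makes that the prose does not: a bare 200 is not enough to call something exposed, because captive portals and error pages also return 200, so only a 200 whose body matches the service's known unauthenticated discovery response counts, and everything else defaults to "inconclusive" (which the policy treats as protected).

```python
"""Classify the single read-only probe described above.
Added example (not EchelonGraph's own code). The response shape, the
login-page heuristics and the per-service signature are assumptions."""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, Optional, Pattern


@dataclass
class Response:
    status: int                      # 0 = no HTTP response (timeout, refused)
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""                   # at most the first few KB, never user data


# Heuristics for "this is a login screen" (assumed; tune per service).
LOGIN_MARKERS = re.compile(r"type=[\"']?password|/login\b|sign[ -]?in", re.I)

# Example signature of one service's unauthenticated discovery response
# (assumed shape: a JSON document carrying a "cluster_name" field).
ES_ROOT = re.compile(r'"cluster_name"\s*:')


def _header(resp: Response, name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for k, v in resp.headers.items():
        if k.lower() == name.lower():
            return v
    return None


def classify(resp: Response, expect: Pattern[str]) -> str:
    """Return 'exposed', 'protected' or 'inconclusive'. Only a 200 that
    matches the service signature counts as exposed; any doubt is
    'inconclusive' and therefore not reported."""
    if resp.status in (401, 403, 407) or _header(resp, "WWW-Authenticate"):
        return "protected"
    if 300 <= resp.status < 400:
        loc = _header(resp, "Location") or ""
        return "protected" if LOGIN_MARKERS.search(loc) else "inconclusive"
    if resp.status == 200:
        if LOGIN_MARKERS.search(resp.body):
            return "protected"          # a 200 that is really a login form
        if expect.search(resp.body):
            return "exposed"
        return "inconclusive"           # captive portal, error page, etc.
    return "inconclusive"               # 5xx, 404, no response at all


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Never follow redirects: one request means exactly one request."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_once(url: str, timeout: float = 5.0, max_body: int = 4096) -> Response:
    """One anonymous GET: no credentials, no cookies, no redirects, body
    capped at max_body bytes. (Network call; not exercised offline.)"""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(
        url, method="GET",
        headers={"User-Agent": "radar-probe/0 (read-only)"})  # assumed UA
    try:
        with opener.open(req, timeout=timeout) as r:
            return Response(r.status, dict(r.headers.items()),
                            r.read(max_body).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:      # 3xx (unfollowed), 4xx, 5xx
        return Response(e.code, dict(e.headers.items()),
                        e.read(max_body).decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):  # DNS, refused, timeout
        return Response(0)


# Constructed sample responses (no real hosts were contacted).
SAMPLES = {
    "open_es":   Response(200, {"Content-Type": "application/json"},
                          '{"name": "node-1", "cluster_name": "demo"}'),
    "basic":     Response(401, {"WWW-Authenticate": 'Basic realm="es"'}),
    "forbidden": Response(403),
    "to_login":  Response(302, {"Location": "https://example.test/login?next=/"}),
    "form_200":  Response(200, {}, '<form><input type="password" name="p"></form>'),
    "portal":    Response(200, {}, "<html>Welcome to guest Wi-Fi</html>"),
    "other_3xx": Response(301, {"Location": "https://example.test/"}),
    "down":      Response(503),
    "timeout":   Response(0),
}


def classify_samples() -> Dict[str, str]:
    return {name: classify(r, ES_ROOT) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:10s} -> {verdict}")
```

Only `open_es` comes back "exposed"; the guest-portal 200 and the non-login redirect are "inconclusive" rather than "exposed", which is the conservative bias the policy asks for. `probe_once` refuses to follow redirects and reads at most 4 KB, so the probe cannot wander into the application or pull user records even if the discovery endpoint turns out to be something else.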

Secret masking & storage

Detected secrets are redacted before storage — we keep only a masked sample (e.g. AKIA••••••P3) and a salted-hash fingerprint. The raw secret value is never written to our database and is never displayed — in the public surface, the internal disclosure view, or any export. Public surfaces are aggregate-only (counts by type/provider/region); host- and repo-level detail is restricted to our team solely for responsible-disclosure outreach.
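The redact-before-store step above, as an added example (not EchelonGraph's code). It assumes a prefix-4/suffix-2 mask with a fixed-width hidden run, so the sample does not leak the secret's length, and it uses a keyed HMAC-SHA256 in place of the page's "salted hash": the key lives outside the database (a KMS or environment secret, assumed here), so a database dump alone cannot be used to brute-force structured, low-entropy secrets back from their fingerprints. The fingerprint is what lets a later observation of the same string be recognised, and a rotated credential be seen as new, without the raw value ever being persisted.

```python
"""Redact a detected secret before storage, as described above.
Added example, not EchelonGraph's own code. Mask widths and the keyed-HMAC
fingerprint are design assumptions, not the page's stated scheme."""
import hashlib
import hmac
from typing import Dict

HIDDEN = "•" * 6   # fixed-width run: the masked sample must not reveal length


def mask(secret: str, keep_prefix: int = 4, keep_suffix: int = 2) -> str:
    """Masked sample, e.g. 'AKIA••••••P3'. Short strings keep no suffix so
    that prefix plus suffix can never reconstruct most of the value."""
    if len(secret) < keep_prefix + keep_suffix + 6:
        keep_suffix = 0
    head = secret[:keep_prefix]
    tail = secret[-keep_suffix:] if keep_suffix else ""
    return f"{head}{HIDDEN}{tail}"


def fingerprint(secret: str, key: bytes) -> str:
    """Keyed (HMAC-SHA256) fingerprint. `key` is a per-deployment secret held
    outside the database (assumption), so DB access alone does not allow
    offline guessing of the secret from its fingerprint."""
    return hmac.new(key, secret.encode("utf-8"), hashlib.sha256).hexdigest()


def redact_finding(secret: str, kind: str, key: bytes) -> Dict[str, str]:
    """The only record that is persisted: type, masked sample, fingerprint.
    The raw value is consumed here and dropped; it is never a field."""
    return {"type": kind, "masked": mask(secret), "fp": fingerprint(secret, key)}


def is_same_secret(record: Dict[str, str], observed: str, key: bytes) -> bool:
    """Re-observation check without storing the raw value: recompute the
    fingerprint of what was just seen and compare in constant time."""
    return hmac.compare_digest(record["fp"], fingerprint(observed, key))


if __name__ == "__main__":
    KEY = b"per-deployment-key-kept-in-a-kms-not-the-db"   # constructed
    key_id = "AKIAIOSFODNN7EXAMPLE"   # AWS's documented placeholder key id
    rec = redact_finding(key_id, "aws_access_key_id", KEY)
    print(rec)                                   # masked + fp only
    print(is_same_secret(rec, key_id, KEY))      # True: same string seen again
    print(is_same_secret(rec, "AKIAROTATEDKEYXYZ123", KEY))  # False: rotated
```

Two practical consequences of this layout: the masked prefix still carries the provider hint (`AKIA` is an AWS access-key-id prefix), which is exactly the granularity the aggregate public surface needs; and because the fingerprint is keyed, losing the key makes old fingerprints useless for matching, so key rotation has to be paired with a re-fingerprint of live records or an acceptance that they will simply age out under the retention rule.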

Retention & automatic cleanup

Observations auto-expire when an exposure is no longer observed: internet-exposure findings are removed after 21 days without re-observation, and leaked-credential findings after 60 days. When a host is secured, a database is locked down, or a credential is rotated, the corresponding record stops being seen and is pruned — so remediated items drop off automatically.

Responsible disclosure

Where we can identify an affected organisation, we aim to notify it privately through its published security or network-abuse contact, sharing only the evidence needed to remediate (e.g. the public commit URL, or the public scan record). We support coordinated disclosure and reasonable remediation windows.

Takedown / opt-out

If you operate an asset that appears in our data and want it excluded or removed, email security@echelongraph.io (or contact us). Include the asset identifier; we will remove matching records and can suppress future collection for it. (Remediating the exposure also clears it automatically under the retention policy above.)

Legal basis

The radars constitute passive security research over public data, conducted to warn affected parties and the public of real exposures. We do not access protected systems, and we handle data in line with responsible-disclosure norms and applicable law. This page is informational and not legal advice.