Quality · the part nobody markets

The findings we don't report.

A security scanner is only as trustworthy as its false-positive rate. A tool that flags noise as bugs gets uninstalled in a week. Below are the false-positive classes Lictor filters that naive scanners report as findings. We learned each one the hard way, from a real disclosure or a triager's response.

Source of truth: scripts/lictor_fp.py · shipped into @lictor/sentinel · Apache 2.0

Category 1 · HTTP response

A "200 OK" means nothing on its own

The single biggest source of scanner noise. Every one of these returns HTTP 200 to a sensitive-file probe, and every one is a false positive.

FILTERED

Catch-all hosts

Two random paths return identical 200 bodies → the server answers everything. We canary every host before trusting a hit.

FILTERED

SPA fallback

Single-page apps serve index.html for every route, including /.env. The 200 is the router, not the file.

FILTERED

JSON error envelopes

A /credentials.json returning {"success":"false"} is an API error, not exposed creds. (learned: koubei.com)

FILTERED

Soft 404 / WAF challenge

HTML 404s served with 200, and Cloudflare "Just a moment" interstitials. Both look like content, neither is.

FILTERED

Tiny JSON stub

A 14-byte credentials.json is an error blob like {"error":true}, not a real credential file.

FILTERED

Config served as HTML

.env / .git/config with a text/html content-type is a routed SPA page, not the raw file.
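The Category 1 checks above, condensed into one classifier as an added example. This is not Lictor's scripts/lictor_fp.py; the Response shape, the error-key list, the WAF marker strings and the 32-byte stub threshold are assumptions made for illustration.

```python
import json
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    content_type: str
    body: bytes

# Keys that make up a bare API error envelope rather than a credential file (assumed list).
ERROR_KEYS = {"error", "errors", "success", "message", "status", "code", "msg"}
# Strings seen in a Cloudflare challenge interstitial (assumed, not exhaustive).
WAF_MARKERS = (b"just a moment", b"cf-browser-verification", b"challenge-platform")
CONFIG_PATHS = (".env", ".git/config")

def looks_like_html(body: bytes) -> bool:
    head = body.lstrip()[:64].lower()
    return head.startswith(b"<!doctype") or head.startswith(b"<html")

def is_json_error_envelope(body: bytes) -> bool:
    """{"success":"false"} is an API error, not exposed credentials."""
    try:
        obj = json.loads(body)
    except ValueError:
        return False
    return isinstance(obj, dict) and bool(obj) and set(obj) <= ERROR_KEYS

def classify(path: str, hit: Response, canaries: list) -> str:
    """Return 'keep' or 'filtered:<reason>' for one sensitive-file probe hit.

    canaries are the same host's responses to random, non-existent paths.
    """
    if hit.status != 200:
        return "filtered:non-200"
    # Catch-all host: every random path gets the same 200 body.
    if len(canaries) >= 2 and all(c.status == 200 for c in canaries) \
            and len({c.body for c in canaries}) == 1:
        return "filtered:catch-all"
    # SPA fallback: the probe got exactly what the router serves for an unknown route.
    if any(c.status == 200 and c.body == hit.body for c in canaries):
        return "filtered:spa-fallback"
    lower = hit.body.lower()
    if looks_like_html(hit.body) and (b"not found" in lower or any(m in lower for m in WAF_MARKERS)):
        return "filtered:soft-404-or-waf"
    if is_json_error_envelope(hit.body):
        return "filtered:json-error-envelope"
    if path.endswith(".json") and len(hit.body) < 32:
        return "filtered:tiny-json-stub"
    if path.endswith(CONFIG_PATHS) and "text/html" in hit.content_type.lower():
        return "filtered:config-served-as-html"
    return "keep"
```

Only a hit that survives every check is worth a human's time; everything else is dropped before it reaches the report.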

Category 2 · "secrets" that are public by design

Not every key is a leak

FILTERED

Sentry DSN

The Sentry browser SDK requires the DSN in client JS. It's public by design. (learned: a triager closing the report)

FILTERED

VITE_ / NEXT_PUBLIC_ vars

Build tools inline these into the bundle on purpose. A VITE_-prefixed value is public by framework design.

FILTERED

Firebase web apiKey

The apiKey in a firebaseConfig is not a secret. Firebase's own docs say so. Filtered when seen in config context.

FILTERED

Vendor SDK bundles

Key-shaped strings inside sentry-cdn, GA, Stripe.js and other third-party bundles aren't the app's secrets.

Categories 3 to 5 · takeover, database, infra, contracts

"Reachable" is not "exploitable"

FILTERED

Customer-resource infra

A finding on *.digitaloceanspaces.com / *.herokuapp.com belongs to the customer, not the provider, so it's out of scope. (learned: a DigitalOcean triager)

FILTERED

Account-gated takeovers

A dangling CNAME to Fastly/Magento Cloud isn't claimable without an account, so it's theoretical, not exploitable. Only self-signup vendors stay HIGH.

FILTERED

MySQL with a host ACL

Port 3306 open but the server replies "Host X not allowed to connect" = reachable, not exposed. We only flag a real protocol handshake.

FILTERED

cPanel / WHM standard ports

WHM on :2087 is standard shared-hosting config. Every cPanel customer has it. Not a finding.

FILTERED

Slither weak-PRNG on modexp

MakerDAO-style _rpow / _rmul use n % 2 for bit-checking, not random numbers. A perennial Slither false positive.

Why this matters to you

Every class above is a finding a naive scanner would put in your inbox and waste your time triaging. Lictor filters them at the source, so when it does flag something, it's worth your attention. That's the whole product.
