| Latency | Contracts | Price/TB $SC | Score | Region | Host Key |
|---|---|---|---|---|---|
| No probe data | |||||
| Host Key | Storage | Usability |
|---|---|---|
| No contracts | ||
| Agent | Tier | Balance |
|---|---|---|
| — | ||
| Agent | Type | Amount | When |
|---|---|---|---|
| — | |||
Cumulative security posture across all audits. Most recent on top. Click any card to expand details.
| # | Severity | Finding | Impact |
|---|---|---|---|
| 1 | CRITICAL | Billing 30x overcharge — no daily pro-ration | Agents charged $60/TB instead of $2/TB |
| 2 | MEDIUM | Credit endpoint not idempotent (tx_hash ignored) | Double-credit risk on watcher state loss |
| 3 | LOW | No transaction wrapping in adjust_balance | Balance drift on concurrent writes |
| 4 | MEDIUM | Agent registration unauthenticated (public) | Registration spam / abuse vector |
| 5 | LOW | Share endpoint leaks renterd internals | Info disclosure if share token leaks |
| 6 | INFO | No deposit minimum enforced | Dust deposits create unbillable balances |
| # | Severity | Finding | Fix |
|---|---|---|---|
| C1 | CRITICAL | Slow Read DoS — 200 concurrent connections make gateway unresponsive in ~2s | nginx reverse proxy with timeouts |
| C2 | CRITICAL | S3 bucket enumeration — :8080 lists all buckets without auth | Firewall :8080 to localhost only |
| H1 | HIGH | 10 missing security headers (HSTS, CSP, X-Frame-Options, etc.) | nginx add_header directives |
| H2 | HIGH | Server version disclosure (uvicorn, SimpleHTTP/0.6) | Override Server header in nginx |
| H3 | HIGH | 40 urllib dynamic URL injection (file:// scheme risk) | Switch to requests library |
| H4 | HIGH | 15 insecure transport (HTTP instead of HTTPS) | Enforce HTTPS, validate certs |
| M1 | MEDIUM | CORS wildcard on S3 gateway | Restrict origins |
| M2 | MEDIUM | API docs exposed (/docs, /openapi.json, /redoc) without auth | Gate behind admin token |
| M3 | MEDIUM | Unauthenticated /health & /metrics | Rate-limit or auth |
| M4 | MEDIUM | 7 SQL injection risks (raw execute + formatted SQL) | Parameterized queries |
| M5 | MEDIUM | Dashboard on SimpleHTTP — not production-grade, trivial DoS | nginx static file serving |
| Scope | Tool | Result |
|---|---|---|
| SAST | Bandit 1.9.4 | 0 HIGH, 29 MEDIUM (all false positives — hardcoded localhost URLs), 17 LOW |
| Dependencies | pip-audit 2.10.1 | ✓ No known vulnerabilities |
| Secrets | gitleaks 8.16.0 | 0 real secrets (193 hits in .venv/ fake tokens) |
| Infra | Manual port scan | Gateway :8000 + Dashboard :8001 on 0.0.0.0 — behind Caddy ✓. renterd :9980 localhost ✓ |
Items actively under development: