A giant neon-green swamp tardigrade blasting a glowing beam at extortionist bugs labeled SEO Spam, Malware, Data Theft, DDoS Threat and 'Pay Up Or Else'.

Scan your app for the low-level bullshit. Free.

Free scan, no signup. See every problem in ~20s — pay $5 only if you want the fixes. Only scan a domain you own.

The tardigrade doesn't die.

It survives radiation, boiling, freezing, and the vacuum of space. It's also deeply stupid. Boring, indestructible, impossible to shake down. Be the tardigrade.

Meet the swamp's bad actors →
80%

of "bounty" reports to small apps are low-level config, not real vulns

30s

is all it takes a script kiddie to run a scanner and draft a ransom email

$5

vs. the $500+ these emails typically demand

What the scan looks at

Every check maps to something a lowlife would screenshot and demand money for. You see all of it free.

Email spoofing

SPF · DKIM · DMARC

The #1 shakedown. Without a DMARC policy, receiving mail servers get no instruction to reject mail that forges your domain in the From header, so anyone can send phishing that looks like it's from you. We check all three records: SPF, DKIM and DMARC.

Exposed files & secrets

.env · .git · keys

A public .env or downloadable .git folder is the classic "pay me or I leak it" email. We probe for the files that get vibe-coded apps ransomed.

Security headers

HSTS · CSP · more

Missing HSTS, no Content-Security-Policy, clickjacking-friendly headers — free findings for anyone running a scanner against you.

TLS & HTTPS

certs · redirects

Expired certs, http:// that doesn't upgrade, weak TLS versions. Ugly browser warnings and easy bounty-report fodder.

Cookies

Secure · HttpOnly

Session cookies without Secure can be read off plain http:// requests, without HttpOnly can be read by any script that runs in the page, and without SameSite ride along on cross-site requests. We flag every cookie that's dressed wrong.

DNS hardening

DNSSEC · CAA

DNSSEC off and no CAA record round out the checklist a "researcher" will pad their extortion email with.
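To make the checklist above concrete, here is an added example of the evaluation a passive scanner like this performs once the records and responses are in hand. It is example code, not buckingfugs' scanner: it runs over constructed DNS answers and HTTP response data (so nothing is fetched, and a real run would put the TXT lookups and the HTTPS GET in front of these functions), and the domain, header values and fix strings it produces are assumptions for illustration, not the product's output.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    check: str   # which scan category fired
    detail: str  # what was observed
    fix: str     # what to change (DNS record, header, cookie attribute)


def _tags(record):
    """Split 'k=v; k2=v2' (DMARC syntax) into a dict with lower-cased keys."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def check_email(domain, apex_txt, dmarc_txt):
    """SPF lives in TXT at the apex, DMARC in TXT at _dmarc.<domain>."""
    findings = []
    spf = [r for r in apex_txt if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append(Finding("spf", "no SPF record",
                                f'add TXT {domain} "v=spf1 <your senders> -all"'))
    elif re.search(r"\s[+?]all\s*$", spf[0]):
        findings.append(Finding("spf", f"permissive SPF: {spf[0]}",
                                "end the record with -all (or ~all)"))
    dmarc = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append(Finding("dmarc", f"no DMARC record at _dmarc.{domain}",
                                f'add TXT _dmarc.{domain} "v=DMARC1; p=quarantine; rua=mailto:dmarc@{domain}"'))
    elif len(dmarc) > 1:
        findings.append(Finding("dmarc", "more than one DMARC record; receivers treat that as none",
                                "keep exactly one"))
    elif _tags(dmarc[0]).get("p", "none").lower() == "none":
        findings.append(Finding("dmarc", "DMARC p=none only monitors; spoofed mail is still delivered",
                                "raise to p=quarantine, then p=reject once reports look clean"))
    return findings


def check_headers(headers):
    """headers: response header names -> values from a plain HTTPS GET."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append(Finding("hsts", "no Strict-Transport-Security header",
                                'add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;'))
    if "content-security-policy" not in h:
        findings.append(Finding("csp", "no Content-Security-Policy",
                                "start report-only, then enforce: Content-Security-Policy: default-src 'self'"))
    # Either X-Frame-Options or a CSP frame-ancestors directive stops framing.
    framed_ok = "x-frame-options" in h or "frame-ancestors" in h.get("content-security-policy", "").lower()
    if not framed_ok:
        findings.append(Finding("clickjacking", "page can be framed by any origin",
                                "X-Frame-Options: DENY or CSP frame-ancestors 'none'"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(Finding("mime-sniffing", "no X-Content-Type-Options",
                                "X-Content-Type-Options: nosniff"))
    return findings


def check_cookies(set_cookie_values):
    """Each value is one raw Set-Cookie header; attributes follow the first ';'."""
    findings = []
    for raw in set_cookie_values:
        name = raw.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in raw.split(";")[1:]}
        missing = [f for f in ("secure", "httponly", "samesite") if f not in attrs]
        if missing:
            findings.append(Finding("cookie", f"{name} lacks {', '.join(missing)}",
                                    f"set {name} with Secure; HttpOnly; SameSite=Lax"))
    return findings


# Constructed sample, standing in for fetched DNS answers and one HTTPS response.
SAMPLE = {
    "domain": "example.com",
    "apex_txt": ["v=spf1 include:_spf.example.net +all"],
    "dmarc_txt": [],
    "headers": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "set_cookie": ["session=abc123; Path=/; HttpOnly",
                   "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"],
}


def scan(sample=SAMPLE):
    """Run every check and return the findings in checklist order."""
    findings = check_email(sample["domain"], sample["apex_txt"], sample["dmarc_txt"])
    findings += check_headers(sample["headers"])
    findings += check_cookies(sample["set_cookie"])
    return findings


if __name__ == "__main__":
    for f in scan():
        print(f"[{f.check}] {f.detail}\n    fix: {f.fix}")
```

On the constructed sample this reports a permissive SPF, a missing DMARC record, missing HSTS, CSP and nosniff headers, and a session cookie set without Secure or SameSite; the theme cookie and the X-Frame-Options header pass. The SPF "+all" case is included because it is the one that looks like a record is present while still letting anyone send as you.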

How it works

1

Scan free

Drop your domain. In about 20 seconds you see every low-level problem — no signup, no card.

2

See what's broken

A plain-English list of everything a lowlife could screenshot and try to shake you down for.

3

Unlock the fixes — $5

Get the exact fix for each issue plus one copy-paste prompt you hand straight to your AI (Cursor, Claude, v0) to fix it all.

Why we built this

Someone tried to extort us over a DNS record.

Yesterday evening we got a friendly-looking email. Someone had “found a security issue” on one of our sites and asked, politely, whether we ran a bug bounty. We don't. We said thanks and that we'd take a look.

Within the hour it turned. “Pay me, or I disclose this publicly and start emailing your users.” A harmless favor became a shakedown, fast.

The “critical vulnerability”? A missing DMARC record. One line of DNS. Five minutes and zero dollars to fix — if you even know it's there. We didn't. So we lost an evening to a TXT record.

That's stupid, and it happens to people shipping fast every day. Nobody should get extorted over config they never knew was missing. So we built buckingfugs to find the low-level stuff a shakedown artist finds — before they do.

— the buckingfugs crew · still a little annoyed

Scan free · unlock the fixes

$5 one time

Charged only when you unlock a report.

  • The exact fix for every issue found
  • One copy-paste prompt for your AI to fix it all
  • Tailored to your stack (Next, Express, Nginx…)
  • Re-scan any time to confirm you're clean
  • No account, no subscription

Straight answers

So the scan is actually free?

Yep. You see every finding for free — what's wrong and the proof. The $5 unlocks the how-to-fix: exact steps per issue and a copy-paste prompt for your coding AI.

What do I actually get for $5?

For each problem: the precise fix (the DNS record to add, the header to set, the file to lock down) plus one master prompt you paste into Cursor / Claude Code / v0 / ChatGPT that tells it to fix everything, tailored to your stack.

Is this real hacking / a pentest?

No. Passive, non-intrusive checks only — reading your DNS records, your public HTTP responses and a handful of well-known paths like /.env and /.git. Nothing gets attacked or broken. It's the low-level hygiene layer, not a red team.

Can I scan any website?

Only domains you own or control. It's your app's hygiene we're checking — not someone else's.

Will this make me un-hackable?

Nope, and anyone who says that is lying. This covers the low-level BS — the ~80% of "findings" that are just missing config. It makes you a boring target instead of a profitable one.