About the Data

What the map represents, how data is collected, and how to interpret both responsibly.

Scope & Boundaries

  • PBM is not a penetration-testing or hacking service.
  • We do not exploit vulnerabilities, compromise systems, or cause service outages.
  • All scanning is non-exploitative and non-disruptive; our disclosure process protects those at risk.

Safety, Privacy, & Legal Controls

  • Non-exploitative by design; no state-changing requests
  • Rate-limited scanning; auto-backoff heuristics
  • Responsible disclosure workflow (owner notification → remediation window → public summary if needed)
  • Data minimization: exclude sensitive content (no page bodies beyond headers/metadata unless whitelisted for research)
  • PII guardrails: hash/strip where possible; never store credentials
  • Redaction policies for public datasets (e.g., remove path details for sensitive systems)

Collection Method

  • We rely on metadata and responses that are publicly available from internet-facing systems.
  • No credentialed access and no exploitation.
  • Where scanning is used, it is designed to be low-impact and informational.

Scoring

  • Inputs: State, County, City (optional), OrgType, OrgName, Domain, Subdomain, SubType, SubInt, SubSource, DNSWC, CTWC, IPAddress, IPPortOpen, IPState (Safe, Warn, Bad), IPSvc, IPFinger, EndPoint, EndPointPath, EndPointInt, VulnName, VulnEvidence, VulnSev (None, Low, Moderate, High, Critical), VulnCVSS (if known). This list is subject to change; other inputs are TBD.
  • Categories: Subdomains, Endpoints, IP Addresses, and Vulnerabilities.
  • Output: a standardized 300–850-style index per entity, plus a confidence band
  • Transparency: publish method & weights; track score provenance per release

Limitations

  • Internet-facing assets change frequently (deployments, hosting providers, DNS, CDNs, etc.).
  • Some organizations intentionally block or rate-limit public probing, reducing visibility.
  • Geographic attribution can be imperfect for shared services and third-party hosting.
  • False positives/negatives are possible; validation and peer review improve accuracy.

Updates & Versioning

Last updated: January 15, 2026

The “Last updated” date reflects the most recent published build of the map. When data is refreshed, the map output file is regenerated and published.