This is an incredible tool, thank you!
Just shipped an improvement here that should reduce this false positive
Thank you so much! Hope you find it useful.
In case anyone’s curious, the short term roadmap (before the end of the year) includes:
- automated privacy rule testing for multiple user types (the data explorer allows this but you need to look manually)
- more accurate backend workflow analysis with editor access, that takes into account the contents of backend workflows
- a handful of other minor checks that nobody else in the ecosystem checks for
- the fastest and most user friendly logs interface + backup in the ecosystem
I’m open to shifting based on feedback to see what would be most useful for people here!
Thanks for this George.
As someone else said, Bubble needs to hire you
Yes, but first they need to not shut down his app.
- Things You May Not Do:
A. You may not make unauthorized copies, modify, adapt, translate, reverse engineer, disassemble, decompile or create any derivative works of the Platform or any content included therein, including any files, documents, postings, or documentation provided by Bubble or any other user of the Bubble Platform (or any portion thereof).
B. You may not determine or attempt to determine any source code, algorithms, methods or techniques embodied by the Platform.
and
E. You may not develop, support or use software, devices, scripts, robots or any other means or processes (including crawlers, browser plugins and add-ons or any other technology) to scrape the Platform or otherwise copy profiles, request for proposal descriptions, and any other data from the Platform.
and perhaps most importantly:
L. You may not use Bubble to violate the security or integrity of any network, computer or communications system, software application, or network or computing device (each, a “System”). Prohibited activities include, but are not limited to:
1. Unauthorized Access. Accessing or using any System without permission, including attempting to probe, scan, or test the vulnerability of a System or to breach any security or authentication measures used by a System;
Let me repeat that:
- Unauthorized Access. Accessing or using any System without permission, including attempting to probe, scan, or test the vulnerability of a System or to breach any security or authentication measures used by a System;
I think he might be able to get hired by Bubble like he is intending to, but the first step would be to comply with their policies and go from plainly illegal (the app in the current state) to just slightly illegal (the app + requiring permission to scan).
Bubble already knows about NQU Secure and is happy for third party security tools to be in the ecosystem
To quote them, their main point of sensitivity regarding third party security tools is requiring ownership verification, which we have done. They said that the acquisition of Flusk was not meant to suppress third party security offering, but be an official option. Successful ecosystems like AWS have a mixture of in-house and third party offerings, and Bubble can too as that’s healthy all around.
They’re smart people and know that security platform-wide can improve, and are taking steps to let that happen.
Thanks anyway for your feedback.
This looks the part @georgecollier! I got quite frustrated using Flusk’s UI so am glad of another option, not so glad of just how many errors it’s found haha. To quote the great Des’ree… “Life, oh life”.
Suppose I’d better get clicking!
Yeah so this is one of the pain points I identified (though I have no doubt @vnihoul77 @wesleywsls recognise this and will already have plans to improve it) - where it kind of feels slow / clunky. I tried to make it dead simple to use so you can easily scan through issues and prioritise what matters to you.
It’s much appreciated. Had seen you posting about your backup tool previously but not actually looked into it too much, and that seems to now be incorporated too. Very robust, you’ve done a real service for everybody here.
Hi everyone, I’m stopping by to share more context related to concerns around this tool:
Bubble is definitely aware of what George is doing. We’re excited to see third-party tools like this popping up, and it’s awesome to have folks contributing to making the ecosystem better for everyone!
On the ToS concerns, don’t worry—Bubble’s got it covered. Let’s keep the conversation constructive and focus on how we can all benefit from these innovations.
Oh @fede.bubble The voice of reason
Anything that moves Bubble up the dial on security & maturity is good for everyone.
Hey Fede thank you for chiming in. Just to be clear, when you say this do you mean:
- Bubble is aware of this and will be recommending verification before allowing a summary view
or
- Bubble is aware of this and will be making a one-time exception for their own ToS
It’s Bubble’s business what they choose to do but they won’t endorse/permit anything explicitly for obvious reasons.
Don’t worry about it. Remember, if they want to shut it down, my app is built on Bubble, so the off switch is right in front of them and they’d be well within their right to hit it.
As Fede says, focus on the benefits and if Bubble has problems you know they’ll come to me about it!
——
In other news, today I’m adding a check to page redirects - not only will we check the visible contents of the redirected page, but we’ll check invisible elements on a page. Invisible elements can be made visible, so we’ll simulate that when determining if a page is secure.
What do you mean by these statements?
I haven’t posted in quite some time, and from the looks of this thread, I haven’t missed a thing because everything, including literally the same interaction going on here, has been done before.
@randomanon, if it helps (spoiler alert: I’m guessing it won’t), you can stop pulling at that particular thread. When Flusk did their thing, I communicated directly with Josh himself, I pointed out that what they were doing was likely against Bubble’s own terms of service, and in the end, as I predicted (yeah, tooting my own horn there, but come on, that was a pretty impressive call, if I do say so myself), Flusk got acquired.
Now, to be clear, George is definitely not Flusk, and if you read the linked thread, you will probably get what I mean. That being said, and to try to add some value here, I still believe that nobody should be able to scan an app they don’t own, regardless of what is shown to them (i.e., only a summary) as a result of the scan. @georgecollier, just another opinion for you to consider.
Anyway, that’s all I got. We now return you to history repeating itself, sans the incessant ramblings of, well, me.
Best…
Mike
That’s what makes the forum great.
Welcome back! From the ashes, he rises…
This has been added! In the near future, I may allow you to view screenshots of pages in your app with all of the elements forced visible so that you can see how an attacker might use hidden buttons in places like admin panels and why adding conditions to workflows is important.
We miss you Mike
Hi Mike
The Visibility Scanner will shortly allow you to view any of your pages as a hacker could - with everything visible. An attacker could click any button on your page, and it’ll only be safe if protected by a workflow condition.
The purpose of this tool is to make people more likely to understand that invisible on page load does not protect your page, and conditions on workflow events are necessary.
Check out the hidden sections of the NQU Secure homepage:
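The check described in the two posts above (hidden elements plus unconditioned workflows), as an added illustration that is not NQU Secure's or Bubble's own code. The page model here (elements with a visibleOnLoad flag, workflows with an optional onlyWhen condition) and the sample admin page are constructed assumptions for this example, not Bubble's real data model.

```javascript
// Constructed sample page: an admin panel with one visible and two hidden buttons.
const samplePage = {
  name: "admin",
  elements: [
    { id: "btn-export", visibleOnLoad: true, workflow: "export_report" },
    { id: "btn-delete-user", visibleOnLoad: false, workflow: "delete_user" },
    { id: "btn-reset-db", visibleOnLoad: false, workflow: "reset_db" },
  ],
  workflows: {
    // Intentionally open to any logged-in user.
    export_report: { onlyWhen: null },
    // Protected: the workflow event itself checks the user's role.
    delete_user: { onlyWhen: (user) => user.role === "admin" },
    // Unprotected: relies solely on the button being invisible on page load.
    reset_db: { onlyWhen: null },
  },
};

// Simulate the "everything forced visible" view: every element is clicked as
// the given user, and a workflow runs unless its condition rejects that user.
// Returns the names of the workflows that would actually execute.
function simulateForcedVisibleClicks(page, user) {
  return page.elements
    .map((el) => ({ el, wf: page.workflows[el.workflow] }))
    .filter(({ wf }) => wf.onlyWhen === null || wf.onlyWhen(user))
    .map(({ el }) => el.workflow);
}

// Audit finding: hidden elements whose workflow has no condition. For these,
// invisibility is the only thing between a non-privileged user and the action.
function findUnprotectedHiddenElements(page) {
  return page.elements
    .filter((el) => !el.visibleOnLoad)
    .filter((el) => page.workflows[el.workflow].onlyWhen === null)
    .map((el) => el.id);
}

// Stand-alone run: a plain user "sees" the hidden buttons and clicks everything.
console.log(simulateForcedVisibleClicks(samplePage, { role: "user" }));
console.log(findUnprotectedHiddenElements(samplePage));
```

The audit flags only btn-reset-db: btn-delete-user is also hidden, but its workflow condition stops the plain user, which is the point the post is making.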
I think this is worse because you can’t even opt out of your information being sent to third party providers like OpenAI, OpenRouter, etc. So you’re essentially streaming proprietary data you don’t have the rights to to another provider, which breaks that provider’s ToS as well. There are so many layers of illegality here, it honestly boggles the mind. Really concerning if @josh and @emmanuel are aware of the current implementation and are totally OK with it.
Good to see there is at least one other sane person on this forum. And of course it would be one of the legendary OGs.
Again, two simple fixes:
- No summary before verification
- A setting that toggles LLM-based analysis which is turned off by default (when scanning without verification)
They’re good ramblings though!