What is Lonkero and who is it for?

Lonkero is a professional-grade security scanner built with Rust. It's designed for penetration testers, security professionals, and organizations looking to map and test their attack surface. Lonkero is 5× faster than traditional scanners and produces 95% fewer false positives.

Can I try Lonkero before buying?

Yes! We offer a free tier that includes 10 scan targets, 8 basic modules, and community support. You can download the free version from our website or install it directly with 'cargo install lonkero'. The free version is available forever with no time limits.

What's the difference between Personal and Commercial use?

Personal use is intended for individual users learning and practicing on their own. Commercial use (Professional, Team, Enterprise) is for business use, client projects, and commercial penetration testing. Commercial licenses include more modules, targets, and support.

How do payment and licensing work?

All payments are processed securely through Stripe. Licenses are annual. After payment, you'll receive your license key via email immediately.

Do you offer refunds or money-back guarantee?

We do not offer refunds for paid licenses. We recommend trying the free version first to ensure Lonkero meets your needs. The free version gives you a good sense of the tool's functionality and performance.

What kind of support do I get with my license?

The free tier includes community support via GitHub. Personal and Professional tiers include email support. Team and Enterprise tiers include priority email support. All support requests are handled within 1-2 business days on weekdays.

How many targets can I scan with Lonkero?

The Free tier includes 10 scan targets. All paid licenses (Personal, Professional, Team, Enterprise) include unlimited scan targets. One 'target' means one domain or IP address you want to scan.

Does Lonkero work with all technologies?

Lonkero supports over 125 different scanners and technology stacks. We support modern technologies like React, Next.js, Vue, Angular, GraphQL, REST APIs, container technologies, cloud services (AWS, Azure, GCP), Django, Laravel, Express, Rails, and much more.

>Privacy Policy_

Name: Lonkero
Rating: 4.8 (50 reviews)
Author: Bountyy Oy

Bountyy Oy

Business ID: 3504521-7

Address: Nuolitie 9, 01740 Vantaa, Finland

Effective: December 17, 2025

1. Introduction

Bountyy Oy is committed to protecting your privacy and processing your personal data securely and transparently. This privacy policy describes how we collect, use, and protect data in connection with the use of Lonkero software.

Lonkero is a web vulnerability scanner that operates locally on the user's device. The software communicates with Bountyy Oy's license server for license validation, scan authorization, and result signing. The server is managed by Cloudflare Workers.

We comply with the EU General Data Protection Regulation (GDPR) and applicable legislation in Finland.

2. Data Controller

The data controller for your personal data is:

Bountyy Oy

Business ID: 3504521-7

Address: Nuolitie 9, 01740 Vantaa, Finland

Email: info@bountyy.fi

3. Data We Collect and Sources

3.1 Data Collected During License Validation

When Lonkero starts, it sends the following data to the license server:

User-provided data:

License key (if using a paid license)
Scanner version

Automatically collected data:

Device identifier (hardware_id) - SHA-256 hash of unique device identifiers
IP address (via Cloudflare)
Country code (Cloudflare CF-IPCountry header)
ASN number (network operator identifier)

3.2 Data Collected During Scan Authorization

Before scanning, the software requests authorization from the server:

Device identifier (hardware_id)
Number of targets to be scanned
Identifiers of scan modules to be used
License key (if applicable)
Scanner version

3.3 Data Collected During Result Signing

After scanning, the software requests result signing:

BLAKE3 hash of results (64-character hexadecimal string)
Authorization token (previously received)
Device identifier
Timestamp
Random value (nonce)
Identifiers of modules used
Scan duration in milliseconds
Number of targets scanned

3.4 Data Collected During License Purchase

License purchases are made through Stripe. During the payment transaction, Stripe collects:

Name
Email address
Billing address
Payment details (card details or bank connection)
Business ID (business customers)

Bountyy Oy does not store or process payment data. Stripe acts as an independent data controller for payment data. Stripe's privacy policy: Stripe Privacy Policy

3.5 Website Analytics

This website collects minimal usage statistics with your consent via Cloudflare Workers. When you visit the site, we collect:

Page pathname (e.g., /en, /en/pricing)
Timestamp of visit
IP address (automatically collected by Cloudflare Workers for request processing)
ASN (Autonomous System Number) - network identifier

How we handle this data:

IP addresses are used for geolocation (country-level only) and then discarded
ASN is used to identify hosting providers and networks
No personal identifiers are stored or linked to individuals
Does not use cookies for tracking
Does not track users across websites
Data is aggregated for statistical analysis only
GDPR compliant - data is minimized and anonymized

You can withdraw your consent at any time by declining cookies in the banner or clearing your browser's local storage.

3.6 Data NOT Collected

Lonkero does not send to the server:

Actual scan results or discovered vulnerabilities
Scanned URLs or domain names
Technical information about target systems
User files or browsing history
Passwords or credentials

Only the hash of scan results is sent to the server, from which it is impossible to derive the original content.

4. Purposes and Legal Bases for Data Processing

4.1 License Management

Purpose: Ensure the user has a valid license
Data: License key, device identifier
Legal basis: Contractual relationship (GDPR Art. 6(1)(b))

4.2 Module Authorization

Purpose: Ensure the user only uses features included in the license
Data: Module identifiers, device identifier
Legal basis: Contractual relationship (GDPR Art. 6(1)(b))

4.3 Result Signing

Purpose: Prove that scan results were produced by authentic Lonkero
Data: Result hash, timestamp, module information
Legal basis: Contractual relationship (GDPR Art. 6(1)(b))

4.4 Abuse Prevention

Purpose: Prevent service abuse and circumvention of license terms
Data: IP address, ASN number, device identifier
Legal basis: Legitimate interest (GDPR Art. 6(1)(f))

4.5 Service Development

Purpose: Analyze usage and improve the software
Data: Aggregated and anonymized statistics
Legal basis: Legitimate interest (GDPR Art. 6(1)(f))

5. Aggregated Statistics

We collect anonymous usage statistics for service development:

Daily statistics (retention period 90 days):

Total number of requests
Number of unique users (counter, no identifiers)
Distribution of license types (Free, Professional, Team, Enterprise)
Scanner version distribution
Geographic distribution (countries)
Network operator distribution (ASN numbers)

Global statistics (retention period 1 year):

Total number of scans
Number of successful signatures
Average scan duration
Total number of targets scanned
Module usage statistics

6. Authorization and Signing Process

6.1 License Validation

When the scanner starts, license validity is checked. The server returns information about the license type, available features, and maximum allowed target count.

6.2 Scan Authorization

Before scanning, the software requests authorization from the server. The server checks:

Whether the user is blocked (IP, ASN, or device identifier)
Whether the requested target count is within license limits
Whether the requested modules are allowed for the user's license type

For approved requests, a signed authorization token is returned, valid for 6 hours.

6.3 Module Validation

The server validates each requested module separately:

Free license: 8 basic modules
Personal license: 20 modules (+ CMS)
Professional license: 81 modules
Team license: 94 modules
Enterprise license: 121 modules

6.4 Result Signing

After scanning, the software requests result signing. The server verifies:

Authorization token validity and integrity
That used modules are included in authorized modules
Timestamp and random value to prevent replay attacks

For approved requests, an HMAC-SHA512 signature is returned, proving the authenticity of results.

7. Device Identifier (Hardware ID)

The device identifier is created by calculating a SHA-256 hash from the following data:

Network card MAC address
Processor identifier
Hard drive identifier

Due to the one-way nature of hash functions, original data cannot be derived from the identifier. The identifier remains the same on the same device and changes when hardware changes.

8. Data Retention Periods

Data Type	Retention Period
License data	License validity period + 1 year
Daily statistics	90 days
Global statistics	1 year
Block data (ban)	Until manually removed
Device identifier tracking	2 days

9. Data Location and Transfers

Data is processed in the following locations:

Server: Cloudflare Workers (global edge network, EU-primary)
Data store: Cloudflare KV (distributed key-value database)
Payment processing: Stripe, Inc. (Finland)

Cloudflare complies with GDPR requirements and offers standard contractual clauses that meet EU data protection requirements.

Stripe is an international payment service that processes payments securely.

10. Data Security

We use the following technical and organizational security measures:

HTTPS/TLS encryption for all data traffic
HMAC-SHA512 signature algorithm (quantum-safe)
Rate limiting to prevent abuse
Signed authorization tokens (6-hour validity)
IP and ASN-based blocking system
Fail-closed principle: access is denied in error situations

11. Data Subject Rights

Under GDPR, you have the following rights:

Right of access: Right to know whether your personal data is being processed and what data is stored about you
Right to rectification: Right to request correction of inaccurate data
Right to erasure: Right to request deletion of your data
Right to restriction: Right to restrict processing of your data in certain situations
Right to data portability: Right to receive your data in machine-readable format
Right to object: Right to object to processing based on legitimate interest

You can exercise your rights by contacting us by email: info@bountyy.fi

12. Changes to Privacy Policy

We reserve the right to update this privacy policy. Significant changes will be communicated:

By email to registered license holders
In software update notifications
On our website

13. Supervisory Authority

If you believe your personal data has been processed in violation of data protection legislation, you can file a complaint with the supervisory authority:

Office of the Data Protection Ombudsman

Visiting address: Lintulahdenkuja 4, 00530 Helsinki

Postal address: P.O. Box 800, 00531 Helsinki

Phone: +358 29 566 6700

Email: tietosuoja@om.fi

Website: https://tietosuoja.fi

14. Contact Information

For questions regarding data protection, you can contact:

Bountyy Oy

Business ID: 3504521-7

Address: Nuolitie 9, 01740 Vantaa, Finland

Email: info@bountyy.fi

This privacy policy was updated December 17, 2025