See the deliverable before you buy

A sample of the report you receive.

This is exactly how a Bug Circuit manual audit is written up: every issue ranked by severity, explained in plain English, with the evidence and the precise fix. Below is an illustrative example.

This is an illustrative sample with fictional data — not a real customer or a real site. Names, values and evidence are redacted or invented to show the format and depth of a real report. Your report covers your own domain, with your real findings.

The full report — as a branded PDF

A complete, multi-page VAPT report (cover, executive summary, methodology, findings, remediation roadmap) — the exact document you receive.

Website Security Audit

northwind-store.example (sample)

Manual audit · by a human engineer
6 findings · 1 critical, 2 high
1
Critical
2
High
2
Medium
1
Low
0
Info
CriticalBC-01

Any logged-in user can read any other customer’s orders (IDOR)

Order history API · /api/orders/{id}

What we found

The order endpoint returns an order purely from the ID in the URL, without checking the order belongs to the logged-in user. Incrementing the ID returned other customers’ orders — names, addresses, phone numbers and items.

Why it matters

A single logged-in customer could scrape every order in the store: a mass personal-data breach and a direct GDPR/privacy incident. No special tools needed — just changing a number in the address bar.

Evidence (redacted)
GET /api/orders/10432  →  200 OK  (belongs to a different account)
{ "customer": "REDACTED", "email": "r•••••@•••••.com", "address": "REDACTED" }
How to fix it

Enforce an ownership check server-side: the order’s customer_id must equal the authenticated session’s user id. Return 404 (not 403) for orders that aren’t theirs so IDs can’t be enumerated.

HighBC-02

Admin data-export endpoint reachable without authentication

Admin export · /admin/export/customers.csv

What we found

The CSV export route was protected in the admin UI (the link was hidden) but the endpoint itself had no auth check. Requesting the URL directly returned the full customer list.

Why it matters

Anyone who guesses or finds the URL downloads your entire customer database. “Hidden” is not “protected” — search engines and attackers both find unlinked endpoints.

Evidence (redacted)
GET /admin/export/customers.csv  (no session cookie)  →  200 OK, 3•••2 rows
How to fix it

Gate the endpoint with the same server-side admin session check as the rest of /admin — authorise the request, not just the button that links to it.

HighBC-03

Outdated plugin with a known remote-code-execution vulnerability

CMS · contact-form plugin v4.1.2

What we found

The site runs a contact-form plugin two major versions behind. The installed version has a publicly documented vulnerability (CVE reference in the full report) that allows uploading and executing code.

Why it matters

Automated bots scan for exactly this. Left unpatched, it’s one of the most likely ways the site gets fully compromised — attacker code running on your server.

Evidence (redacted)
Detected version 4.1.2 · fixed in 4.3.0 · public exploit available
How to fix it

Update the plugin to the latest release immediately, then set up a monthly update review. Remove any plugins you don’t actively use.

MediumBC-04

Verbose errors leak stack traces and framework versions

Application error handling

What we found

Triggering an error on the checkout page returned a full stack trace, the framework version, and internal file paths.

Why it matters

Hands an attacker a map of your stack and exact versions to target, and can expose secrets embedded in code paths. It also looks unprofessional to a curious customer.

Evidence (redacted)
POST /checkout (malformed input)  →  500, stack trace incl. “/var/www/•••/app/services/•••.php:214”
How to fix it

Show a generic error page to users; log the detail server-side only. Disable debug mode in production.

MediumBC-05

Missing security headers (CSP, HSTS, frame protection)

HTTP response headers

What we found

The site sends no Content-Security-Policy, no Strict-Transport-Security, and no X-Frame-Options / frame-ancestors.

Why it matters

Raises the blast radius of any cross-site scripting bug, allows the site to be framed for clickjacking, and permits downgrade attacks on the connection.

Evidence (redacted)
Response headers: (Content-Security-Policy absent) · (Strict-Transport-Security absent) · (X-Frame-Options absent)
How to fix it

Add a Content-Security-Policy, HSTS (with preload once confident), and frame-ancestors ‘none’. We provide the exact header values to paste in.

LowBC-06

TLS configuration allows a weak, deprecated protocol

Transport security

What we found

The server still negotiates TLS 1.0 and a small set of weak cipher suites alongside the modern ones.

Why it matters

Modern browsers won’t use them, but their presence weakens your posture and fails some compliance checklists customers may run on you.

Evidence (redacted)
Enabled: TLS 1.0, TLS 1.2, TLS 1.3 · weak ciphers offered: 2
How to fix it

Disable TLS 1.0/1.1 and the weak ciphers; keep TLS 1.2 and 1.3 only.

What every report includes

Beyond the findings above, your report opens with a plain-English executive summary you can forward to a non-technical stakeholder, and closes with a prioritised fix list — what to do first, second, third. On the Signal plan we go further and fix the high and critical issues with you, then re-test to confirm they’re closed.

It’s a document you can hand to a developer to act on, or share with a customer who asked for proof that your site was tested.

Keep reading

Want this for your site?

Start with the free scan, or get the full manual report from $49 — every finding written up exactly like the sample above.

Passive recon only. No login, and no impact on your site. Deeper testing needs domain verification.

Ready for the full manual audit? See transparent pricing →