Please report a vulnerability to [email protected].

• Firebase initialization tokens. The Firebase tokens are really public: they must be included into client applications and consequently are not private by design.
• Exposed /pprof or /expvar. We know they are exposed. It's intentional and harmless.
• Exposed Prometheus metrics /metrics. Like above, it's intentional and harmless.