Acceptable Use Policy

You may scan only domains, URLs, hosts, APIs, applications, and other resources that you own or control, or for which you hold explicit, current, written permission from the lawful owner to perform the exact testing at issue.

You must keep your authorization documents and scope definitions current. Blanket assumptions, implied consent, shared hosting access, bug bounty aspirations, or public availability of a website do not count as authorization.

You are responsible for ensuring that the targets you enter and the infrastructure they touch are within the scope of your authorization. You may not use VibeShield to test or affect:

• third-party services, vendors, or SaaS systems outside scope;
• shared infrastructure, hosting neighbors, CDNs, mail providers, or managed databases you are not separately authorized to assess;
• client environments unless your client has expressly approved the specific testing and scope; or
• any target that becomes out of scope because authorization expires, is revoked, or is disputed.

You may not use VibeShield for any of the following:

• testing third-party assets without written authorization;
• phishing, social engineering, pretexting, credential harvesting, or impersonation;
• brute-force attacks, password spraying, credential stuffing, or attempts to bypass authentication by volume;
• malware delivery, remote code execution payloads, persistence, shell deployment, or backdoor installation;
• denial-of-service, traffic flooding, resource exhaustion, queue saturation, or other service degradation techniques;
• data exfiltration, downloading bulk records, or collecting more data than minimally necessary to confirm a finding;
• attempts to hide origin, conceal identity, defeat logging, evade rate limits, or bypass provider restrictions;
• using findings to exploit, extort, shame, threaten, trade on, or publicize vulnerabilities without authorization; or
• any unlawful, harmful, deceptive, or unethical activity.

Unless you have a separate written agreement with VibeShield that expressly allows it, you may not use the service to test:

• government, law enforcement, defense, or election-related systems;
• critical infrastructure or industrial control systems;
• healthcare, medical, or safety-critical environments where disruption could create patient or public risk;
• financial services, payment processing, lending, or insurance systems operated for third parties;
• educational systems, child-directed services, or systems primarily involving minors’ data; or
• targets subject to legal hold, active incident response, or known production instability.

If a scan exposes credentials, tokens, regulated data, personal information, health data, payment data, customer records, secrets, or confidential files, you must stop any further collection beyond the minimum needed to validate the issue.

You may not use VibeShield to intentionally harvest, store, disclose, or monetize exposed data. You are responsible for handling scan outputs securely and limiting internal access to a need-to-know basis.

You must cooperate promptly with any abuse, legal, compliance, or incident-response inquiry relating to your use of the service. This includes identifying the target owner, providing evidence of authorization, clarifying scope, and stopping scans immediately if we instruct you to do so.

We may reject, rate-limit, suspend, or permanently block any user, target, workspace, or traffic pattern that we believe violates this policy or creates legal, safety, or reputational risk.

We may preserve and disclose logs and related information to affected parties, service providers, or authorities where reasonably necessary to investigate misuse, respond to legal requests, or protect people, systems, and the service.

This Acceptable Use Policy supplements and forms part of the Terms of Service. If there is a conflict, we may apply the stricter rule.