1. Introduction
This Acceptable Use Policy (“AUP”) describes how you may and may not use the Vezraa Service. It supplements and forms part of the Vezraa Terms of Service and Privacy Policy. Defined terms have the meanings given in the Terms.
Vezraa is a security-scanning platform. The same capabilities that make it useful for defending an application — finding misconfigurations, leaked secrets, weak headers, broken access control — could be misused to attack one. This AUP exists so we can keep the Service safe for everyone who uses it the right way.
2. What you must do
While using the Service, you must:
- Only scan websites, applications, repositories, or systems you own or have obtained explicit, demonstrable authorization to test.
- Complete domain ownership verification when prompted, and keep that verification valid (re-verify after a domain transfer).
- Use scan results responsibly: validate findings before acting on them, fix issues you confirm, and protect raw scan output from disclosure outside your team.
- Keep your account credentials, OAuth tokens, and API keys secret. Notify udayakirantumma@gmail.com immediately of any suspected compromise.
- Comply with all laws applicable to you and to the targets you scan, including India's Information Technology Act 2000, the US Computer Fraud and Abuse Act, the UK Computer Misuse Act 1990, EU Directive 2013/40/EU, and equivalent local laws.
- Provide notice to and obtain consent from end-users, employees, or data subjects whose data may be observed during a scan, where required by privacy law.
3. What you must not do
You must not, and must not permit any third party to:
- Scan, probe, test, or analyze any website or system that you neither own nor have been expressly authorized to scan.
- Use, share, or sell scan results to gain unauthorized access, exploit a vulnerability, install malware, or conduct any malicious, fraudulent, or harmful activity against any person, system, or organization.
- Use the Service to harass, threaten, defame, stalk, dox, discriminate against, or harm any individual or group.
- Attempt to circumvent, disable, or work around our rate limits, paywalls, plan quotas, access controls, encryption, watermarks, or any other technical restriction.
- Reverse-engineer, decompile, disassemble, decrypt, or attempt to derive the source code, algorithms, signatures, or trade secrets of the Service or its scanning engine, except to the extent expressly permitted by mandatory law.
- Resell, sublicense, lease, rent, redistribute, frame, white-label, or otherwise commercially exploit the Service or its output without our prior written agreement.
- Upload, submit, or transmit any content that is unlawful, infringing, harmful, deceptive, defamatory, obscene, hateful, or that contains malware, viruses, or ransomware.
- Impose a disproportionate or unreasonable load on our infrastructure, interfere with other users' access, or endanger the security, integrity, or availability of the Service.
- Use the Service in violation of any applicable export-control, sanctions, anti-bribery, anti-money-laundering, data-protection, or consumer-protection laws.
- Use the Service to develop, design, manufacture, or produce nuclear, chemical, biological, or missile weapons, or any other weapon of mass destruction.
- Misrepresent your affiliation with any person, organization, or government when using the Service or its output.
- Use the Service to test government, military, election, healthcare, financial-services, or industrial-control systems without our prior written consent and a separately executed master services agreement.
4. Scanning rules
Free scans run with a lightweight read-only profile. Paid plans include “active-pentest” probes — small, well-known test payloads (header checks, redirect-target tests, content-type sniffing checks, read-only authentication-flow checks) intended to be safe for a healthy production site. The Service is non-destructive by design. We do not knowingly perform actions that change state on your application beyond what you have explicitly invited (such as the GitHub PR auto-fix flow).
Even so, scans involve sending real HTTP and DNS requests. Before scanning, you should:
- Confirm you own the target and that scanning will not breach any contract, terms of service, or law applicable to the target.
- Notify your hosting provider, WAF, and any incident-response stakeholders if you expect them to react to scan traffic.
- Avoid scanning during peak production-traffic windows if your application has tight performance margins.
5. Automation, APIs & rate limits
You may access the Service programmatically only through our documented APIs, our CLI, and the Vezraa MCP server. You must respect documented rate limits and any plan quota. Specifically, you must not:
- Use scrapers, headless browsers, or generic bots to crawl marketing or dashboard pages of the Service.
- Open multiple accounts or use disposable email addresses to evade limits or quotas.
- Share API keys across organizations to evade per-account quotas.
- Run automated scans of third-party domains in bulk, including bulk scans of top-domain lists, customer lists, or any list of domains that you have not been individually authorized to test.
We may rate-limit, throttle, or temporarily block requests that exceed reasonable automated-use thresholds. Repeated violations may lead to permanent termination.
6. Content & data uploaded to the Service
You retain ownership of the content you submit to the Service (URLs, repository data, configuration, credentials), as set out in the Terms. By submitting, you confirm that you have the rights to do so and that submission does not violate any contract, license, or law. You should redact secrets and personal data of third parties from any free-form content you submit (for example, support correspondence) where you can.
We treat your content as confidential and use it only to deliver the Service. See the Privacy Policy for full details.
7. AI / model training restrictions
You must not use the Service or any output of the Service to train, fine-tune, evaluate, or benchmark any machine-learning model, large-language model, or competing security-scanning product. We do not use your scan content to train any model on our side either; see the “AI processing” section of the Privacy Policy.
8. Competitor research
You may not access the Service in order to build a competing product, copy our scanning rules or rule organization, replicate our API surface, or extract our prompt templates. You may not publish performance benchmarks, comparative reviews, or competitive analyses of the Service without our prior written consent.
9. Reporting abuse & vulnerabilities
- Abuse of the Service. If you believe someone is using Vezraa in violation of this AUP, email udayakirantumma@gmail.com with the URL of the offending content (if any), a description of the abuse, and your contact details. We will investigate and take appropriate action.
- Security issues in Vezraa itself. If you believe you have found a vulnerability in our Service, see our Security page for our coordinated disclosure policy. Please do not perform invasive testing of our production infrastructure outside the scope described there.
10. Enforcement
We may investigate any actual or suspected violation of this AUP and take any action we consider appropriate, including:
- Removing or disabling access to offending content;
- Suspending or terminating accounts, with or without notice;
- Forfeiting any prepaid balance for accounts terminated for violation;
- Reporting violations to law-enforcement authorities;
- Pursuing all other available legal remedies.
Violation of this AUP is grounds for immediate termination under the Terms and may result in civil and criminal liability.
11. Changes
We may update this AUP from time to time. The current version is always available at vezraa.com/acceptable-use with the “Last updated” date and version stamp at the top of this page. We will give notice of material changes by email and/or a prominent notice in the Service at least thirty (30) days before they take effect.
12. Contact
For questions about this AUP, contact udayakirantumma@gmail.com. To report abuse, email udayakirantumma@gmail.com. To report a security issue, see our Security page.
See also: Terms of Service, Privacy Policy, Disclaimer.