1. TL;DR
- Scan results are informational, not a guarantee.
- The Service is best-effort; it does not find every issue.
- AI-generated explanations and fix prompts can be wrong.
- Scores and severity ratings are estimates.
- A clean scan is not a security audit, compliance certification, or insurance.
- You are responsible for verifying findings and acting on them.
- For full legal terms, see our Terms of Service.
2. Informational use only
Vezraa is an automated security and production-readiness scanner. Every scan result, finding, severity rating, AI-generated explanation, recommended remediation, compliance tag, and trust-badge calculation produced by the Service is informational and is provided for educational and operational guidance only. Nothing the Service produces is, or should be treated as, an audit opinion, legal opinion, regulatory determination, certification, attestation, or other formal professional output.
3. Best-effort, not exhaustive
Vezraa runs a defined set of automated checks against a target you submit. Those checks are limited by:
- What is observable from outside the application without authenticated access;
- The time and compute budget allocated to a scan;
- The current state of our rule set and signature database;
- The behavior of any WAF, CDN, or rate-limiter that sits in front of your application;
- Network conditions (DNS errors, intermittent failures, geographic blocking) at the time of the scan.
A scan that produces no findings does not mean no findings exist. Real security assurance requires multiple complementary tools, manual code and architecture review, authenticated testing, and ongoing monitoring.
4. False positives & false negatives
Like all automated scanners, Vezraa can produce false positives (flagging items that are not actually vulnerabilities or are intentional design choices) and false negatives (failing to flag items that are vulnerabilities).
Triage every finding before acting. Validate with your application's own context — for example, a missing security header may be acceptable if a stricter equivalent is set elsewhere in the stack, or an “exposed” admin path may be a deliberate unauthenticated landing page. Use the “acknowledge,” “snooze,” and “custom rules” features to communicate context to your team.
5. AI-generated content
Vezraa uses third-party large-language-model APIs to generate executive summaries and remediation prompts (“fix prompts”). AI-generated content may be inaccurate, incomplete, out of date, biased, inconsistent, or misleading. It may suggest remediation steps that do not apply to your stack, that introduce new bugs, or that conflict with your application's requirements.
Specifically:
- Treat AI explanations as a summary, not a complete analysis. Read the underlying finding evidence before acting.
- Treat AI-generated “fix prompts” as a starting point to paste into your own coding workflow. Do not deploy the resulting changes without review and testing.
- Be especially cautious with AI suggestions that touch authentication, authorization, cryptography, payment flows, or data handling.
- We do not warrant that AI output is accurate, current, or fit for any purpose. See Section 12.
6. Scoring & severity ratings
The 0–100 overall score and per-category sub-scores are heuristic aggregations designed to give you a quick read on relative posture. They are not calibrated to any external standard such as CVSS, the OWASP Risk Rating Methodology, or any regulator's framework. Severity ratings (critical, high, medium, low, info) are also heuristics based on the type of issue, common impact patterns, and the rule that produced the finding — not a determination of actual exploitability in your environment.
Where we display a CVSS score, OWASP Top 10 reference, or CWE ID, those are derived from public databases and are best-effort. They may not reflect the latest version of the referenced framework.
7. Trust badges
Vezraa trust badges (issued on Pro and Max plans for scans that score 80 or higher with no critical or high findings) are an optional, self-reported signal that your application met those criteria on a Vezraa scan run on a specific date. A trust badge:
- Is not a third-party security audit;
- Is not a compliance certification (it is not SOC 2, ISO 27001, PCI DSS, HIPAA, etc.);
- Is not insurance against breach;
- Reflects only the state of the application at the time of the scan that earned the badge.
Badges expire ninety (90) days after issue and may be revoked at any time per the conditions in our Terms.
8. Third-party data
The Service incorporates and surfaces data from third-party sources, including the National Vulnerability Database (NVD), public certificate-transparency logs, public DNS resolvers, public WHOIS registries, Google PageSpeed Insights, Have I Been Pwned, and others. We do not control these sources, do not guarantee their accuracy, completeness, or timeliness, and are not responsible for their content. See our Subprocessor List for the current set.
9. Not professional advice
Nothing produced by the Service constitutes:
- Legal advice — including but not limited to advice about GDPR, the DPDP Act, CCPA, HIPAA, PCI DSS, or any other regulation;
- Compliance certification or attestation;
- Cybersecurity professional services such as penetration-testing reports, red-team engagements, threat-modeling deliverables, or expert witness opinions;
- Financial, accounting, tax, medical, or insurance advice.
For matters that require professional judgment, engage qualified professionals in the relevant jurisdiction.
10. Not for high-risk applications
The Service is not designed, intended, or authorized for use in any application requiring fail-safe performance, including life-support systems, nuclear facilities, aircraft navigation or communication, air-traffic control, weapons systems, medical devices, or any application in which the failure of the Service could lead to death, personal injury, or severe physical, property, or environmental damage. Do not use the Service as a last-line-of-defense control in such systems.
11. Your responsibility
You are solely responsible for:
- Verifying authorization to scan any target you submit;
- Triaging and validating findings before acting on them;
- Reviewing AI-generated content and remediation steps before deploying them;
- Implementing remediations safely and testing them in a staging environment;
- Maintaining your own backups, monitoring, and incident-response capability;
- Engaging qualified professionals where the matter requires their judgment;
- Compliance with all laws applicable to you and to the systems you scan.
12. Warranty disclaimer & liability
THE SERVICE AND ALL OUTPUT ARE PROVIDED “AS IS,” “AS AVAILABLE,” AND “WITH ALL FAULTS,” WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND. The full disclaimer of warranties and limitation of liability applicable to your use of the Service is set out in the Terms of Service, including the aggregate-liability cap. Nothing in this Disclaimer page expands or limits the obligations or remedies set out there.
13. Contact
Questions about a finding, a score, or AI-generated output? Email udayakirantumma@gmail.com. Believe a finding is a false positive that we should improve? Send the scan ID and your reasoning to udayakirantumma@gmail.com with subject “False positive” — feedback like this directly improves the rule set for everyone.
See also: Terms of Service, Privacy Policy, Acceptable Use Policy, Security.