Core rule: VeilScan is an authorised scanning tool. Scan only what you own or
have explicit written permission to test. Use findings to improve your security posture —
never to attack or harm.
1. Purpose
This Acceptable Use Policy ("AUP") governs how you may use the VeilScan service. It supplements
the Terms of Service. Violations may result in immediate account suspension
without refund.
2. Permitted Use
You may use VeilScan to:
- Scan infrastructure you own outright (domains registered to you or your organisation)
- Scan infrastructure you have explicit written permission to test
(e.g. a client engagement, a cloud provider's permitted testing scope)
- Understand your external attack surface and prioritise remediation
- Generate security reports for internal stakeholders, auditors, or compliance purposes
- Demonstrate security posture to customers or partners using generated reports
3. Prohibited Use
You must not use VeilScan to:
3.1 Unauthorised scanning
- Scan infrastructure you do not own or lack written authorisation to test
- Enumerate, fingerprint, or probe systems belonging to third parties without permission
- Circumvent scope restrictions set in your Rules of Engagement
3.2 Harmful or malicious use
- Use vulnerability findings to attack, compromise, or extort any party
- Weaponise scan output or exploit paths for offensive purposes outside an authorised engagement
- Disclose findings about third-party infrastructure without the owner's consent
3.3 Platform abuse
- Attempt to reverse-engineer, decompile, or extract the scan methodology or proprietary tools
- Automate account creation, share credentials, or exceed plan quotas by artificial means
- Attempt to probe, test, or attack VeilScan's own infrastructure
- Interfere with scans belonging to other customers
3.4 Legal violations
- Use the Service in violation of the Computer Misuse Act 1990, the US CFAA, or equivalent laws in your jurisdiction
- Scan critical national infrastructure, government systems, or healthcare infrastructure without explicit legal authority
- Use the Service to facilitate espionage, state-sponsored attacks, or organised crime
4. Rules of Engagement Requirement
Every customer must sign a Rules of Engagement document before scanning
begins. The RoE records your authorisation and the specific domains in scope. Scanning domains not
listed in your current RoE is a violation of this AUP regardless of your intentions.
5. Responsible Disclosure
If VeilScan discovers a critical vulnerability in your infrastructure, we will notify you via your
registered email immediately (before the report is finalised) and send a Slack alert if configured.
We do not disclose your findings to any third party. You are responsible for remediating
findings within a timeframe appropriate to their severity.
6. Scan Scope Limits
All scans are limited to external, unauthenticated reconnaissance of domains you have authorised.
VeilScan will not:
- Attempt to log in to or authenticate against any system
- Exploit vulnerabilities to gain access (scans are read-only and non-destructive by design)
- Scan internal network ranges or RFC 1918 IP addresses
- Intentionally initiate denial-of-service conditions
Despite these precautions, aggressive scanning can occasionally cause minor load on target systems.
You accept this risk by submitting domains for scanning.
7. Enforcement
We reserve the right to suspend or terminate accounts that we reasonably believe are violating
this AUP, with or without notice depending on severity. Suspected criminal activity will be
reported to law enforcement. We cooperate fully with lawful requests from authorities.
8. Reporting Violations
If you believe someone is using VeilScan to scan your infrastructure without authorisation,
email us at support@veilscan.net with as much detail
as possible (IP addresses, timestamps, domain names). We take these reports seriously and
will investigate within 24 hours.
9. Contact
AUP questions: support@veilscan.net
CodeCrypse IT Solutions LTD, England & Wales