VEILSCAN

Rules of Engagement

Version 1.0  ·  Effective 1 April 2026
Required before scanning. Every VeilScan customer must sign the Rules of Engagement document before any scan runs. The RoE records your authorisation and the exact domains in scope. This page explains what you are agreeing to — the actual signature happens in your dashboard after payment.

Purpose

The Rules of Engagement ("RoE") is a formal authorisation document that confirms:

  • You have legal authority to authorise security testing of the listed domains
  • You grant VeilScan (CodeCrypse IT Solutions LTD) permission to perform automated external reconnaissance against those domains
  • You understand the nature and scope of the scanning activities
  • You accept the terms of our Acceptable Use Policy

Without a signed RoE, the platform will not execute any scan. This is a hard technical control, not a policy aspiration.

What VeilScan Will Do

Within the scope defined by your signed RoE, VeilScan will:

  • Enumerate subdomains of your root domain using passive and active DNS techniques
  • Probe discovered hosts to identify live services and open ports
  • Fingerprint technologies, frameworks, and software versions in use
  • Run vulnerability checks against discovered services using known CVE signatures
  • Check for common misconfigurations: exposed admin panels, open S3 buckets, missing security headers, TLS/SSL issues
  • Check email security records: SPF, DMARC, DKIM
  • Chain connected findings into exploit paths where evidence supports it
  • Generate a scored PDF report with proof-backed findings and remediation guidance

What VeilScan Will Not Do

  • Attempt to authenticate to or log in to any system
  • Exploit discovered vulnerabilities to gain access to systems or data
  • Scan IP addresses, domains, or subdomains not listed in the signed RoE
  • Scan internal network ranges (RFC 1918) or private infrastructure
  • Intentionally cause service disruption, data loss, or denial of service
  • Retain any data accessed incidentally during scanning (e.g. credentials visible in scan output are noted as a finding and reported — not stored or used)

Scope Constraints

The RoE is tied to specific domain names. Scope is validated before every scan run:

  • Root domain and all subdomains thereof are in scope once the root domain is listed and verified
  • Domains must be verified via DNS TXT record before scanning begins
  • IP addresses that in-scope domains resolve to are automatically included
  • Any target that resolves outside the signed scope is hard-rejected by the scan pipeline

Duration and Renewal

The RoE covers ongoing continuous scanning for the duration of your active subscription. When you add new domains to your account, those domains are added to the RoE scope. If your subscription lapses, the RoE is considered suspended — no scans run on inactive accounts.

You may revoke authorisation at any time by removing a domain from your account. Revocation takes effect immediately; no further scans will include that domain.

Customer Responsibilities

By signing the RoE, you confirm that you:

  • Own the domains listed, or have obtained written authorisation from the domain owner to conduct security testing
  • Have the authority to grant this permission on behalf of your organisation
  • Will notify us promptly if any domain should be removed from scope
  • Will not hold VeilScan liable for minor operational impacts (e.g. increased load) that result from authorised scanning activities

Our Commitments

We commit to:

  • Treating all findings as strictly confidential
  • Alerting you to Critical findings immediately, before the report is generated
  • Conducting all scanning activities within the agreed scope only
  • Maintaining full audit logs of all scan activities
  • Providing the RoE document in your dashboard for your records

Signing the RoE

The RoE is signed electronically in your dashboard after your subscription is activated. The process takes about 30 seconds. You will enter your name, confirm the domains in scope, and check the authorisation declaration. A timestamped copy is retained on your account.

Existing customers can review their signed RoE in the Settings section of the dashboard.

Questions

If you have questions about what is in scope or need to discuss a custom testing arrangement, contact us at hello@veilscan.net before signing.

© 2026 CodeCrypse IT Solutions LTD — All rights reserved. Data stored in AWS eu-west-2 (London)