Acceptable Use Policy
This Acceptable Use Policy ("AUP") governs your use of the secninjaz.com website and any services, tools, or platforms we offer through it (collectively, "the Platform"). This policy exists to protect our users, our infrastructure, and the broader internet ecosystem.
By using our services, you agree to comply with this AUP. Violation may result in immediate suspension, termination, and/or referral to law enforcement.
1. Authorized Use
Our vulnerability assessment tool is designed for legitimate, authorized security assessment of web domains. Authorized use of this tool includes:
- Scanning domains you own — Vulnerability assessment of websites and web applications registered to you or your organization.
- Scanning domains you are authorized to test — Domains for which you hold explicit, documented authorization from the domain owner (e.g., signed penetration testing agreement, written authorization letter, or equivalent).
- Using scan results for remediation — Reviewing vulnerability findings to improve the security posture of your own systems.
- Exporting reports for internal use — Downloading and sharing reports within your organization for security improvement purposes.
2. Domain Authorization Requirement
This is the most critical requirement of our vulnerability assessment tool.
Before any scan is initiated, you must verify domain ownership through one of the following methods:
| Method | Requirement |
|---|---|
| DNS TXT Record | Add a verification token as a TXT record to your domain's DNS |
| HTML Meta Tag | Add a verification meta tag to your website's HTML |
| File Upload | Host a verification file at /.well-known/securescan-verify.txt |
Additionally:
- Your email address must belong to the domain being scanned (exact match or subdomain).
- If you are scanning on behalf of a client, you must use an email address associated with the target domain or have the domain owner complete verification.
Submitting a domain for scanning constitutes your legal representation that you are authorized to conduct a security assessment of that domain.
3. Prohibited Activities
The following activities are strictly prohibited:
3.1 Unauthorized Scanning
- Submitting domains that you neither own nor have written authorization to scan.
- Attempting to bypass domain ownership verification through any means.
- Using email addresses that do not belong to you or the target domain.
- Spoofing DNS records, email headers, or verification tokens to fraudulently pass verification.
3.2 Platform Abuse
- Exceeding rate limits or attempting to circumvent rate-limiting controls.
- Launching denial-of-service (DoS/DDoS) attacks against the Platform.
- Automated mass-scanning through bots, scripts, or unauthorized API usage.
- Attempting to access other users' scan results, reports, or session data.
- Probing, scanning, or testing the vulnerability of the Platform itself without written authorization from SecNinjaz.
3.3 Malicious Use of Results
- Using vulnerability findings to exploit, attack, or compromise the scanned domain or any other system.
- Sharing vulnerability details of domains you do not own with unauthorized parties.
- Using scan results for extortion, blackmail, or coercion.
- Publishing vulnerability details of third-party domains without the owner's consent and without following responsible disclosure practices.
- Selling or trading vulnerability data obtained through our Platform.
3.4 Identity Fraud
- Impersonating another person or organization.
- Providing false or misleading information during email verification or domain authorization.
- Creating multiple sessions to circumvent usage limits or bans.
3.5 Legal Violations
Using the Platform for any activity that violates:
- The Information Technology Act, 2000 (India)
- The Digital Personal Data Protection Act, 2023 (India)
- The Indian Penal Code / Bharatiya Nyaya Sanhita
- Any applicable local, state, national, or international law
Scanning domains located in jurisdictions where such scanning is prohibited without additional authorization.
3.6 Interference
- Attempting to reverse engineer, decompile, or extract source code from the Platform.
- Introducing malware, viruses, trojans, or any malicious code into the Platform.
- Manipulating scan results, findings, or risk scores.
- Interfering with the Platform's infrastructure, scanning engines, or reporting systems.
4. Usage Limits
To ensure fair access and platform stability, the following limits apply:
| Resource | Limit |
|---|---|
| API requests (global) | 30 requests per minute per session |
| OTP email sends | 3 per minute per email address |
| OTP verification attempts | 5 per 10 minutes per email address |
| Concurrent scans | As determined by system capacity |
| Report access | 72 hours from generation |
| Scheduled scan frequency | Daily, weekly, biweekly, or monthly |
Exceeding these limits will result in temporary throttling (HTTP 429). Persistent abuse will result in session termination.
5. Monitoring & Enforcement
5.1 What We Monitor
To enforce this AUP, we monitor:
- Request volumes and patterns (rate limiting)
- Domain verification attempts (fraud detection)
- IP addresses and session behaviour (abuse detection)
- Anomalous scanning patterns
All monitoring is automated and uses PII-masked logs. We do not manually review individual user data unless a potential violation is detected.
5.2 Enforcement Actions
Violations of this AUP may result in, at our sole discretion:
| Severity | Action |
|---|---|
| Minor (e.g., exceeding rate limits) | Temporary throttling; warning |
| Moderate (e.g., repeated rate limit abuse, suspicious patterns) | Session termination; temporary IP block |
| Severe (e.g., unauthorized scanning, verification bypass) | Permanent ban; data deletion; report to authorities |
| Critical (e.g., using results for exploitation, identity fraud) | Permanent ban; report to CERT-In and/or law enforcement |
5.3 Reporting Violations
If you become aware of any violation of this AUP by another user, please report it to report-abuse@secninjaz.com.
6. Your Responsibilities
As a user of our Platform, you are responsible for:
- Ensuring you have proper authorization before initiating any scan.
- Maintaining the confidentiality of your session token.
- Safeguarding vulnerability data contained in scan reports.
- Following responsible disclosure practices if you identify vulnerabilities.
- Complying with all applicable laws and regulations.
- Reporting any suspected unauthorized use or security incidents to us promptly.
7. Indemnification
You agree to indemnify and hold harmless SecNinjaz from any claims, damages, or liabilities arising from your violation of this AUP, including but not limited to:
- Legal costs arising from unauthorized scanning
- Damages claimed by third parties whose domains were scanned without authorization
- Costs of investigating and responding to your AUP violations
8. Changes to This Policy
We may update this AUP to address new types of abuse or changes in our services. Material changes will be posted on our website. Continued use constitutes acceptance.
9. Contact
For questions about this Acceptable Use Policy:
- Abuse Reports: report-abuse@secninjaz.com
- General Enquiries: contact@secninjaz.com
- Legal: legal@secninjaz.com
- Website: https://secninjaz.com
This Acceptable Use Policy was last reviewed and published on 25 March 2026.