Acceptable use

Acceptable Use Policy

Draft · last updated 2026-05-10 · subject to review before launch.

1. Authorization is required

You may submit a domain to Leakwarden only if you own it, have written permission from the owner, or are scanning a target listed on a public bug-bounty program whose rules permit unsolicited scanning.

Every paid scan requires an explicit attestation checkbox. Every continuous-monitoring subscription requires DNS-based ownership proof before the first scan runs.

2. Disallowed targets

  • Government, military, or intelligence-service domains (.gov, .mil, equivalent ccTLDs) without a documented bounty program.
  • Financial-institution domains regulated by FFIEC, PCI-DSS Level 1, or equivalent regimes — without authorization.
  • Healthcare or critical-infrastructure operators where a scan could trigger regulatory reporting obligations on the operator.
  • Any domain you do not have authorization to test under §1.

3. Rate and conduct limits

  • ≤2 requests / second per target host, enforced server-side.
  • Premium scans honor robots.txt. Free-tier surface checks query a fixed, predefined list of paths and do not crawl.
  • A single domain may be queued at most once per hour by a customer.
  • Re-selling raw scan output is prohibited.

4. Disclosure pipeline (if active)

If we identify a finding on a domain that did not request a scan through us — for example via the certificate-transparency-log monitoring pipeline — our outreach is strictly informational and free. We will:

  • Send the disclosure to standard contact addresses (security@, abuse@, WHOIS contact) only.
  • Allow at minimum 30 days before any public mention.
  • Honor opt-out (STOP) requests permanently.
  • Never condition the disclosure on payment.

5. Account termination

Violation of any of the above is grounds for immediate account termination, refund of unused credits, and (where applicable) notification to the affected target.

6. Reporting abuse

If you believe Leakwarden has scanned a domain you control without authorization, email [email protected]. We respond within one business day and will block the offending account.