Acceptable Use Policy
Effective 2026-05-13. This AUP forms part of our Terms of Service and is binding on every user.
1. Authorization is required
You may submit a domain to Leakwarden only if at least one of the following is true: you own the domain, you have written permission from the owner to test it, or the target is listed on a public bug-bounty program whose rules permit unsolicited scanning. "Written permission" means an email or signed document from someone authorized to grant testing access — a verbal okay from a coworker is not enough.
Every paid scan requires an explicit attestation checkbox. Every continuous-monitoring subscription requires DNS-based ownership proof (TXT record or /.well-known/<random>.txt) before the first scan runs. We rely on your attestation — if you misrepresent authorization, the legal consequences are yours, and we cooperate with lawful investigations.
2. Disallowed targets
- Government, military, or intelligence-service domains (.gov, .mil, equivalent ccTLDs) without a documented bounty program.
- Financial-institution domains regulated by FFIEC, PCI-DSS Level 1, or equivalent regimes — without authorization.
- Healthcare or critical-infrastructure operators where a scan could trigger regulatory reporting obligations on the operator.
- Any domain you do not have authorization to test under §1.
3. Rate and conduct limits
- ≤2 requests / second per target host, enforced server-side.
- Premium scans honor robots.txt. Free-tier surface checks query a fixed pre-known path list and do not crawl.
- A single domain may be queued at most once per hour by a customer.
- Re-selling raw scan output is prohibited.
4. Disclosure pipeline (if active)
If we identify a finding on a domain that did not request a scan through us — for example via the certificate-transparency-log monitoring pipeline — our outreach is strictly informational and free. We will:
- Send the disclosure to standard contact addresses (security@, abuse@, WHOIS contact) only.
- Allow at minimum 30 days before any public mention.
- Honor opt-out (STOP) requests permanently.
- Never condition the disclosure on payment.
5. Account termination
Violation of any of the above is grounds for immediate account termination, refund of unused credits, and (where applicable) notification to the affected target.
6. Reporting abuse
If you believe Leakwarden has scanned a domain you control without authorization, email [email protected]. We respond within one business day, identify the responsible account, suspend it, and (where the abuse appears willful) preserve relevant logs for cooperation with law-enforcement requests.
7. Disclosure-pipeline opt-out
To preemptively opt out of unsolicited disclosure emails for a domain you control, email [email protected] with the apex domain. The opt-out is permanent and keyed by the apex.