Acceptable Use Policy
This Acceptable Use Policy explains what is and is not allowed when using buggy.run. It is designed to keep security testing authorized, controlled, and lawful.
This policy is incorporated into the buggy.run Platform Terms. By creating an account, accepting an invitation, selecting an account-registration acceptance checkbox, creating or using an API key, submitting an API request, starting or scheduling an audit, connecting an integration, or otherwise using buggy.run, you accept this policy on behalf of yourself and any organization you represent.
This policy applies continuously to every current and future use of buggy.run from your account, workspace, organization, API keys, integrations, sessions, and Authorized Users, even if buggy.run does not ask for a separate per-audit checkbox or confirmation.
1. Authorized targets only
You may use buggy.run only on websites, domains, subdomains, URLs, applications, APIs, infrastructure, repositories, accounts, credentials, logs, and systems that you own, control, administer, or are expressly authorized to assess.
You must be able to prove authorization on request. Scope limitations from contracts, customer approvals, employer approvals, bug bounty programs, vulnerability disclosure policies, cloud providers, hosting providers, platform providers, customers, clients, or third-party services apply to your use of buggy.run.
You must not submit a Target, credential, account, log, file, prompt, API request, integration, or instruction to buggy.run if your authorization is absent, expired, revoked, disputed, unclear, or insufficient for the requested activity.
2. Continuing authorization duty
By using buggy.run, you make a continuing representation that every audit, scan, monitoring task, scheduled job, agent instruction, API request, Target, credential, file, log, integration, and workflow initiated from your account is authorized, lawful, and within scope.
This duty continues after registration and applies to all future activity. If your authority changes, scope narrows, authorization is revoked, or a Target becomes disputed, you must stop using buggy.run for that Target and cancel any related monitoring, scheduled jobs, API calls, or workflows.
buggy.run is only a technology service provider. buggy.run does not grant permission to test any Target, verify every authorization, expand your scope, or accept responsibility for your testing.
3. Scope and rules of engagement
You must keep all testing within the applicable scope, timing, rate limits, data handling rules, credentials, accounts, exclusions, blackout windows, escalation paths, stop-testing rules, and other rules of engagement.
You must not exceed the access, functionality, methods, volume, frequency, or data use permitted by your authorization.
If a bug bounty program, customer agreement, employer instruction, vulnerability disclosure policy, cloud provider policy, or platform policy permits only certain testing methods, you must configure buggy.run accordingly.
4. No unlawful access or evasion
You must not use buggy.run to access, attempt to access, scan, exploit, bypass, enumerate, scrape, intercept, disrupt, test, or interact with any system without authorization.
You must not use buggy.run to evade authentication, authorization, access controls, rate limits, monitoring, logging, security tools, abuse controls, sanctions controls, export controls, IP restrictions, geographic restrictions, account limits, or usage limits.
You must not instruct buggy.run, an agent, an integration, or an API workflow to continue after you know or should know that activity is unauthorized, out of scope, harmful, unstable, or disputed.
5. No destructive, abusive, or weaponized activity
You must not request, automate, facilitate, or attempt denial-of-service activity, stress testing, destructive exploitation, data deletion, data corruption, ransomware behavior, malware deployment, credential stuffing, password spraying, phishing, spam, bot activity, social engineering, persistence, lateral movement, exfiltration, or unauthorized payload execution.
You must not use buggy.run to create, modify, deploy, host, distribute, test, improve, or operationalize malware, exploit kits, unauthorized persistence mechanisms, evasion mechanisms, credential theft tooling, phishing infrastructure, spam systems, or tools designed primarily for abuse.
You must not use buggy.run to harm, disrupt, degrade, overload, extort, surveil, impersonate, defraud, or unlawfully obtain access to any person, organization, account, network, service, or system.
6. Credentials, secrets, and sensitive data
You must use least-privilege credentials where possible and must not submit credentials, cookies, tokens, private keys, API keys, logs, files, or secrets that you are not authorized to use for the requested activity.
Do not submit production secrets, private keys, customer data, health data, payment card data, government identifiers, regulated data, highly sensitive personal information, or third-party confidential information unless you have authorization and have minimized the data to what is strictly necessary.
If buggy.run identifies a secret, sensitive finding, possible data exposure, or credential risk, you are responsible for validating it, rotating affected credentials, notifying affected parties where required, preserving evidence where appropriate, and taking remediation steps.
7. Third-party targets and bug bounty programs
You may use buggy.run for a third-party Target only if the applicable owner, controller, customer, employer, or bug bounty program expressly authorizes the specific activity you request.
You are responsible for reading and following the applicable scope, rules, safe harbor language, reporting process, prohibited techniques, data handling requirements, and disclosure restrictions.
A public bug bounty program, vulnerability disclosure policy, or security.txt file does not automatically authorize every scan, tool, frequency, credential use, payload, or agent instruction. You must ensure that your use of buggy.run fits the applicable authorization.
8. Continuous monitoring and scheduled jobs
Continuous monitoring, recurring scans, scheduled jobs, API automations, and integrations must remain authorized for the entire period they run.
You must cancel or update recurring activity if ownership changes, authorization expires, scope changes, a contract ends, a bug bounty scope changes, a customer revokes permission, or a provider changes its rules.
You are responsible for the timing, frequency, rate limits, scope, credentials, outputs, and consequences of all recurring activity.
9. Responsible testing
You must avoid production disruption, respect rate limits, stop testing if instability occurs, avoid unnecessary data access, avoid persistence, and avoid accessing, modifying, deleting, copying, or exfiltrating data that is not necessary and authorized.
You must not instruct an agent to take actions that would be illegal, unauthorized, deceptive, abusive, or harmful if performed manually by you.
You must promptly stop or modify testing if you discover that a Target is outside scope, credentials are over-privileged, sensitive data is exposed, instability occurs, authorization is unclear, or a third party objects.
10. Vulnerability disclosure
If you discover a vulnerability in a third-party system, you are responsible for following the applicable disclosure policy, contract, law, safe harbor conditions, customer instructions, and professional obligations.
Do not publicly disclose, exploit, sell, transfer, weaponize, or use vulnerabilities without authorization.
If you believe you found a vulnerability in buggy.run itself, report it to hello@bearer.studio and do not access, modify, delete, disrupt, or exfiltrate data that does not belong to you.
11. Platform integrity
You must not reverse engineer, probe, overload, crawl, scrape, resell, benchmark, copy, attack, disrupt, or abuse buggy.run except as allowed by law and the Platform Terms.
You must not interfere with queues, billing, authentication, authorization, cookies, rate limits, AI model safeguards, prompts, telemetry, logging, monitoring, security controls, or any technical measure used to operate or protect the service.
You must not misrepresent your identity, authorization, organization, Target ownership, scope, billing status, or purpose for using buggy.run.
12. High-risk targets
You must not use buggy.run for high-risk environments unless you have clear written authorization and the activity can be performed safely and lawfully. High-risk environments may include government systems, critical infrastructure, healthcare systems, emergency services, industrial control systems, telecom infrastructure, financial trading systems, payment systems, shared cloud infrastructure, public safety systems, and systems where testing may create elevated safety, legal, regulatory, or operational risk.
buggy.run may block, limit, review, throttle, or require Authorization Evidence for high-risk Targets or suspicious activity, but buggy.run has no obligation to detect every high-risk Target.
13. No false attribution or shifting responsibility
You must not state or imply that buggy.run authorized, requested, sponsored, approved, performed, certified, or accepted responsibility for your Audit, scan, disclosure, remediation, or security decision.
You must not use buggy.run's name, outputs, reports, logos, or interface to falsely claim that a Target is secure, compliant, certified, fully tested, breach-free, or approved by buggy.run.
14. Enforcement
We may investigate suspected violations and may suspend, limit, throttle, pause, terminate, remove content, preserve evidence, require Authorization Evidence, or block activity if we believe this policy was violated or risk exists.
We may cooperate with affected providers, customers, Target owners, regulators, law enforcement, or third parties where we believe disclosure is necessary to prevent harm, comply with law, enforce rights, investigate abuse, protect the service, or protect others.
Violations of this policy may also violate the Platform Terms and may trigger indemnity, termination, reporting, and other remedies available to buggy.run.
15. Contact
Questions about this policy can be sent to hello@bearer.studio.
Reports of suspected security issues or abuse can be sent to hello@bearer.studio.