
Platform Terms

These Platform Terms govern access to and use of buggy.run, including the website, web app, APIs, agent workflows, audit queues, monitoring workflows, audit outputs, billing flows, integrations, documentation, and related services.

By creating an account, accepting an invitation, selecting an account-registration acceptance checkbox, subscribing, creating or using an API key, submitting an API request, starting or scheduling an audit, connecting an integration, or otherwise using buggy.run, you accept these terms on behalf of yourself and any organization you represent.

Important authorization notice. buggy.run is a technology platform and service provider only. You, not buggy.run, select the targets, submit the instructions, decide whether testing is authorized, control the scope, provide credentials or project context, use the outputs, and are responsible for all consequences of each audit, scan, monitoring task, workflow, instruction, and output. buggy.run does not grant permission to test any website, domain, application, account, API, infrastructure, repository, network, service, or system.

These terms incorporate the buggy.run Acceptable Use Policy, any applicable order form, any applicable privacy notice or data processing terms, and any other written terms that expressly reference these Platform Terms.

1. Parties, account registration acceptance, and authority

In these terms, "buggy.run", "we", "us", and "our" refer to the operator of the buggy.run service. "Customer", "you", and "your" refer to the person or organization accessing or using the service. "Authorized User" means any person who accesses buggy.run through your account, workspace, organization, invitation, API key, session, credential, integration, or other access method.

If you create an account or use buggy.run for a company, client, employer, customer, agency, government body, or other organization, you represent and warrant that you have authority to bind that organization to these terms. If you do not have that authority, you may not use buggy.run for that organization, and you accept these terms in your individual capacity to the maximum extent permitted by law.

You are responsible for all acts and omissions of your Authorized Users, administrators, employees, contractors, agents, invitees, customers, clients, and any person using your account, credentials, sessions, tokens, API keys, or integrations.

The registration acceptance is intended to cover your account and all current and future use of buggy.run from that account, workspace, organization, API key, integration, or session, subject to these terms. buggy.run may also display reminders, notices, or warnings inside the product, but those reminders do not limit, replace, or reduce your continuing obligations under these terms.

2. Definitions

"Audit" means any scan, security review, agent workflow, continuous monitoring task, scheduled task, prompt, API call, instruction, test, analysis, report, finding, or other activity performed through or using buggy.run.

"Target" means any website, domain, subdomain, URL, application, API, cloud asset, repository, account, credential, log, network endpoint, infrastructure, service, system, or other asset submitted to, connected to, analyzed by, or tested through buggy.run.

"Customer Content" means website metadata, domain metadata, Target information, prompts, instructions, project names, audit context, credentials, uploaded files, logs, configuration information, vulnerability information, code snippets, repository information, and other materials you submit, connect, transmit, or make available to buggy.run.

"Audit Output" means any result, message, summary, finding, severity label, recommendation, remediation suggestion, code suggestion, risk explanation, report, artifact, or other output generated or surfaced by buggy.run.

"Authorization Evidence" means written permission, ownership evidence, domain verification, bug bounty scope confirmation, customer authorization, employer authorization, contract, statement of work, ticket, email, rules of engagement, provider approval, or other evidence showing that an Audit is authorized and within scope.

"Rules of Engagement" or "ROE" means the permitted scope, timing, techniques, rate limits, accounts, credentials, data handling requirements, exclusions, escalation contacts, stop-testing conditions, and other constraints applicable to an Audit.

3. Service scope and provider role

buggy.run provides agent-assisted security review, audit, and continuous monitoring workflows for Targets and project context that you submit or connect to the service.

The service may queue Audits, call AI models, use automated tools, process Customer Content, summarize findings, and surface suggested remediation steps. The service is not a substitute for a complete security program, manual penetration test, compliance audit, legal review, incident response service, managed security service, or professional advice.

buggy.run acts only as a technology platform and service provider. buggy.run is not the owner, operator, controller, requester, sponsor, approver, legal authorizer, or beneficiary of any Target unless expressly stated in a separate written agreement signed by buggy.run.

buggy.run does not become your employee, agent, partner, joint venturer, fiduciary, legal representative, security officer, penetration tester of record, or professional adviser merely because you use the service.

You are solely responsible for deciding whether and how to use the service, which Targets to submit, what instructions to provide, what credentials to use, whether an Audit is within scope, and whether any Audit Output should be used, disclosed, remediated, escalated, or ignored.

4. Continuing authorization representation

Your authorization to test is a material condition of these terms. By creating an account and each time you access or use buggy.run, you make a continuing representation and warranty that you have all rights, permissions, consents, approvals, and authorizations required for every Target, Customer Content item, credential, instruction, API request, scheduled task, monitoring workflow, and Audit submitted, configured, started, or permitted through your account.

This continuing representation applies to all current and future Audits, scans, workflows, monitoring tasks, scheduled jobs, agent instructions, API requests, integrations, Customer Content, Targets, and Audit Outputs associated with your account, workspace, organization, API keys, sessions, and Authorized Users. This representation applies even if buggy.run does not ask for a separate per-Audit checkbox, signature, attestation, or confirmation.

For every Target and every Audit, you represent and warrant that:

1. you own, control, administer, or are expressly authorized by the applicable owner or controller to test the Target;
2. your authorization is valid, current, not revoked, not disputed, and broad enough to cover the specific Audit, tools, timing, frequency, methods, credentials, automation, monitoring, and instructions you request;
3. the Audit is permitted by applicable law, contract, bug bounty program rules, vulnerability disclosure policy, platform policy, cloud provider policy, employer policy, customer authorization, and third-party service terms;
4. you will comply with all ROE, scope limits, rate limits, blackout windows, data handling rules, disclosure requirements, and stop-testing obligations;
5. you will not submit any Target, credential, prompt, file, log, API call, integration, or instruction that is outside the scope of your authorization;
6. you will maintain Authorization Evidence and provide it to buggy.run on request;
7. you will immediately stop, cancel, or modify any Audit if authorization expires, is revoked, is disputed, becomes unclear, or no longer covers the requested activity; and
8. you will not rely on buggy.run's technical ability to run an Audit as proof that the Audit is lawful, authorized, safe, or within scope.

If you cannot make these representations for a Target, Customer Content item, credential, instruction, workflow, or Audit, you must not submit it to buggy.run and must not use buggy.run for that activity.

buggy.run does not independently verify your ownership, control, permission, or legal authority for every Target. The fact that buggy.run accepts a Target, creates a project, queues an Audit, generates an output, fails to block a workflow, provides an integration, or provides a technical capability does not mean that buggy.run has approved the Target, verified authorization, expanded your permitted scope, or assumed responsibility for the Audit.

5. Customer responsibility for Audits and consequences

You are solely responsible for all Audits you request, configure, approve, schedule, automate, or permit through buggy.run, including Audits started by Authorized Users, API keys, integrations, automations, or compromised credentials.

To the maximum extent permitted by law, you accept all risks and consequences arising from or related to your Audits, Targets, instructions, Customer Content, credentials, use of Audit Outputs, and failure to comply with these terms. These consequences may include operational disruption, downtime, degraded performance, data exposure, data loss, account lockouts, third-party rate limiting, third-party account suspension, cloud provider action, vulnerability disclosure obligations, legal claims, regulatory claims, contractual claims, customer complaints, remediation costs, investigation costs, incident response costs, law enforcement inquiries, and claims by Target owners or affected third parties.

You are responsible for monitoring Audits while they run, stopping unsafe or unauthorized activity, validating Audit Outputs before relying on them, and ensuring that any remediation, disclosure, escalation, or follow-up testing is lawful and authorized.

You must not use buggy.run to create the appearance that buggy.run, rather than you, authorized, requested, conducted, sponsored, controlled, or accepted responsibility for an Audit.

6. Account security

You are responsible for maintaining the confidentiality of account credentials, magic links, sessions, API keys, site credentials, tokens, integrations, and any other access mechanism used with buggy.run.

You must promptly notify us of suspected unauthorized use of your account or any security incident involving buggy.run access. We may suspend, limit, throttle, revoke, or terminate access if we reasonably believe an account, credential, project, Target, instruction, or workflow creates risk to buggy.run, you, another customer, a Target owner, or any third party.

You must use least-privilege credentials where possible and must not submit credentials, secrets, tokens, cookies, private keys, or other access material that you are not authorized to use for the requested Audit.

7. Acceptable use and restricted activity

You must comply with the Acceptable Use Policy. You must not use buggy.run for unlawful access, unauthorized testing, evasion, destructive activity, denial-of-service activity, malware, credential attacks, phishing, spam, bot activity, social engineering, data exfiltration, persistence, lateral movement, unauthorized payloads, or any activity that would be unlawful or harmful if performed manually by you.

We may refuse, block, limit, pause, throttle, review, or terminate any workflow that appears to target systems you do not own or control, attempts restricted activity, creates excessive load, violates the Acceptable Use Policy, or creates operational, legal, regulatory, security, reputational, or third-party risk.

8. Customer Content and license

You retain ownership of Customer Content. You represent and warrant that you have all rights, licenses, permissions, and authorizations necessary to submit, connect, transmit, process, analyze, store, and use Customer Content through buggy.run.

You grant buggy.run a worldwide, non-exclusive, limited license to host, process, transmit, analyze, display, reproduce, create derived Audit Outputs from, and otherwise use Customer Content as necessary to provide, secure, troubleshoot, improve, enforce, and support the service.

You must not submit Customer Content that you are not legally allowed to provide or process through the service, including third-party confidential information, regulated data, personal data, customer data, production secrets, or proprietary materials unless you have authorization and accept the associated risk.

9. Sensitive data, secrets, and credentials

You are responsible for minimizing Customer Content and avoiding unnecessary submission of production secrets, private keys, health data, payment card data, government identifiers, customer data, regulated data, highly sensitive personal information, or third-party confidential information.

If you submit secrets, credentials, tokens, logs, files, or sensitive data to buggy.run, you represent that you are authorized to do so and that the submission is necessary and lawful for the requested Audit.

If buggy.run identifies or surfaces a secret, credential, vulnerability, sensitive finding, or possible data exposure, you are responsible for validating the issue, rotating affected credentials, notifying affected parties where required, preserving evidence where appropriate, and taking remediation steps.

10. Audit Outputs and AI limitations

Audit Outputs, agent messages, severity labels, summaries, code suggestions, risk explanations, reports, and remediation suggestions may be incomplete, inaccurate, outdated, duplicated, misleading, or context-dependent.

You are responsible for independently reviewing and validating all Audit Outputs before relying on them, deploying code, changing infrastructure, disclosing vulnerabilities, making business decisions, making legal or compliance decisions, or claiming that a system is secure, compliant, remediated, or tested.

We do not guarantee that buggy.run will find every vulnerability, produce any specific finding, meet any compliance standard, prevent a breach, validate a remediation, or make any system secure.

11. Billing, trials, and taxes

Paid plans, project limits, trial terms, support levels, renewal dates, and prices are shown in the product, checkout flow, order form, or subscription page. Unless stated otherwise, subscriptions renew automatically until cancelled.

You authorize us and our payment processors to charge applicable fees, taxes, renewals, usage charges, and other amounts using the payment method you provide. Fees are non-refundable except where required by law or expressly stated in writing.

We may change plan features, prices, and billing terms prospectively. If a change materially affects an active subscription, we will provide notice where legally required.

12. Confidentiality and security

Each party may receive non-public information from the other party. The receiving party will use reasonable care to protect confidential information and will use it only for purposes allowed by these terms.

No internet service, AI system, queue, website monitor, hosted application, integration, or automated security tool can be guaranteed secure or error-free. You are responsible for using least-privilege credentials, limiting submitted secrets, maintaining backups, monitoring your systems, and maintaining independent security controls.

13. Third-party services

buggy.run may rely on third-party infrastructure, AI providers, payment processors, email services, DNS or hosting providers, analytics providers, logging providers, monitoring providers, and other vendors.

Third-party services may have their own terms and privacy practices. We are not responsible for third-party services outside our control, and we may change providers where needed to operate, secure, or improve the service.

You are responsible for ensuring that your use of buggy.run complies with the terms, policies, scope limits, and technical limits of any third-party service, cloud provider, bug bounty program, customer system, employer system, or platform involved in your Audit.

14. Platform controls, suspension, and termination

We may investigate suspected violations and may suspend, limit, throttle, pause, terminate, remove content, preserve evidence, require Authorization Evidence, or block activity if we reasonably believe that your account, Target, Customer Content, instruction, Audit, or use of Audit Outputs violates these terms or creates risk.

We may report or disclose activity, Customer Content, account information, Audit metadata, or related records where we believe disclosure is necessary to prevent harm, comply with law, respond to legal process, enforce rights, investigate abuse, protect the service, or cooperate with affected providers, customers, regulators, law enforcement, or third parties.

You may stop using the service at any time. Termination does not relieve you of obligations incurred before termination or obligations intended to survive.

15. Disclaimers

The service is provided "as is" and "as available". To the maximum extent permitted by law, we disclaim all warranties, including implied warranties of merchantability, fitness for a particular purpose, title, non-infringement, uninterrupted operation, accuracy, reliability, security, and availability.

We do not warrant that Audits will be error-free, that Audit Outputs will identify all issues, that integrations will remain available, that the service will meet your requirements, or that the service will satisfy any regulatory, contractual, procurement, insurance, certification, or compliance requirement.

16. Limitation of liability

To the maximum extent permitted by law, buggy.run will not be liable for indirect, incidental, special, consequential, exemplary, punitive, or enhanced damages, or for lost profits, lost revenue, loss of goodwill, loss of data, security incidents, business interruption, downtime, remediation costs, incident response costs, investigation costs, third-party claims, or cost of substitute services.

To the maximum extent permitted by law, our total aggregate liability for all claims relating to the service will not exceed the greater of 100 USD or the amounts you paid to buggy.run for the service in the three months before the event giving rise to the claim.

The limitations in this section apply regardless of the legal theory asserted and even if a remedy fails of its essential purpose, to the maximum extent permitted by law.

17. Indemnity

You will defend, indemnify, and hold harmless buggy.run and its owners, directors, officers, employees, contractors, vendors, service providers, affiliates, successors, and assigns from and against any claims, demands, actions, investigations, damages, losses, liabilities, penalties, fines, costs, and expenses, including reasonable attorneys' fees, arising from or related to:

1. your Customer Content;
2. your Targets, Audits, instructions, credentials, API requests, integrations, monitoring tasks, or use of Audit Outputs;
3. your violation of these terms or the Acceptable Use Policy;
4. your violation of law, contract, policy, third-party rights, bug bounty rules, vulnerability disclosure rules, cloud provider terms, or platform terms;
5. any Audit, scan, test, monitoring task, instruction, or workflow requested, configured, scheduled, automated, or permitted by you without proper authorization or outside permitted scope; or
6. claims by Target owners, affected users, third-party providers, customers, employers, regulators, or law enforcement relating to your use of buggy.run.

18. Compliance, export, and sanctions

You are responsible for complying with all laws and regulations that apply to your access to and use of buggy.run, including computer misuse laws, privacy laws, data protection laws, export control laws, sanctions rules, anti-corruption laws, and security testing restrictions.

You must not use buggy.run in violation of sanctions, export controls, embargoes, or restrictions applicable to you, buggy.run, any third-party provider, or any Target.

19. Changes to terms and renewed acceptance

We may update these terms from time to time. The updated terms become effective when posted or when we otherwise notify you, unless a later date is stated.

If we make material changes, we may require renewed acceptance through the product, account page, checkout flow, login flow, or another reasonable mechanism. Continued use of buggy.run after updated terms become effective means you accept the updated terms.

We may retain acceptance records, including user ID, account ID, workspace ID, organization ID, email, IP address, user agent, timestamp, accepted document versions, acceptance text, and related metadata for service operation, security, enforcement, compliance, support, and defense.

20. Governing law and disputes

Unless a written order form states otherwise, these terms are governed by the laws of the Republic of Türkiye, excluding conflict-of-law rules. The courts and enforcement offices of Istanbul, Türkiye have exclusive jurisdiction over any dispute arising from them.

To the maximum extent permitted by law, disputes must be brought on an individual basis and not as a class, consolidated, collective, or representative action. Either party may seek urgent injunctive relief for security, intellectual property, unauthorized access, confidentiality, or service-abuse issues.

21. Contact

Questions about these terms can be sent to hello@bearer.studio.

Reports of suspected security issues or abuse can be sent to hello@bearer.studio.

22. Survival

Sections that by their nature should survive termination will survive, including provisions concerning authorization, Customer responsibility, Customer Content licenses needed for retained records, restrictions, confidentiality, disclaimers, limitations of liability, indemnity, compliance, disputes, and enforcement.


© 2026 buggy.run. All rights reserved.