Terms of Use
Last updated July 15, 2026
These Terms of Use (“Terms”) govern your access to and use of SiteThreat, including the public website, external exposure scanner, Site Threat Score, scan results, remediation guidance, downloadable reports, and related content or functionality (collectively, the “Service”). By accessing or using the Service, you agree to these Terms. If you do not agree, do not use SiteThreat.
The Service is intended for lawful, authorized, defensive website-security review. It is not an authorization to test any system, and it must not be used to identify, access, exploit, disrupt, or disclose information from systems you do not own or have explicit permission to assess.
1. Eligibility and authority
You may use the Service only if you are legally capable of entering into these Terms and are not prohibited from using the Service under applicable law. If you use SiteThreat for an organization, you represent that you have authority to act for that organization and to bind it to these Terms.
You are responsible for ensuring that your use is permitted by your employer, client, hosting provider, network provider, contract, internal policy, insurance requirements, and all applicable laws and regulations. SiteThreat does not verify your legal authority to act for a target system merely because you can enter its domain name.
2. Authorized use only
You may scan only domains, hostnames, websites, and systems that you own, administer, or have explicit permission to assess. Permission must come from a person or entity with authority over the target and must cover the type and timing of testing you perform.
Checking the authorization box is a representation by you that the required authority exists. It does not create permission, transfer responsibility to SiteThreat, or protect you from consequences if your representation is false or incomplete.
If you are a consultant, employee, contractor, managed-service provider, hosting provider, developer, or security professional acting for another party, you are responsible for confirming the scope of authorization before each scan. A prior relationship, public ownership record, administrative access, or technical ability to reach a system does not necessarily constitute permission to scan it.
3. Limited nature of the Service
SiteThreat performs a controlled set of external requests to public endpoints. Depending on the selected options, it may test the root domain, www, and mail hostnames for a defined list of sensitive paths and selected response headers.
The scanner may review HTTP status codes, final URLs, response headers, content types, request timing, and limited response samples. It may classify results, calculate a Site Threat Score, provide remediation guidance, and permit local download of report data.
The Service is not a comprehensive vulnerability scanner, authenticated assessment, source-code review, malware scanner, compliance audit, certification service, continuous monitoring system, or professional penetration test. It does not test every file, endpoint, hostname, protocol, parameter, application workflow, dependency, authentication boundary, configuration, or vulnerability class.
4. Acceptable defensive use
Subject to these Terms, you may use SiteThreat to review the external exposure posture of an authorized website, identify potentially public sensitive files, review selected browser-security headers, prioritize corrective work, verify remediation, and create internal reports for authorized operational or security purposes.
You may share results with the target owner, authorized administrators, security personnel, legal counsel, insurers, auditors, vendors, or other parties who reasonably need the information for remediation or risk management. You are responsible for protecting reports that contain sensitive URLs, server details, response samples, or evidence of exposure.
5. Prohibited conduct
You must not use SiteThreat to:
Scan without permission. Do not test a third-party domain, customer, competitor, public agency, employer, former employer, individual, or organization unless you have explicit authority from the system owner or an authorized representative.
Exploit or escalate findings. Do not use a result to access additional files, retrieve full datasets, obtain credentials, enter an account, execute code, change content, move laterally, maintain persistence, or expand beyond the limited authorized scan.
Disrupt systems. Do not use the Service to overload, degrade, interrupt, crash, flood, exhaust, or interfere with a website, network, application, security appliance, hosting account, or third-party service.
Evade safeguards. Do not bypass rate limits, access controls, authorization checks, robots, bot controls, firewall rules, captchas, network restrictions, scan limits, or other technical or administrative protections.
Harvest information. Do not collect, retain, sell, publish, trade, aggregate, or misuse credentials, personal information, proprietary information, source code, security data, or confidential content obtained through a scan.
Conduct surveillance or harassment. Do not use SiteThreat to intimidate, threaten, stalk, harass, embarrass, extort, defame, or pressure a person or organization.
Misrepresent results. Do not alter, fabricate, exaggerate, or present a scan result in a misleading way. Do not claim that SiteThreat certified a site, guaranteed security, confirmed legal noncompliance, or performed testing outside the Service’s actual scope.
Resell without permission. Do not reproduce, white-label, commercialize, resell, scrape, mirror, or provide the Service as your own scanning platform without written authorization.
Reverse engineer or attack SiteThreat. Do not probe, exploit, decompile, interfere with, or attempt unauthorized access to the SiteThreat website, code, infrastructure, data, administrative functions, or service providers.
Violate law or contract. Do not use the Service in a manner that violates criminal, civil, privacy, computer-access, consumer-protection, intellectual-property, export-control, sanctions, telecommunications, or other applicable law, or any contractual obligation.
6. Operational effects of scanning
Even limited scanning creates network requests. Those requests may appear in the target’s access logs, security logs, firewall records, analytics, intrusion-detection systems, bot-management tools, content-delivery networks, or hosting dashboards.
A target may rate-limit, block, challenge, redirect, or report the scanner. A poorly configured application may respond unexpectedly to ordinary requests. You are responsible for selecting an appropriate time, confirming operational approval, monitoring sensitive environments, and stopping if the scan appears to cause instability.
SiteThreat is designed to be non-destructive, but no network interaction is entirely risk-free. You accept the possibility of logs, alerts, blocked requests, temporary rate limits, unusual routing, or other operational effects.
7. Target and hosting-provider rules
Your authorization from a website owner may not override restrictions imposed by a hosting provider, cloud platform, content-delivery network, domain provider, managed-security service, or upstream network. Some providers require advance notice, limit security testing, or prohibit certain activity even when the customer owns the application.
You are responsible for reviewing and complying with all applicable provider policies. SiteThreat does not grant an exception to a provider’s acceptable-use policy or testing requirements.
8. Scan results and severity classifications
SiteThreat classifies each check based on the response evidence available at the time of the request. Results may be labeled safe, warning, medium, high, critical, or unknown. These labels are technical prioritization aids, not legal findings, guarantees, or definitive statements about the target.
A “safe” result means only that the specific requested resource appeared blocked, unavailable, or not directly exposed under the conditions tested. It does not establish that the website is secure or that the resource is unavailable through another hostname, filename, protocol, path, network, time, or method.
A warning or unknown result may be caused by custom routing, a branded error page, a redirect, timeout, TLS issue, connection failure, security gateway, content-delivery network, server error, rate limit, or other ambiguous behavior. Manual verification may be required.
A high or critical result may still require confirmation. You must review the final URL, status, content type, reason, and limited sample before taking action or communicating the finding to others.
9. Site Threat Score
The Site Threat Score is a numerical summary of findings produced by the checks completed in a particular scan. A score of 0 indicates no or minimal detected threat within the Service’s limited scope, and a score of 100 indicates critical detected threat.
The score is not a security score, certification, compliance rating, insurance assessment, warranty, or probability that an attack will occur. It does not account for every vulnerability, control, asset, business process, compensating safeguard, threat actor, consequence, or environmental factor.
The score may change because of target configuration, network conditions, selected scan options, host coverage, response routing, service updates, scoring adjustments, or temporary errors. Scores from different times or systems should not be treated as scientifically equivalent unless the scope and conditions are comparable.
You must not represent that a low score proves security or that a high score proves compromise. The score is intended to help prioritize review of the findings shown in the report.
10. False positives and false negatives
The Service may produce false positives. For example, a custom application page may return HTTP 200 for a path that does not actually expose the requested file, or a security gateway may produce content that resembles a sensitive response.
The Service may also produce false negatives. A sensitive resource may exist under an untested name, on an untested hostname, behind a condition the scanner does not trigger, or in a location outside the defined checks. A target may return a safe response during the scan and an unsafe response under different conditions.
You agree to verify material findings and not rely solely on SiteThreat when making security, legal, compliance, operational, financial, or public-disclosure decisions.
11. Remediation guidance
SiteThreat may provide plain-language remediation suggestions or example server configuration. Guidance is general information and may not be appropriate for every web server, hosting plan, framework, deployment architecture, operating system, access-control model, or business requirement.
Configuration changes can break a website, block legitimate content, conflict with provider rules, or create new issues if applied incorrectly. Review changes in a test environment when possible, maintain backups, understand the active configuration context, and use a qualified administrator or security professional when needed.
SiteThreat does not warrant that suggested configuration is complete, compatible, or sufficient. You are responsible for implementation, testing, rollback, credential rotation, log review, incident response, and validation.
12. Credentials and sensitive data
If a scan suggests that credentials, environment variables, private keys, tokens, database exports, backups, logs, or personal information are exposed, do not unnecessarily copy, distribute, or retain the content. Limit access to authorized personnel and take immediate steps to contain the exposure.
Blocking the file may not be sufficient. Credentials and secrets that were publicly accessible should be treated as potentially compromised and may need to be rotated or revoked. Relevant access logs, deployment history, repository history, backups, and adjacent systems may also require review.
You are responsible for complying with breach-notification, privacy, contractual, professional, regulatory, and incident-response obligations that may apply to the target and the exposed information. SiteThreat does not determine whether a legal breach occurred.
13. User responsibility for reports
Scan reports may contain security-sensitive information. You are responsible for storing, transmitting, downloading, naming, sharing, and deleting reports in a secure manner. Do not publish detailed findings before the target owner has had a reasonable opportunity to investigate and remediate, unless disclosure is legally required and appropriately managed.
Downloading a JSON or CSV report may place the file on your device, browser download folder, synchronized storage, backup service, enterprise monitoring system, or other environment outside SiteThreat’s control. Apply safeguards appropriate to the report’s contents.
14. No professional relationship
Use of SiteThreat does not create an attorney-client, consultant-client, auditor-client, fiduciary, professional-services, agency, partnership, joint-venture, employment, or other special relationship. General website content and automated remediation guidance are not legal, compliance, insurance, accounting, or individualized cybersecurity advice.
You should consult qualified professionals for matters requiring legal interpretation, regulatory assessment, incident response, forensic investigation, penetration testing, compliance certification, or specialized technical judgment.
15. No security or compliance guarantee
A clean scan does not prove that a website is secure, properly configured, patched, compliant, malware-free, intrusion-free, private, reliable, or suitable for any purpose. SiteThreat does not certify compliance with PCI DSS, HIPAA, GDPR, CCPA, SOC 2, ISO standards, accessibility standards, contractual controls, insurance requirements, or any other framework.
A finding does not prove that data was accessed by an unauthorized party, that an attacker exists, that exploitation occurred, or that a legal violation happened. It indicates only that the scanner observed evidence meeting its classification rules.
16. Availability and changes
The Service may be unavailable, interrupted, delayed, limited, modified, or discontinued at any time. Maintenance, attacks, provider outages, capacity limits, software defects, legal requirements, or other events may affect availability.
SiteThreat may add, remove, reorder, or modify checks, scoring weights, threat thresholds, interfaces, limits, remediation text, report formats, or other features without guaranteeing backward compatibility. A later scan may therefore produce a different result even when the target has not materially changed.
17. Enforcement and suspension
We may restrict, block, suspend, or terminate access to the Service when we reasonably believe a user has violated these Terms, created risk, made excessive requests, attempted unauthorized scanning, interfered with operations, misused results, or exposed SiteThreat or others to legal or security harm.
We may preserve and disclose relevant records when reasonably necessary to investigate abuse, respond to a complaint, protect systems, comply with legal process, or enforce these Terms. Enforcement decisions may be made without advance notice when immediate action is appropriate.
18. Intellectual property
SiteThreat, its name, logos, website design, text, graphics, scanner logic, remediation content, software, and other materials are owned by SiteThreat or its licensors and are protected by applicable intellectual-property laws. Except for the limited right to use the Service under these Terms, no ownership or license is transferred to you.
You may use your authorized scan results for internal security and remediation purposes. You may not copy substantial portions of the website, remove proprietary notices, use SiteThreat branding in a misleading manner, imply endorsement, or create a confusingly similar service without written permission.
19. Feedback
If you submit suggestions, ideas, corrections, or other feedback, you grant SiteThreat a nonexclusive, worldwide, royalty-free, transferable, sublicensable, perpetual, and irrevocable right to use, reproduce, modify, publish, and incorporate that feedback without restriction or compensation, provided that this does not authorize public disclosure of confidential information you clearly identify as confidential.
Do not submit feedback that you do not have the right to provide or that contains another party’s trade secrets, personal information, or protected material.
20. Third-party services and links
The Service may rely on or link to hosting providers, analytics tools, Client Assistance, target websites, content-delivery networks, browser features, and other third-party services. SiteThreat does not control those services and is not responsible for their content, availability, security, privacy practices, terms, or actions.
Opening a scan result’s final URL may expose you to content controlled by the target. Use caution, especially when a result suggests a downloadable file, server error, or sensitive content. SiteThreat does not guarantee that an external destination is safe.
21. Privacy
SiteThreat’s Privacy Policy describes information practices associated with the Service. By using SiteThreat, you acknowledge that network requests, technical logs, scan data, analytics information, and communications may be processed as described in that policy.
You are responsible for ensuring that your scan and handling of target information comply with applicable privacy and data-protection obligations. Do not use SiteThreat to collect personal information for unrelated purposes.
22. Disclaimer of warranties
To the maximum extent permitted by law, the Service is provided “as is” and “as available,” with all faults and without warranties of any kind, whether express, implied, statutory, or otherwise. SiteThreat disclaims warranties of merchantability, fitness for a particular purpose, title, noninfringement, accuracy, completeness, availability, reliability, security, compatibility, and freedom from harmful components.
SiteThreat does not warrant that the Service will be uninterrupted, error-free, current, complete, secure, or suitable for your environment; that every exposure will be detected; that every finding is accurate; that remediation guidance will work; or that use of the Service will prevent incidents, losses, claims, or regulatory action.
Some jurisdictions do not allow certain warranty exclusions. In those jurisdictions, exclusions apply only to the extent legally permitted.
23. Limitation of liability
To the maximum extent permitted by law, SiteThreat and its owners, operators, affiliates, licensors, vendors, service providers, employees, contractors, and agents will not be liable for indirect, incidental, special, consequential, exemplary, punitive, or enhanced damages; loss of profits, revenue, business, goodwill, data, use, or opportunity; business interruption; security incidents; system damage; remediation costs; legal claims; regulatory consequences; or other losses arising from or related to the Service.
This limitation applies whether a claim is based on contract, tort, negligence, strict liability, statute, warranty, misrepresentation, or another theory, and even if the possibility of loss was known or foreseeable.
To the extent a limitation of total liability is permitted, the aggregate liability arising from or related to the Service will not exceed the greater of the amount you paid directly to SiteThreat for the Service during the twelve months before the event giving rise to the claim or one hundred United States dollars. If you paid nothing, the applicable amount is one hundred United States dollars.
Some jurisdictions do not allow particular liability limitations. In those jurisdictions, the limitations apply only to the maximum extent permitted by law.
24. Indemnification
To the maximum extent permitted by law, you agree to defend, indemnify, and hold harmless SiteThreat and its owners, operators, affiliates, licensors, vendors, service providers, employees, contractors, and agents from claims, liabilities, damages, judgments, losses, penalties, costs, and expenses, including reasonable legal fees, arising from or related to:
your use or misuse of the Service; your scan of a system without authorization; your violation of these Terms; your violation of law, contract, provider policy, or third-party rights; your exploitation, disclosure, retention, or distribution of scan findings; your modification of a target system; or information and instructions you provide to another party.
SiteThreat may assume control of the defense of a matter subject to indemnification, and you agree to cooperate reasonably. You may not settle a claim in a manner that admits wrongdoing by or imposes obligations on SiteThreat without written consent.
25. Release relating to target systems
Disputes concerning ownership, authorization, security, privacy, availability, data, configuration, or operation of a scanned target are primarily between you and the target owner, administrator, provider, or other relevant party. To the maximum extent permitted by law, you release SiteThreat from claims arising solely from a target’s independent conduct, content, configuration, logging, blocking, response, or use of scan-related information.
26. Compliance with laws and sanctions
You must comply with applicable export-control, sanctions, anti-corruption, computer-access, cybersecurity, privacy, telecommunications, and other laws. You may not use the Service where prohibited or in connection with prohibited persons, entities, territories, activities, or end uses.
You represent that you are not using SiteThreat to support unlawful intrusion, espionage, extortion, credential theft, malware distribution, destructive activity, or evasion of legal restrictions.
27. Governing law and venue
Except where applicable consumer law requires otherwise, these Terms and disputes arising from or related to the Service will be governed by the laws of the State of California, without regard to conflict-of-law principles.
Subject to any mandatory law, the state and federal courts located in California will have exclusive jurisdiction over disputes that are not required to be resolved through another enforceable procedure. You consent to personal jurisdiction and venue in those courts.
28. Informal dispute resolution
Before filing a legal claim, you agree to provide a written description of the dispute through Client Assistance and allow at least thirty days for an informal effort to resolve it, unless immediate relief is necessary to prevent imminent harm or a shorter period is required by law.
The notice should include your contact information, the relevant scan or interaction, the factual basis of the dispute, and the relief requested. Informal communications are not an admission of liability and do not waive available defenses.
29. Injunctive relief
Unauthorized access, misuse of the scanner, exploitation of findings, interference with the Service, or infringement of intellectual property may cause harm that cannot be adequately remedied by money damages alone. SiteThreat may seek injunctive or equitable relief in addition to other remedies where permitted.
30. Changes to these Terms
We may update these Terms to reflect changes in the Service, law, risk, technology, vendors, or business practices. The “Last updated” date identifies the version currently posted.
Updated Terms become effective when posted unless a later date is stated. Continued use after the effective date constitutes acceptance of the revised Terms. If you do not agree with an update, stop using the Service.
31. Severability
If any provision of these Terms is found invalid, unlawful, or unenforceable, that provision will be enforced to the maximum extent permitted and the remaining provisions will remain in effect. A court may modify an unenforceable provision to best reflect its lawful purpose.
32. Waiver
A failure or delay in enforcing a provision is not a waiver. A waiver is effective only if made in writing by an authorized representative and applies only to the specific circumstance stated.
33. Assignment
You may not assign or transfer these Terms or your rights under them without written consent. SiteThreat may assign or transfer these Terms in connection with a merger, acquisition, financing, reorganization, sale of assets, change of control, or operation of the Service.
34. Entire agreement
These Terms, together with the Privacy Policy and any additional terms expressly presented for a feature, constitute the entire agreement between you and SiteThreat concerning the Service and supersede prior or contemporaneous communications on the same subject.
35. Contact
Questions about these Terms, reports of misuse, and support inquiries may be submitted through Client Assistance.
When reporting suspected misuse, include the relevant date, domain, and general nature of the issue, but do not send passwords, private keys, full credentials, or unnecessary copies of exposed information.