Legal

Acceptable Use Policy

This Acceptable Use Policy ("AUP") governs how you may use Bug Circuit's website, platform, and security-testing services (the "Services"). It exists to keep our testing lawful and authorized, protect the platform and its users, and set out the rules that everyone who uses Bug Circuit must follow.

Last updated: 6 July 2026

1.Scope and Acceptance

This AUP applies to everyone who accesses or uses Bug Circuit, whether on a free or paid plan. It forms part of, and should be read alongside, our Terms of Service, Privacy Policy, and the Authorization to Test. By creating an account, submitting a domain, purchasing a plan, or otherwise using the Services, you agree to comply with this AUP.

Bug Circuit is a security-testing product. Because our Services actively probe websites for vulnerabilities, misuse can cause real harm to real systems and can be illegal. The rules below are therefore strict and are enforced. If you do not agree to them, do not use the Services.

In this AUP, "you" means the individual and the organization on whose behalf they act; "domain" means an internet domain or the website served from it that you submit for reconnaissance or testing.

2.The Core Rule: Only Test What You Own or Are Authorized to Test

You may only submit, request reconnaissance on, or have us test a domain that you own or that you are explicitly and lawfully authorized to have tested by its owner. This is the single most important rule of the Services and it applies without exception.

You are solely responsible for confirming that you have the right to authorize testing of every domain you submit. Submitting a domain you do not own or control, without the owner's explicit authorization, is a serious violation and may be a criminal offense in many jurisdictions.

Even our passive reconnaissance — subdomain discovery from certificate-transparency logs and public DNS, technology fingerprinting from a single homepage request, and DNS/email posture checks such as SPF and DMARC — is directed at a specific domain at your request. You must have the right to direct that activity at the domain before you submit it.

3.Domain Verification and Authorization to Test

Before any active testing begins, you must complete two safeguards:

  1. 1.Prove ownership or control of the domain using one of the supported methods — a one-time code sent to a role address such as security@ or admin@, a DNS TXT record, a file placed at a /.well-known path, or a verification meta tag on the domain's homepage.
  2. 2.Record a click-through Authorization to Test, in which you confirm you are authorized to permit active security testing of the domain and accept the responsibilities set out in that document.

Active testing will not proceed until both steps are complete. Nothing in the verification flow, and nothing in this AUP, transfers to you any right or authorization you do not actually hold. The Authorization to Test is incorporated into this AUP by reference, and its terms apply to every scan you request.

If your authorization to test a domain ends, is revoked, or was never validly obtained, you must stop requesting testing of that domain immediately and notify us at [email protected].

4.Prohibited Uses

You must not do any of the following, and must not permit or help anyone else to do them:

Unauthorized and unlawful testing

  • Submit, scan, or request testing of any domain you do not own or are not explicitly authorized to test.
  • Use Bug Circuit to conduct any activity that is illegal, or that violates the rights of any person or organization or the terms of any third party.
  • Use reconnaissance data, scan findings, reports, or any other output from the Services to attack, gain unauthorized access to, disrupt, or otherwise compromise any system, whether or not that system was the subject of your scan.

Attacks on the platform and other users

  • Attempt to access accounts, tenants, data, findings, chat transcripts, audit logs, or other information that does not belong to you, or attempt to circumvent tenant isolation or row-level security.
  • Probe, scan, or attempt to penetrate, reverse-engineer, or interfere with the Bug Circuit platform or its infrastructure itself (as opposed to the domains you are authorized to test), except through an authorized responsible-disclosure channel.
  • Launch or facilitate any denial-of-service or distributed-denial-of-service activity, flood, or volumetric attack against the platform, our providers, or any third party.
  • Upload, host, transmit, or link to malware, ransomware, exploits, or other malicious code through the Services, including in scan requests, live chat, or any other input.
  • Interfere with, degrade, or disrupt the integrity, performance, or availability of the Services, or the servers and networks connected to them.

Abuse of plans, access, and content

  • Circumvent, or attempt to circumvent, plan limits (each plan covers a single domain), domain verification, authorization checks, discount vouchers, payment, rate limits, or any other technical or contractual control.
  • Share, sell, transfer, or provide access to your account, or use another person's account; each account is for the authorized user and organization to whom it is issued.
  • Resell, sublicense, or commercially exploit the Services, or provide testing to third parties, without our prior written agreement.
  • Scrape, crawl, harvest, or use bots or automated means to extract content or data from the Services, or copy, republish, or redistribute reports or other materials except as permitted for your own authorized use.
  • Misuse the AI chat assistant, live chat, or support channels — for example by attempting to extract other customers' data, submitting deliberately harmful prompts, or using them for anything other than legitimate product questions and support.
  • Provide false, misleading, or fraudulent information, including in domain submissions, ownership proofs, the Authorization to Test, payment, or identity.

5.Your Responsibilities

You are responsible for all activity that occurs under your account and for the accuracy of everything you submit. In particular, you must:

  • Keep your login and account access secure, and promptly report any suspected compromise or unauthorized use to [email protected].
  • Ensure that every domain you submit is one you are entitled to have tested, and keep that authorization current.
  • Use scan findings and reports only for legitimate defensive purposes — remediating and improving the security of the domains you are authorized to test.
  • Comply with all applicable laws and with the Terms of Service, Privacy Policy, and Authorization to Test.

6.How Bug Circuit Tests

For transparency: all security testing on Bug Circuit is performed manually by human security engineers. Only the initial reconnaissance — subdomain discovery, technology fingerprinting from a single homepage request, and DNS/email posture checks — is automatic, and that reconnaissance is passive and never attacks the site.

This does not narrow your obligations. Whether an activity is passive reconnaissance or active manual testing, it is directed at a domain at your request, and every rule in this AUP — above all the requirement of ownership or explicit authorization — applies in full.

7.Reporting Violations

If you become aware of any actual or suspected violation of this AUP — including unauthorized testing of a domain, misuse of findings, or a security issue in the platform — please report it promptly to [email protected]. We investigate credible reports and take appropriate action.

If you are the owner of a domain and believe it has been submitted to Bug Circuit without your authorization, contact [email protected] so we can investigate and, where appropriate, suspend the activity.

8.Enforcement and Consequences

We may take any action we consider appropriate in response to an actual or suspected violation of this AUP, at our discretion and without prior notice where the circumstances warrant. Depending on the severity and nature of the violation, this may include:

  • Removing, blocking, or refusing to process a domain, scan request, or other content;
  • Cancelling in-progress or queued testing and withholding results;
  • Suspending or restricting your access to some or all of the Services;
  • Terminating your account and any associated plans or security cover;
  • Preserving relevant records, including the append-only audit log, for investigation.
Unauthorized testing and other serious violations may be reported to, and investigated with, the relevant authorities. We will cooperate with law enforcement and with lawful requests and legal process, and may disclose relevant information where we are permitted or required to do so.

Suspension or termination for a violation does not entitle you to a refund and does not limit any other rights or remedies available to us. You remain responsible for any losses, claims, or costs arising from your violation, as further described in the Terms of Service.

9.Changes to This Policy

We may update this AUP from time to time to reflect changes in the Services, our practices, or legal requirements. When we make material changes, we will update the "last updated" date and, where appropriate, provide additional notice. Your continued use of the Services after an update takes effect means you accept the revised AUP.

10.Contact and Company Details

Questions about this AUP or how it applies to you can be sent to the appropriate contact below:

The Services are operated by WEB CODE STORE (PVT) LTD, a company registered in Sri Lanka, company registration number PV 00318975. This AUP is governed by the laws of Sri Lanka, without regard to its conflict-of-laws rules.

Questions about this policy? Email [email protected] or see our other legal documents.