Authorization to Test
This document sets out the rules of engagement for Bug Circuit. It explains that we only ever test domains you have verified and explicitly authorized, defines what is in and out of scope, and records the permission you grant us before any testing begins.
Last updated: 6 July 2026
2.Ownership verification
Before you can authorize testing of a domain, you must prove control of it. We accept any one of the following verification methods:
- A one-time verification code we send to a recognized role address for the domain (for example security@ or admin@);
- A DNS TXT record we provide, published on the domain;
- A file we provide, served from the domain's /.well-known/ path;
- A meta tag we provide, placed on the domain's homepage.
Verification confirms that you control the domain at the time you authorize testing. Passive reconnaissance may run to support verification, but no active testing takes place until verification succeeds and you record an Authorization to Test.
3.What we test, and how
Our work has two parts, and it is important to understand the difference:
- Passive reconnaissance (automatic): subdomain discovery from certificate-transparency logs and public DNS, technology fingerprinting from a single homepage request, and DNS/email posture checks such as SPF and DMARC. This uses only publicly available information and a normal request to your homepage. It never attacks, exploits, or attempts to break into your site.
- Manual security testing (paid plans, performed by humans): all active security testing is carried out by human security engineers. On the CIRCUIT plan this is a manual audit producing a written report; on the SIGNAL plan it also includes fixing high and critical issues and ongoing cover. The free PULSE plan provides a manual yes/no verdict on whether critical bugs exist, with no active exploitation beyond what a human reviewer needs to reach that verdict.
We do not use automated attack tooling to hammer your systems. Testing is deliberate, human-led, and kept within the scope defined below.
4.Scope
Your authorization covers, and is limited to:
- The specific domain you verified for the relevant plan (each plan covers one domain); and
- Subdomains of that domain that resolve to infrastructure you own or control.
If a subdomain resolves to a third party's infrastructure, or points away from assets you control, it falls outside your authorization and we will not actively test it. Where scope is uncertain, we treat the asset as out of scope until you confirm control.
5.Out of scope
The following are never authorized under a standard engagement and are excluded unless separately agreed in writing:
- Third-party or hosted services you do not control (for example a payment processor, a SaaS provider, a CDN, or a managed platform), even if your domain relies on them;
- Physical security testing and social-engineering of your staff or contractors;
- Destructive tests, including anything intended to damage, delete, or corrupt data, degrade availability, or cause a denial of service;
- Testing of any asset for which ownership cannot be verified.
7.Your responsibilities
By authorizing testing you confirm and agree that:
- You own the assets in scope, or are otherwise lawfully entitled to authorize testing of them, and you have the authority to grant this permission on behalf of your organization;
- You will notify your hosting provider, and obtain any consent they require, where their terms call for it before testing infrastructure they host;
- You are responsible for your own backups and for the operational readiness of the assets being tested; and
- You will keep your account and verification methods (role addresses, DNS records, files, and meta tags) accurate and under your control.
8.Expiry and renewal
Ownership verification and the authorization tied to it are time-limited. Verification expires after a defined period, and an expired verification does not carry over to new work. If verification has lapsed, you must re-verify control of the domain and record a fresh Authorization to Test before any further testing takes place.
This protects you: it ensures that whoever authorizes testing still controls the domain at the time the work is done, and prevents a stale permission from being relied upon after ownership or control has changed.
9.Revocation
You may revoke your Authorization to Test at any time by contacting us at [email protected] or [email protected], or through your account where that option is available. On revocation we will stop active testing of the affected scope as soon as reasonably practicable.
Revocation is forward-looking: it does not undo testing already performed, and it does not delete the audit record of the authorization itself, which we retain as evidence that prior work was consented to. Revocation may affect our ability to deliver an in-progress plan; where relevant, our Terms of Service and Refund Policy govern any consequences for the affected order.
10.Grant of permission
Subject to this document, and for as long as your verification remains valid and unrevoked, you grant Bug Circuit permission to:
- Perform the automatic, passive reconnaissance described above against your verified domain and its in-scope subdomains; and
- On a paid plan, perform manual security testing within the defined scope, and (on SIGNAL) apply agreed fixes to high and critical issues.
We will act within scope, will not knowingly test out-of-scope or third-party assets, and will conduct testing in a manner intended to avoid harm to your systems and data. This permission is limited to the activities described here and does not authorize any use of your systems beyond delivering the plan you purchased.
11.Contact
For questions about this Authorization to Test, scope, or to revoke an authorization, contact us at:
- Security: [email protected]
- General and support: [email protected]
- Legal: [email protected]
- Privacy: [email protected]
This document is governed by the laws of Sri Lanka. Bug Circuit is operated by WEB CODE STORE (PVT) LTD, a company registered in Sri Lanka, company registration no. PV 00318975.