Legal

Authorization to Test

This document sets out the rules of engagement for Bug Circuit. It explains that we only ever test domains you have verified and explicitly authorized, defines what is in and out of scope, and records the permission you grant us before any testing begins.

Last updated: 6 July 2026

1.Why authorization matters

Accessing, probing, or attacking a computer system without the owner's permission is illegal in most jurisdictions. Examples include the U.S. Computer Fraud and Abuse Act (CFAA), the UK Computer Misuse Act 1990, and equivalent laws elsewhere. Bug Circuit ('we', 'us', operated by WEB CODE STORE (PVT) LTD) is an authorized-testing service: we perform security work only on assets a customer ('you') has verified they own and has explicitly authorized us to test.

This Authorization to Test is a legal precondition to any testing. It is a binding record of the permission you grant us and of the scope within which we operate. It supplements our Terms of Service and Privacy Policy and, where they conflict on the subject of testing scope and authorization, this document governs.

You may only authorize testing of assets you actually own or are otherwise lawfully entitled to have tested. Authorizing us to test a domain you do not control is a breach of this agreement and may itself be unlawful.

2.Ownership verification

Before you can authorize testing of a domain, you must prove control of it. We accept any one of the following verification methods:

  • A one-time verification code we send to a recognized role address for the domain (for example security@ or admin@);
  • A DNS TXT record we provide, published on the domain;
  • A file we provide, served from the domain's /.well-known/ path;
  • A meta tag we provide, placed on the domain's homepage.

Verification confirms that you control the domain at the time you authorize testing. Passive reconnaissance may run to support verification, but no active testing takes place until verification succeeds and you record an Authorization to Test.

3.What we test, and how

Our work has two parts, and it is important to understand the difference:

  • Passive reconnaissance (automatic): subdomain discovery from certificate-transparency logs and public DNS, technology fingerprinting from a single homepage request, and DNS/email posture checks such as SPF and DMARC. This uses only publicly available information and a normal request to your homepage. It never attacks, exploits, or attempts to break into your site.
  • Manual security testing (paid plans, performed by humans): all active security testing is carried out by human security engineers. On the CIRCUIT plan this is a manual audit producing a written report; on the SIGNAL plan it also includes fixing high and critical issues and ongoing cover. The free PULSE plan provides a manual yes/no verdict on whether critical bugs exist, with no active exploitation beyond what a human reviewer needs to reach that verdict.

We do not use automated attack tooling to hammer your systems. Testing is deliberate, human-led, and kept within the scope defined below.

4.Scope

Your authorization covers, and is limited to:

  • The specific domain you verified for the relevant plan (each plan covers one domain); and
  • Subdomains of that domain that resolve to infrastructure you own or control.

If a subdomain resolves to a third party's infrastructure, or points away from assets you control, it falls outside your authorization and we will not actively test it. Where scope is uncertain, we treat the asset as out of scope until you confirm control.

5.Out of scope

The following are never authorized under a standard engagement and are excluded unless separately agreed in writing:

  • Third-party or hosted services you do not control (for example a payment processor, a SaaS provider, a CDN, or a managed platform), even if your domain relies on them;
  • Physical security testing and social-engineering of your staff or contractors;
  • Destructive tests, including anything intended to damage, delete, or corrupt data, degrade availability, or cause a denial of service;
  • Testing of any asset for which ownership cannot be verified.
Some third-party providers require their own advance permission before anyone may test infrastructure they host. Even where an asset would otherwise be in scope, you are responsible for obtaining any such permission that applies to you.

6.The recorded authorization

When you authorize testing, we record a click-through Authorization to Test as part of an append-only audit log. For each authorization we retain:

  • The identity of the authorizing account (your business email and organization name);
  • The verified domain the authorization applies to;
  • The verification method used and the fact that verification succeeded;
  • A timestamp;
  • The IP address the authorization was submitted from; and
  • The authorization token or identifier for the record.

This record is your evidence, and ours, that testing was authorized. It is retained so that both parties can demonstrate the engagement was lawful and consented to. See our Privacy Policy for how this data is handled.

7.Your responsibilities

By authorizing testing you confirm and agree that:

  • You own the assets in scope, or are otherwise lawfully entitled to authorize testing of them, and you have the authority to grant this permission on behalf of your organization;
  • You will notify your hosting provider, and obtain any consent they require, where their terms call for it before testing infrastructure they host;
  • You are responsible for your own backups and for the operational readiness of the assets being tested; and
  • You will keep your account and verification methods (role addresses, DNS records, files, and meta tags) accurate and under your control.

8.Expiry and renewal

Ownership verification and the authorization tied to it are time-limited. Verification expires after a defined period, and an expired verification does not carry over to new work. If verification has lapsed, you must re-verify control of the domain and record a fresh Authorization to Test before any further testing takes place.

This protects you: it ensures that whoever authorizes testing still controls the domain at the time the work is done, and prevents a stale permission from being relied upon after ownership or control has changed.

9.Revocation

You may revoke your Authorization to Test at any time by contacting us at [email protected] or [email protected], or through your account where that option is available. On revocation we will stop active testing of the affected scope as soon as reasonably practicable.

Revocation is forward-looking: it does not undo testing already performed, and it does not delete the audit record of the authorization itself, which we retain as evidence that prior work was consented to. Revocation may affect our ability to deliver an in-progress plan; where relevant, our Terms of Service and Refund Policy govern any consequences for the affected order.

10.Grant of permission

Subject to this document, and for as long as your verification remains valid and unrevoked, you grant Bug Circuit permission to:

  • Perform the automatic, passive reconnaissance described above against your verified domain and its in-scope subdomains; and
  • On a paid plan, perform manual security testing within the defined scope, and (on SIGNAL) apply agreed fixes to high and critical issues.

We will act within scope, will not knowingly test out-of-scope or third-party assets, and will conduct testing in a manner intended to avoid harm to your systems and data. This permission is limited to the activities described here and does not authorize any use of your systems beyond delivering the plan you purchased.

11.Contact

For questions about this Authorization to Test, scope, or to revoke an authorization, contact us at:

This document is governed by the laws of Sri Lanka. Bug Circuit is operated by WEB CODE STORE (PVT) LTD, a company registered in Sri Lanka, company registration no. PV 00318975.

Questions about this policy? Email [email protected] or see our other legal documents.