Acceptable Use Policy

Effective Date: 2025-01-01

Last Updated: 2025-01-01

This Acceptable Use Policy ("AUP" or "Policy") governs your use of the MCPhacker security scanning platform, website, APIs, and all related services (collectively, the "Service") operated by MCPhacker ("we," "us," "our," or "MCPhacker").

This Policy is incorporated into and supplements our Terms of Service. By accessing or using the Service, you agree to comply with this Policy. Capitalized terms not defined in this Policy have the meanings assigned to them in the Terms of Service.


1. Purpose

MCPhacker provides automated security scanning tools for MCP (Model Context Protocol) servers. This Policy defines the acceptable and prohibited uses of the Service to ensure that the Service is used responsibly, ethically, legally, and in a manner that does not harm MCPhacker, its users, or third parties.

The security testing and vulnerability assessment tools provided by the Service are powerful capabilities that can be used for legitimate security improvement or can be misused to cause harm. This Policy establishes clear boundaries to promote responsible security testing practices.


2. Fundamental Principle: Authorized Scanning Only

2.1 Authorization Requirement

You must own or have explicit, written authorization from the owner to scan any MCP server, endpoint, system, or resource using the Service.

This is the foundational rule governing all use of the Service. Every scan you initiate through the Service must target a system that meets one of the following criteria:

  • You are the owner of the Scan Target, meaning you have legal ownership or administrative control over the server, endpoint, or system.
  • You have written authorization from the owner of the Scan Target, meaning you possess a current, valid, written document (such as a signed authorization letter, a penetration testing agreement, a bug bounty program scope document, or a contractual engagement) that explicitly authorizes you to perform the type of security testing conducted by the Service against the specified target.

2.2 Proof of Authorization

You must be able to demonstrate your authorization to scan any given target at any time. MCPhacker reserves the right to request proof of authorization for any scan, and failure to provide satisfactory proof may result in suspension or termination of your Account.

Acceptable forms of authorization documentation include:

  • A signed penetration testing agreement or security assessment contract.
  • A written authorization letter from the system owner, specifying the scope and duration of authorized testing.
  • Documentation of participation in a recognized bug bounty program that includes the Scan Target within its scope.
  • Evidence of administrative or ownership control over the Scan Target (e.g., DNS ownership verification, hosting account documentation).
  • A corporate authorization memo from an authorized officer of the organization that owns the Scan Target, if you are an employee or contractor acting on behalf of that organization.

2.3 Scope of Authorization

Your authorization must cover the specific type of security testing performed by the Service. General "IT access" or "system administration" privileges do not necessarily constitute authorization for security testing. Ensure that your authorization specifically permits:

  • Automated vulnerability scanning.
  • Sending security testing payloads (including injection attempts, authentication bypass attempts, and other common security test vectors).
  • The types and intensity of tests performed by the MCPhacker scanning engine.

2.4 Duration of Authorization

Ensure that your authorization is current and has not expired. If your authorization has a defined duration, you must not scan the target after the authorization period has ended.


3. Prohibited Activities

The following activities are strictly prohibited when using the Service. Violation of any of these prohibitions may result in immediate Account suspension or termination and may be reported to law enforcement.

3.1 Unauthorized Scanning

  • Scanning any MCP server, endpoint, system, or resource for which you do not have ownership or explicit written authorization from the owner.
  • Scanning systems that are explicitly excluded from the scope of your authorization.
  • Scanning systems after your authorization has expired or been revoked.
  • Scanning systems beyond the scope of your authorization (e.g., scanning additional ports, services, or endpoints not covered by your authorization).

3.2 Exploitation of Vulnerabilities

  • Using Scan Results, vulnerability information, or any data obtained through the Service to exploit, attack, compromise, or gain unauthorized access to any system, whether the scanned system or any other system.
  • Developing, creating, or distributing exploits, malware, or attack tools based on vulnerability information obtained through the Service.
  • Leveraging identified vulnerabilities to extract, modify, delete, or access data on the scanned system beyond what is necessary for validation and documentation of the vulnerability.
  • Chaining or combining vulnerabilities discovered through the Service to escalate privileges, pivot to other systems, or achieve unauthorized objectives.

3.3 Unauthorized Distribution of Vulnerability Data

  • Selling, trading, licensing, or commercially distributing vulnerability information, Scan Results, or security assessment data obtained through the Service to any third party.
  • Publishing or publicly disclosing vulnerability details for systems you do not own without following responsible disclosure practices (see Section 4).
  • Sharing vulnerability information on underground forums, dark web marketplaces, exploit databases, or other channels where it could be used for malicious purposes.
  • Providing vulnerability information to individuals or entities that you know or reasonably should know intend to use it for malicious purposes.

3.4 Denial of Service and Disruptive Behavior

  • Using the Service in a manner that overwhelms, degrades, disrupts, or renders unavailable the Scan Target or any other system, network, or service.
  • Configuring or using the Service in a way that produces traffic patterns resembling a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack.
  • Intentionally targeting systems that you know to be fragile, resource-constrained, or likely to be disrupted by security scanning traffic.
  • Using the Service to generate excessive traffic, requests, or load against any system beyond what is reasonably necessary for security assessment.

3.5 Account and Credential Abuse

  • Sharing your Account credentials, login links, session tokens, or API keys with any other individual or entity.
  • Using another person's Account, credentials, or session without their explicit permission.
  • Creating multiple Accounts for the purpose of circumventing Plan limitations, usage restrictions, rate limits, this Policy, or the Terms of Service.
  • Transferring, selling, or renting your Account to any other individual or entity.
  • Using shared, team, or organizational Accounts in a manner that violates the terms of your License.

3.6 Reverse Engineering and Intellectual Property Violations

  • Reverse engineering, decompiling, disassembling, or otherwise attempting to derive the source code, algorithms, scanning techniques, detection logic, or underlying technology of the Service's scanning engine or any component thereof.
  • Attempting to discover the specific vulnerability signatures, detection patterns, or heuristics used by the scanning engine through systematic testing or analysis.
  • Copying, reproducing, or creating derivative works of the Service, its interface, documentation, or any proprietary component.
  • Removing, altering, or obscuring any proprietary notices, trademarks, or attribution from the Service or its outputs.

3.7 Automated Mass Scanning and Rate Limit Circumvention

  • Using automated scripts, bots, crawlers, schedulers, or other automated tools to submit scan requests beyond the limits of your Plan.
  • Attempting to circumvent, bypass, disable, or manipulate rate limits, usage quotas, scan frequency restrictions, or any other usage controls implemented by the Service.
  • Creating or using multiple Accounts, API keys, or sessions to aggregate usage beyond what a single Account on your License tier would allow.
  • Using proxy servers, VPNs, IP rotation services, or other techniques specifically to circumvent rate limiting, IP-based restrictions, or abuse prevention mechanisms of the Service.
  • Implementing automated retry logic that does not respect rate limit responses or back-off requirements communicated by the Service.

3.8 Circumventing License Restrictions

  • Accessing or attempting to access features, capabilities, or scan types that are not included in your current License tier.
  • Manipulating API requests, parameters, or payloads to bypass License-based feature restrictions.
  • Exploiting bugs, vulnerabilities, or errors in the Service to obtain access to features or capabilities beyond your License tier.
  • Using free-tier accounts in a manner inconsistent with their intended purpose (e.g., creating new accounts repeatedly to exploit free-tier limits).

3.9 Interference with the Service

  • Introducing viruses, trojan horses, worms, ransomware, spyware, or any other malicious code, malware, or harmful technology to the Service.
  • Attempting to gain unauthorized access to the Service, its infrastructure, other user accounts, or any systems connected to the Service.
  • Probing, scanning, or testing the vulnerability of the Service itself or any related system or network without explicit written authorization from MCPhacker.
  • Interfering with or disrupting the integrity, performance, or availability of the Service or the data contained therein.
  • Sending altered, deceptive, or false information to the Service, including falsified Scan Target information.

3.10 Illegal Activities

  • Using the Service for any purpose that violates any applicable federal, state, local, or international law or regulation.
  • Using the Service in connection with activities that violate the Computer Fraud and Abuse Act (18 U.S.C. Section 1030), the California Comprehensive Computer Data Access and Fraud Act (Cal. Penal Code Section 502), or equivalent laws in other jurisdictions.
  • Using the Service to facilitate fraud, identity theft, extortion, blackmail, or any other criminal activity.
  • Using the Service to violate any individual's privacy rights or data protection rights under applicable law.

3.11 Misrepresentation

  • Falsely claiming ownership of or authorization to scan systems you do not own and are not authorized to scan.
  • Impersonating any individual, organization, or entity when using the Service.
  • Falsely representing the capabilities, results, or endorsement of the Service to third parties.
  • Misrepresenting your affiliation with any person or entity.


4. Responsible Disclosure Obligations

4.1 Responsible Disclosure Principles

If you discover critical or significant vulnerabilities through the Service in systems that you are authorized to scan, we strongly encourage and expect you to follow responsible disclosure practices:

  • Notify the System Owner: Promptly inform the owner or operator of the affected system about the discovered vulnerability. Provide sufficient technical detail to allow them to understand and reproduce the issue.
  • Allow Reasonable Remediation Time: Give the system owner a reasonable period of time (typically 90 days, unless the vulnerability poses an imminent threat to public safety) to investigate and remediate the vulnerability before any public disclosure.
  • Avoid Exploitation: Do not exploit the vulnerability beyond the minimum necessary to demonstrate its existence and impact. Do not access, modify, or exfiltrate data beyond what is necessary for proof of concept.
  • Coordinate Disclosure: If you intend to publicly disclose vulnerability details, coordinate the timing and content of the disclosure with the system owner. Public disclosure should occur only after the system owner has had reasonable time to address the issue or has explicitly consented to disclosure.
  • Minimize Harm: Take reasonable steps to minimize any potential harm to the system, its users, and the public.

4.2 Bug Bounty Programs

If the Scan Target is covered by a bug bounty program, you must comply with the rules and scope of that program. Follow the program's specific disclosure policies, reporting procedures, and scope limitations. MCPhacker is not responsible for your compliance with third-party bug bounty program rules.

4.3 Reporting to MCPhacker

If you discover vulnerabilities in the MCPhacker Service itself, please report them to us at the security contact email provided below. We appreciate responsible disclosure and will work to address reported vulnerabilities promptly.


5. Monitoring and Enforcement

5.1 Monitoring

MCPhacker reserves the right to monitor use of the Service for compliance with this Policy. Monitoring may include, but is not limited to:

  • Reviewing scan activity logs, including Scan Targets and scan frequency.
  • Analyzing usage patterns for signs of abuse, unauthorized activity, or Policy violations.
  • Investigating reports of Policy violations from third parties.
  • Employing automated systems to detect suspicious or prohibited activity.

5.2 Investigation

If MCPhacker becomes aware of a potential violation of this Policy, we may investigate by:

  • Reviewing your Account activity and scan history.
  • Requesting proof of authorization for specific Scan Targets.
  • Contacting you to discuss the potential violation.
  • Contacting the owner of a Scan Target to verify authorization.

5.3 Cooperation

You agree to cooperate with MCPhacker in any investigation of suspected Policy violations, including providing requested information, documentation, and proof of authorization in a timely manner.


6. Consequences of Violation

6.1 Actions MCPhacker May Take

If MCPhacker determines, in its sole discretion, that you have violated this Policy, we may take one or more of the following actions, with or without prior notice:

  • Warning: Issue a formal warning notifying you of the violation and requiring corrective action.
  • Temporary Suspension: Temporarily suspend your Account and access to the Service for a specified period.
  • Feature Restriction: Restrict your access to certain features or capabilities of the Service.
  • Rate Limit Reduction: Reduce your rate limits or usage quotas below the standard limits for your License tier.
  • Permanent Termination: Permanently terminate your Account and access to the Service.
  • Data Deletion: Delete your Account data, including encrypted scan data, in accordance with our data retention policies.
  • Reporting to Law Enforcement: Report the violation to appropriate law enforcement authorities, particularly in cases involving unauthorized access to computer systems, violations of the Computer Fraud and Abuse Act (CFAA), or other criminal conduct. Note: Due to our zero-knowledge architecture, we cannot provide law enforcement with plaintext scan data, as we do not have access to it.
  • Legal Action: Initiate legal proceedings against you to recover damages, obtain injunctive relief, or enforce our rights.

6.2 No Refunds

If your Account is suspended or terminated due to a violation of this Policy, you are not entitled to any refund of purchased licenses. All license purchases are final and non-refundable.

6.3 Effect on Other Users

If a violation by one user affects shared or organizational accounts, MCPhacker may take action against the individual user, the shared account, or both, as appropriate.

6.4 Severity Considerations

The specific action taken will depend on the nature and severity of the violation, including:

  • Whether the violation was intentional or unintentional.
  • Whether it was a first offense or a repeat violation.
  • The potential or actual harm caused by the violation.
  • Whether the user cooperated with the investigation.
  • Whether the user took corrective action upon being notified.


7. Safe Harbor Statement

7.1 Authorized Security Testing Is Legal

MCPhacker supports and encourages authorized security testing and responsible vulnerability research. Security scanning performed with proper authorization is a legitimate and valuable activity that contributes to the overall security of the technology ecosystem.

When conducted in compliance with this Policy and applicable law:

  • Authorized scanning is not hacking. Security testing performed with the system owner's permission is a legitimate security practice, not an unauthorized intrusion.
  • Authorized scanning is not a crime. Under the Computer Fraud and Abuse Act (CFAA) and analogous state laws, accessing a computer system with authorization is not a criminal offense. Users who have proper authorization to scan their targets are not engaging in unauthorized access.
  • Vulnerability research benefits everyone. Identifying and remediating vulnerabilities before they can be exploited by malicious actors improves security for everyone.

7.2 MCPhacker's Position

MCPhacker is committed to:

  • Providing tools that enable authorized security testing.
  • Cooperating with law enforcement to address misuse of the Service.
  • Supporting responsible vulnerability disclosure practices.
  • Advocating for clear legal frameworks that protect authorized security researchers.

7.3 User's Responsibility

While MCPhacker provides the tools for security testing, the user bears sole responsibility for ensuring that their use of the Service is authorized and legal. MCPhacker's safe harbor statement applies only to users who have proper authorization and comply with all applicable laws, this Policy, and the Terms of Service.


8. API Usage Guidelines

8.1 API Access

If the Service provides API access, the following additional guidelines apply to your use of the API:

  • Authentication: You must authenticate all API requests using valid credentials associated with your Account.
  • Rate Limits: You must respect all rate limits communicated through API response headers, documentation, or error messages. Implement appropriate back-off and retry logic that respects rate limit responses.
  • Intended Use: The API must be used only for its intended purpose of submitting scan requests and retrieving Scan Results, not for scraping, data mining, or any other unauthorized purpose.
  • Error Handling: Implement proper error handling to gracefully manage API errors, rate limit responses, and service interruptions without causing excessive retries or load.

8.2 API Keys and Credentials

  • API keys and credentials are tied to your Account and Plan.
  • You are responsible for the security of your API keys.
  • Do not embed API keys in public repositories, client-side code, or other publicly accessible locations.
  • Rotate API keys immediately if you suspect they have been compromised.
  • Report suspected API key compromise to MCPhacker immediately.


9. Reporting Violations and Abuse

9.1 Reporting by Users

If you become aware of any violation of this Policy or any abuse of the Service, please report it to us immediately at the contact email provided below. When reporting a violation, please include:

  • A description of the suspected violation.
  • Any evidence or documentation supporting the report.
  • The approximate date and time of the suspected violation.
  • Any other information that may help us investigate.

9.2 Reporting by Third Parties

If you are a system owner or operator and believe that your system has been scanned through the Service without your authorization, please contact us immediately at the abuse contact email provided below. We take reports of unauthorized scanning seriously and will investigate promptly.

Please include:

  • Your contact information and your relationship to the affected system.
  • The IP address or endpoint that was scanned.
  • The approximate date and time of the suspected unauthorized scan.
  • Any log data or evidence of the unauthorized scan.
  • A statement that you have not authorized the scan.

9.3 Response to Reports

MCPhacker will acknowledge receipt of abuse reports within two (2) business days and will investigate in a timely manner. We may contact you for additional information during the investigation. We will take appropriate action based on the findings of our investigation, as described in Section 6.


10. Changes to This Policy

MCPhacker reserves the right to modify this Policy at any time. If we make material changes, we will:

  • Post the updated Policy on the Service with a revised "Last Updated" date.
  • Notify you via the email address associated with your Account.

Material changes will be effective thirty (30) days after notification. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Policy. If you do not agree to the revised Policy, you must stop using the Service.


11. Relationship to Other Policies

This Acceptable Use Policy is part of MCPhacker's overall policy framework. It supplements and should be read in conjunction with:

  • Terms of Service: Governs the overall terms of your use of the Service.
  • Privacy Policy: Describes our data collection and processing practices.
  • Cookie Policy: Describes our use of cookies.
  • Disclaimer: Provides important disclaimers about the Service and Scan Results.

In the event of any conflict between this Policy and the Terms of Service, the Terms of Service shall prevail.


12. Contact Information

If you have questions about this Policy, need to report a violation, or wish to report unauthorized scanning, please contact us:


This Acceptable Use Policy was last updated on 2025-01-01.