WebScanify is a legitimate security testing tool. It is designed exclusively for website owners, security professionals, and developers who hold verifiable authorisation to test the systems they scan. Misuse exposes users to criminal liability and is reported to law enforcement. This policy forms part of our Terms of Service and is binding on all users.
1. Permitted Uses
Scanning domains and websites that you own outright or for which you hold documented written authorisation from the owner — whether using a free scan or a paid plan.
Scanning client websites where you hold explicit written authorisation signed by the domain owner naming you as the authorised tester.
Security professionals conducting authorised penetration tests or vulnerability assessments with a signed Statement of Work or equivalent written engagement.
Development and DevOps teams testing staging, test, or development environments they own and control.
Bug bounty hunters scanning targets that are explicitly listed in scope in a public bug bounty programme (e.g., HackerOne, Bugcrowd). Out-of-scope assets may not be scanned even if the programme exists.
Educational use on dedicated personal test environments (e.g., DVWA, TryHackMe VMs, HackTheBox labs, self-hosted sandboxes) where you own or are assigned the environment.
2. Authorisation Requirement
WebScanify does not perform automated verification of domain ownership before a scan is initiated. Authorisation is your sole responsibility. Before running any scan you must hold, and be able to produce on request, at least one of the following:
Proof of ownership: evidence that you are the registered domain owner (e.g., registrar account access, WHOIS record matching your identity);
Written authorisation: a signed letter, email, or engagement letter from the target domain's registered owner explicitly authorising active security testing — you must retain this document and produce it within 48 hours of any request by WebScanify or a competent authority; or
Lawful mandate: a legal instrument, court order, or regulatory directive authorising the test.
By clicking the authorisation checkbox and submitting a scan you make a legally binding self-declaration that you hold the required authorisation. This declaration is logged with your account, IP address, and timestamp. The same self-declaration applies to both free and paid scans — there is no scan tier that exempts you from the authorisation requirement.
Payment for a scan plan does not constitute proof of authorisation. We may request evidence of authorisation at any time for any scan you have run. Failure to provide satisfactory evidence within 48 hours of request may result in account suspension and referral to the domain owner or law enforcement.
3. Prohibited Uses
The following activities are strictly prohibited. Violations will result in immediate account suspension without refund and referral to law enforcement authorities including CERT-In, local police, and international cybercrime units as appropriate.
Unauthorised scanning: scanning any domain, IP address, or system without meeting the verifiable authorisation requirements set out in Section 2.
Active exploitation: using scan results or the platform to actively exploit vulnerabilities in any system you do not own.
Competitor intelligence: scanning competitors' or third-party websites to gain business intelligence, reverse-engineer their systems, or damage their operations.
Denial of service: using WebScanify in any manner that intentionally floods, overwhelms, or degrades a target system's availability.
Data harvesting: using the Service to harvest personal data, credentials, trade secrets, or confidential information from third-party systems.
Unauthorised resale: selling, licensing, or distributing scan reports or API access to third parties without our prior written consent.
Platform abuse: attempting to reverse-engineer WebScanify, circumvent rate limits, scrape the API, forge authentication tokens, or manipulate scan results.
Critical infrastructure: scanning hospitals, emergency services, national grid, financial clearing systems, or government systems without a lawful mandate and written authority from the relevant owner or regulatory body.
False declarations: providing false ownership declarations or forged written consent at the point of scan submission.
4. Legal Compliance
You are solely responsible for ensuring your use of WebScanify complies with all laws applicable in your jurisdiction, including:
India: Information Technology Act, 2000, Sections 43, 66, 66B, 66C, 66F; IT (Amendment) Act, 2008; CERT-In Directions, 2022
United States: Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030; Electronic Communications Privacy Act (ECPA)
United Kingdom: Computer Misuse Act 1990 (as amended)
European Union: Directive on Attacks Against Information Systems (2013/40/EU); GDPR where personal data is involved
All jurisdictions: applicable cybercrime legislation, data protection law, and sector-specific regulations (PCI-DSS, HIPAA, etc.)
Ignorance of local law is not a defence. If you are uncertain whether you have lawful authority to scan a target, do not scan it. Consult qualified legal counsel if in doubt.
5. Your Legal Declaration
By submitting any scan through WebScanify, you make the following legally binding declarations:
You are the registered owner of the target domain or system, OR you hold documented, verifiable written permission from the owner specifically authorising you to conduct security testing.
You will use scan results exclusively to improve the security of the tested system.
You will not use results to exploit, damage, access without permission, or disclose vulnerabilities of the target or any related systems.
You understand that a false declaration constitutes an offence under Section 66 of India's IT Act, 2000 and equivalent law in your jurisdiction, and may result in criminal prosecution.
You accept that WebScanify will preserve all logs related to your scan activity and provide them to law enforcement or regulatory authorities upon lawful request.
6. Enforcement & Regulatory Cooperation
Any misuse of WebScanify is solely the responsibility of the user who committed it. WebScanify accepts no liability for unauthorised scanning conducted by users who provided false declarations. We will cooperate fully with:
CERT-In (India): India's Computer Emergency Response Team. We will report suspected cybercrime incidents as required by CERT-In Directions, 2022 within the mandatory 6-hour window.
Law enforcement: local police, CBI Cyber Crime Unit, FBI, NCA, Europol, and equivalent agencies upon lawful request.
Domain owners: organisations reporting unauthorised scanning of their systems will receive our full cooperation and relevant log data subject to applicable law.
Payment processors: we will cooperate with fraud investigations involving our payment partners.
Actions we may take against violators:
Immediate account suspension without refund.
Permanent ban with all associated data preserved for legal proceedings.
Report to CERT-In, relevant law enforcement, and the domain owner of any scanned target.
Civil action for damages caused by misuse of our platform.
We log all scan activity including scan targets, scan type, originating IP address, account details, and timestamps. These logs are retained as specified in our Privacy Policy and will be produced in response to valid legal process.
7. Reporting Unauthorised Scans
If you believe WebScanify is being used to scan your systems without your authorisation, contact us immediately at [email protected] with the subject "Unauthorised Scan Report". Include the target domain, approximate time of scan, and any logs or evidence. We will acknowledge within 4 hours and take appropriate action within 24 hours, including suspending the responsible account and preserving evidence for legal proceedings.
8. Changes to This Policy
We may update this Acceptable Use Policy to address new threats, legal requirements, or platform changes. Material changes will be communicated to all registered users by email with at least 14 days' advance notice. Continued use after the effective date constitutes acceptance.
9. Governing Law
This Acceptable Use Policy is governed by the laws of India, including the IT Act, 2000 and its amendments. Disputes are subject to the exclusive jurisdiction of the courts of Madhya Pradesh, India.