Terms of Service
Last updated: 2026-04-23
These Terms of Service ("Terms") govern your use of Security:Lab ("Service") operated by the service owner ("we", "us"). By accessing or using the Service, you agree to be bound by these Terms.
1. Definitions
- Service: the web security audit, reporting, and related features offered at security.elab-studio.xyz.
- User: any individual or entity using the Service under these Terms.
- Target domain: the host or domain you submit for auditing.
- Ownership verification: the procedure of proving control over the target domain by placing a file at /.well-known/site-audit-verify.txt or adding the provided meta tag.
- Passive scan: analysis based on public responses without impacting availability.
- Active scan: probes that inject inputs (e.g., open-redirect parameters, CORS origin echo, reflected parameters) and observe the responses.
2. The Service
- We provide automated reports covering HTTP headers, TLS, DNS email authentication, exposed paths, secret patterns, outdated libraries with CVE lookup, and related checks.
- Reports are provided "as is" without warranty of any kind. Automated audits are not a substitute for a manual penetration test.
- We may suspend or modify the Service without prior notice for maintenance, outages of third-party APIs (including OSV.dev), or operational reasons.
3. User obligations
- You must only request audits for domains you own or are explicitly authorized to audit. Scanning third-party sites without consent may violate computer-misuse laws in your jurisdiction (e.g., the CFAA, Korea's ICN Act Article 48).
- Ownership verification must be performed honestly. Abuse of the token system will lead to immediate termination.
- You agree not to use reports from this Service to threaten, extort, or otherwise harm third parties.
- You acknowledge that active checks may generate additional log volume or traffic on the target and consent to this.
4. Scope and limitations
- Findings are surface-level and rule-based. Business-logic flaws, privilege-escalation chains, and multi-step attacks are out of scope.
- A finding is not a confirmed exploit. Actual exploitability must be verified manually.
- We are not liable for traffic costs, CDN/WAF charges, or transient operational impact incurred during a scan.
5. Prohibited conduct
- Requesting scans of domains you are not authorized to audit.
- Tampering with or forging ownership verification tokens.
- Automated abuse of the Service (scraping, excessive requests).
- Using report content to extort, blackmail, or pressure payment from third parties (bounty abuse).
- Reverse engineering or security bypass attempts.
6. Limitation of liability
- We are not responsible for damages from force majeure, user-system failures, or third-party API errors outside our reasonable control.
- You are solely responsible for legal consequences arising from your breach of these Terms, and you agree to indemnify us for any damages caused by such breach.
- The Service does not replace legal, compliance, or audit advice. Judgements on regulatory compliance are your responsibility.
7. Paid reports
- Some advanced report items (evidence strings, attack scenarios, remediation guidance) may be offered as paid features.
- Pricing, billing, and refund terms will be disclosed at the time of purchase.
- In development (localhost) environments, paid items may be displayed by default for demonstration; this does not apply in production.
8. Changes
We may modify these Terms. Changes take effect upon publication on this page. Material changes will be communicated in the Service.
9. Governing law
These Terms are governed by the laws of the Republic of Korea. Disputes will be resolved in the competent court under Korean civil procedure.
10. Contact
For inquiries, reach us at gdode2080@gmail.com.