How we scan, and what we never do.
This document describes the operational boundaries of every RiskMeter scan. It is binding for accepted free-scan customers and is referenced by our written authorization.
Last updated: 2026-04-28
1. Authorized targets only
RiskMeter only ever performs scanning activity against assets the requester has explicitly identified, in writing, as assets they own, or as assets whose owner has authorized them to approve for testing. [TODO_LEGAL_REVIEW]
If we cannot independently verify ownership or authorization to a reasonable degree of confidence, we will pause and request additional confirmation before proceeding. We reserve the right to decline any engagement.
2. Scope and assets
Scope is confirmed in writing prior to scan start. Default scope includes:
- Public web domains and subdomains explicitly listed by you
- Web applications served from those domains
- Public-facing APIs you authorize for testing
- Server-level configuration of those assets (TLS, certificates, security headers, exposed services, banners)
The following are out of scope unless explicitly added in writing:
- Authenticated areas behind your customers' accounts
- Third-party services (payment providers, identity providers, CDNs, etc.)
- Infrastructure or services the requester does not own and is not authorized to approve for testing (including shared hosting neighbours and upstream providers)
3. What we will not do
- We will not perform destructive testing (data destruction, account deletion, intentional outages).
- We will not perform denial-of-service or sustained high-volume traffic attacks.
- We will not perform social engineering, phishing, or any test that targets your staff or customers.
- We will not attempt to access, exfiltrate, or modify customer or employee personal data.
- We will not request or collect passwords or credentials through this website; unauthenticated scanning does not require them.
- We will not test outside the scope window without prior written agreement.
4. Scan intensity and timing
Scans are throttled to minimize load on your origin and shared infrastructure. We work with you to identify a low-traffic window for the scan when possible. We commit to:
- Provide a defined scan window with a stated start and end time
- Use rate-limited, non-flooding traffic patterns suitable for production environments
- Pause the scan and notify you promptly if we observe it degrading your service (elevated error rates, latency, or resource exhaustion)
5. Source identification
Scan traffic will originate from a fixed, documented set of source IP addresses and carry a clearly identifiable user-agent string. We will provide both before the scan starts so your monitoring tools can correlate the activity. Because a user-agent string can be set by anyone, treat the source IP list as the authoritative identifier and the user-agent as a secondary label: traffic carrying our user-agent from an address outside the documented set is not ours and should be investigated as you would any other unexpected scanner.[TODO_LEGAL_REVIEW]
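The following is an added example of the correlation a receiving team might run, not RiskMeter's own tooling. It parses combined-format web-server access logs and labels each request by whether it came from the documented scanner addresses, whether it carries the documented user-agent, and whether it fell inside the agreed scan window from section 4. The IP ranges, user-agent prefix, window and log lines are all constructed placeholders; substitute the values supplied before your scan.

```python
"""Correlate access-log lines with a scan vendor's documented source IPs,
user-agent string and scan window.

Added example, not RiskMeter's own code. All identifiers below are
constructed placeholders for the values a vendor supplies before a scan."""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone

# Assumed vendor-supplied values (placeholders, not real RiskMeter ranges).
SCANNER_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "2001:db8:1::/64")]
SCANNER_UA_PREFIX = "RiskMeterScanner/"   # assumed identifier prefix
SCAN_WINDOW = (                            # assumed agreed window, UTC
    datetime(2026, 4, 28, 2, 0, tzinfo=timezone.utc),
    datetime(2026, 4, 28, 3, 0, tzinfo=timezone.utc),
)

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: two genuine scan requests, one request spoofing the
# vendor user-agent from an undocumented IP, one documented IP with an
# unexpected user-agent, one ordinary visitor, and one vendor request that
# arrives after the agreed window closed.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Apr/2026:02:10:01 +0000] "GET /robots.txt HTTP/1.1" 200 61 "-" "RiskMeterScanner/1.0 (+https://example.invalid/scan-policy)"
203.0.113.5 - - [28/Apr/2026:02:10:02 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "RiskMeterScanner/1.0 (+https://example.invalid/scan-policy)"
198.51.100.77 - - [28/Apr/2026:02:11:45 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "RiskMeterScanner/1.0 (+https://example.invalid/scan-policy)"
203.0.113.9 - - [28/Apr/2026:02:12:00 +0000] "GET /admin HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; genericbot/2.1)"
192.0.2.44 - - [28/Apr/2026:02:12:30 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
203.0.113.5 - - [28/Apr/2026:03:30:00 +0000] "GET /sitemap.xml HTTP/1.1" 200 900 "-" "RiskMeterScanner/1.0 (+https://example.invalid/scan-policy)"
"""


def from_scanner_ip(ip_str):
    """True if the address falls inside any documented scanner network."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(addr in net for net in SCANNER_NETWORKS)


def classify(line):
    """Label one access-log line. The IP list is authoritative; the
    user-agent is only a secondary, spoofable hint."""
    m = LOG_RE.match(line)
    if not m:
        return "unparsed"
    ip_ok = from_scanner_ip(m["ip"])
    ua_ok = m["ua"].startswith(SCANNER_UA_PREFIX)
    if ip_ok and ua_ok:
        ts = datetime.strptime(m["ts"], TS_FMT)
        if SCAN_WINDOW[0] <= ts <= SCAN_WINDOW[1]:
            return "vendor-scan"
        return "vendor-scan-outside-window"   # raise with the vendor
    if ua_ok:
        return "ua-spoofed"                   # vendor UA, undocumented IP: not the vendor
    if ip_ok:
        return "ip-unexpected-ua"             # documented IP, UA drifted: confirm with vendor
    return "other"


def correlate(log_text):
    """Return per-label counts and the lines that need human follow-up."""
    counts = Counter()
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        label = classify(line)
        counts[label] += 1
        if label in ("ua-spoofed", "ip-unexpected-ua", "vendor-scan-outside-window"):
            flagged.append((label, line))
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = correlate(SAMPLE_LOG)
    print(dict(counts))
    for label, line in flagged:
        print(f"[{label}] {line}")
```

Only the lines labelled `vendor-scan` should be suppressed in your alerting during the window; the three flagged categories are exactly the cases where the user-agent alone would have misled you, and each warrants a query to the vendor contact or your normal scanner-triage process.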
6. Data handling during the scan
During a scan we may incidentally observe technical data emitted by your application (HTTP responses, headers, error pages, public content). We treat this material as confidential. We retain response bodies only where they are needed to substantiate a finding, and we redact any inadvertently captured sensitive content (credentials, session tokens, personal data) before storage.
See our Privacy & Data Handling page for full data lifecycle details.
7. Findings and disclosure
Findings are disclosed only to you, the authorized requester, via the contact email confirmed during application. We do not publicly disclose, sell, or share specific findings. We may publish aggregated, non-identifying statistics about scan results.[TODO_LEGAL_REVIEW]
8. Stopping a scan
You may revoke authorization or request that we cease scanning at any time, in writing. Upon receipt of such a request we will:
- Stop active scanning within a reasonable time window
- Confirm cessation in writing
- Honor any reasonable request to delete data collected during the engagement, subject to limited records retained for legal, accounting, and security purposes
9. Limits of testing
A scan reflects the state of your environment at a point in time. It is not a guarantee that your application is free of vulnerabilities. Findings are presented to the best of our ability based on the techniques used during the engagement.[TODO_LEGAL_REVIEW]
10. Contact
Operational questions about an in-progress scan can be sent to your designated RiskMeter contact. For general questions, see the contact information in our Privacy Policy.