Scanning Authorization Agreement
Last updated: March 9, 2026
1. Purpose
This Scanning Authorization Agreement ("Agreement") defines the terms and conditions under which REDWIPE LLC ("REDWIPE", "we", "us", or "our") performs automated security testing on domains and assets registered by you ("the Customer", "you", or "your") on the REDWIPE platform.
By acknowledging this Agreement through the REDWIPE dashboard or by completing DNS domain verification, you confirm your acceptance of these terms.
2. Authorization Representation
By registering a domain for scanning on the REDWIPE platform, you represent and warrant that:
- You are the legal owner of the target domain, or you have been explicitly authorized by the domain owner to conduct security testing on their behalf.
- You have the legal authority to authorize automated security scanning and safe exploit verification of the target domain and its subdomains.
- Your authorization extends to all publicly accessible assets associated with the registered domain, including subdomains, HTTP endpoints, DNS records, email infrastructure, and publicly exposed services.
- You understand that REDWIPE will perform automated security testing as described in the "Scope of Testing" section below.
3. Scope of Testing
What REDWIPE will do:
- DNS Enumeration: Query DNS records (A, AAAA, CNAME, MX, TXT, NS, SOA, SRV) and Certificate Transparency logs to discover subdomains and assets.
- Port Scanning: TCP connect scans on common ports (scope depends on plan tier: 100, 1000, or 65535 ports) with banner grabbing for service identification.
- HTTP Probing: Send HTTP requests to discovered endpoints to check status codes, headers, technology fingerprints, and redirect chains.
- Vulnerability Assessment: Use template-based scanning to identify known vulnerabilities, misconfigurations, and security weaknesses.
- Safe Exploit Verification: Non-destructive proof-of-concept testing for confirmed vulnerabilities, including: default credential testing (max 3 attempts per service), SQL injection detection (read-only probes), SSRF validation (benign callback verification), XSS detection (benign marker injection), cloud storage access checks (read-only, max 1KB), and subdomain takeover proof-of-concept (with automatic release timer).
What REDWIPE will NOT do:
- Denial of Service: We will not conduct DoS or DDoS attacks or any test that could disrupt service availability.
- Data Exfiltration: We will not extract, download, or copy customer data beyond the minimum necessary for proof of vulnerability (max 1KB for cloud access verification).
- Modification of Target Systems: We will not modify files, databases, configurations, or any data on your systems. All exploit verifications use read-only probes and benign payloads.
- Internal Network Access: We will not scan internal networks, private IP ranges, or systems behind firewalls.
- Social Engineering: We will not conduct phishing, vishing, or other social engineering attacks.
4. Rate Limiting
All REDWIPE scans respect configurable rate limits to minimize impact on your systems:
- Default rate limit: 10 requests per second per host
- Port scanning uses controlled concurrency (not SYN flood)
- You may pause or cancel scans at any time through the dashboard
- Continuous monitoring checks occur at tier-appropriate intervals (weekly for Starter, daily for Pro, every 6 hours for Enterprise)
5. Liability
While REDWIPE employs comprehensive safety controls to prevent disruption to target systems, automated security testing inherently carries a small residual risk of disruption. You acknowledge that:
- REDWIPE is not liable for any service disruptions that may occur on target systems as a result of authorized scanning, provided REDWIPE operated within the scope described in this Agreement.
- You are responsible for ensuring that your systems can handle external security scanning at the configured rate limits.
- REDWIPE maintains comprehensive audit logs of all scanning activity, available to you through the dashboard and API.
6. Data Handling
Scan results are handled in accordance with our Privacy Policy:
- Findings, assets, and reports are stored for the duration of your account and protected by multi-tenant row-level security.
- Raw scan artifacts (Nuclei output, HTTP responses) are retained for 90 days then automatically purged.
- All data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
- You may export your data at any time or request complete deletion by contacting privacy@redwipe.com.
7. Revocation
You may revoke scanning authorization for any domain at any time by:
- Removing the DNS TXT record — REDWIPE will detect the removal and suspend active scanning for that domain.
- Deleting the domain from the dashboard — immediately terminates all scanning activity and queued tasks for that domain.
- Contacting support — email support@redwipe.com to request immediate revocation.
Revocation takes effect immediately. REDWIPE will cease all scanning activity within 1 hour of DNS TXT record removal or dashboard-initiated revocation. Any scans in progress will be terminated, and no new scans will be initiated for the revoked domain.
8. Governing Law
This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of law provisions. Any disputes arising from this Agreement shall be resolved in accordance with the dispute resolution provisions in our Terms of Service.
9. Shared Responsibility
You are responsible for understanding the impact of security scanning on third-party hosted assets. If your domains are hosted by a third-party provider (e.g., AWS, Azure, GCP, shared hosting), you are responsible for:
- Ensuring that your hosting provider’s terms of service permit automated security scanning.
- Notifying your hosting provider of planned scanning activity if required by their policies.
- Any consequences arising from scanning activity on third-party infrastructure.
10. Notification to Third Parties
We recommend that you notify your hosting providers, CDN providers, and any managed security service providers (MSSPs) before initiating scans. This helps prevent false positive alerts from their monitoring systems. REDWIPE scans originate from documented IP ranges that can be whitelisted upon request.
11. Data Classification
All scan findings generated by REDWIPE are classified as Confidential by default. This means:
- Scan data is accessible only to authenticated members of your organization.
- Reports should be shared only with authorized personnel.
- Vulnerability details should not be publicly disclosed before remediation.
- REDWIPE will not disclose your scan results to third parties without your written consent, except as required by law.
Contact
For questions about this Agreement or scanning authorization:
REDWIPE LLC
Wilmington, Delaware, United States
Email: legal@redwipe.com
Security: security@redwipe.com