Acceptable Use.

01The non-negotiable rule

You may only scan domains you own, or domains for which you have received explicit written authorization from the legitimate owner. There is no exception. This rule is non-negotiable and its breach results in immediate account termination, without notice and without refund.

02What counts as authorization

• Ownership: you are the registrant of the domain or you control its DNS records.
• Maintenance or hosting contract that explicitly covers security audits or vulnerability scanning.
• A signed mandate or explicit email from the domain owner naming the audited perimeter.
• A pentest engagement letter with a scope statement.

Verbal agreements, “my friend said it was fine”, or “they're public anyway” do not count. If challenged, we will ask you for proof of authorization and may share that proof with judicial authorities.

03Ownership verification for the active tier

The active tier (port scanning, CMS enumeration, CVE matching, banner grabbing) requires you to verify domain ownership before any scan runs. You can verify ownership in two ways:

• DNS TXT record: add a TXT record mythoscan-verify=<token> on the target domain.
• HTML file upload: upload /mythoscan-verify-<token>.html to the target web root.

Verification is persistent — you only do it once per target. Agency customers on the Agency and Pro plans may alternatively sign a single “mandate attestation” covering all clients they officially represent.

04Prohibited uses

You may not use Mythoscan to:

• Scan domains you do not own or have no written authorization for.
• Attempt to exploit discovered vulnerabilities. Mythoscan detects and reports — it does not pen-test, and neither may you using it.
• Perform denial-of-service attacks or flood a target with requests.
• Scan infrastructure belonging to governments, hospitals, critical infrastructure operators, or minors, unless you hold a specific and verifiable contract with the operator.
• Use Mythoscan as part of a service you resell in conditions that violate this policy. White-label is permitted, but end-user responsibility remains yours.
• Reverse-engineer, scrape, or disrupt the Mythoscan platform itself.

05Legal consequences

In France, unauthorized scanning may be prosecuted under Article 323-1 of the Code pénal (accès frauduleux à un système de traitement automatisé de données), punishable by up to three years of imprisonment and 100,000 euros of fine. Similar provisions exist in most EU and non-EU jurisdictions (CFAA in the United States, CMA in the United Kingdom, etc.).

When a violation is reported to us, we cooperate with judicial authorities. We keep access logs for twelve months that identify the user, IP address, scanned domain, timestamp, and authorization declaration. These logs are admissible as evidence.

06Enforcement

We enforce this policy through a combination of:

• Automated detection of suspicious scan patterns.
• Manual review when abuse reports are filed.
• Immediate suspension of suspected accounts pending investigation.
• Permanent termination with forfeiture of remaining subscription, where abuse is confirmed.

Abuse reports can be filed at abuse@mythoscansec.com. Include the offending domain and any relevant context. We investigate within 48 hours.

07Transparency commitment

If you are a domain owner and you discover that someone has been scanning you through Mythoscan without your consent, contact us and we will share whatever legally permissible information we hold to help you identify and pursue the abuser.

08Updates

We may update this policy to address new categories of abuse or to reflect legal developments. Updates are notified by email with at least 14 days of notice.