Acceptable Use Policy

Last updated: December 20, 2025

This Acceptable Use Policy (“AUP”) explains what you may and may not do when using Bastionity’s website, reports, tools, content, and cybersecurity services. It is designed to protect clients, the public, and Bastionity from misuse and unlawful activity.

1. Scope & Who This Applies To

This AUP applies to all visitors, users, clients, and anyone accessing or using Bastionity’s: website, communications, documentation, deliverables (reports), and any service engagement (collectively, the “Services”).

If you have a separate written agreement with Bastionity (e.g., a Statement of Work), that agreement may contain additional restrictions. In case of conflict, the written agreement controls for the scope of that engagement.

2. Acceptable Use (What Is Allowed)

You may use Bastionity Services only for lawful, ethical, and defensive purposes, including:

  • Authorized security testing on assets you own or are explicitly permitted to test.
  • Security assessments and compliance activities (e.g., preparing for audits, improving controls, risk reviews).
  • Defensive operations (hardening, remediation planning, validation of fixes, incident response support where agreed).
  • Educational or research activities that are legal, non-harmful, and do not target real systems without permission.
  • Internal business use of reports and deliverables for risk management and remediation.

3. Authorization Requirement (Critical Rule)

You must have explicit authorization before conducting any security testing or assessment activity. This includes any scanning, enumeration, exploitation attempts, or access testing.

  • You may test only systems you own or systems for which you have written permission from the owner or an authorized representative.
  • If you request Bastionity to test on your behalf, you confirm you have the authority to grant access and approve testing.
  • You must define scope (domains, IPs, apps, APIs), timing (windows), and emergency contacts when required.

If Bastionity reasonably believes authorization is unclear, incomplete, or disputed, we may pause or refuse service until it is clarified.

4. Prohibited Activities (Strictly Not Allowed)

The following activities are prohibited when using Bastionity Services, content, or deliverables:

  • Unauthorized access to systems, accounts, networks, APIs, or data.
  • Any form of malicious exploitation, including gaining persistence or lateral movement on real targets without permission.
  • Developing, distributing, or deploying malware, ransomware, trojans, spyware, keyloggers, or botnets.
  • Denial-of-Service (DoS/DDoS), traffic flooding, resource exhaustion, or disruptive stress testing without explicit written approval.
  • Credential theft, phishing, or social engineering targeting real individuals without explicit consent and authorization.
  • Data theft or exfiltration, or extracting sensitive data beyond what is strictly required to demonstrate a finding.
  • Abusing vulnerabilities to harm others, extort, blackmail, or conduct fraud.
  • Sharing or selling exploit details from Bastionity deliverables for offensive use against third parties.
  • Using our brand or reports deceptively (e.g., fake endorsements, forged reports, misleading marketing claims).
  • Reverse engineering or copying proprietary Bastionity tooling, report templates, or internal methods beyond permitted use.
  • Interfering with the Website, including scraping at scale, bypassing security controls, or attempting to compromise our infrastructure.

5. Responsible Disclosure & Safe Handling

If you discover a vulnerability or security issue related to Bastionity, you agree to act responsibly:

  • Do not publicly disclose vulnerabilities before giving us a reasonable chance to investigate and fix them.
  • Do not access or modify data that you are not authorized to access.
  • Use minimal-impact steps to demonstrate the issue and avoid disruption.

If you want to report a security issue to Bastionity, contact: security@bastionity.com.

6. Use of Reports, Deliverables, and Content

Bastionity reports and deliverables are created for defensive security improvement and internal risk management. You agree that:

  • You will use deliverables primarily for remediation, compliance, audit support, and internal security operations.
  • You will not publish, resell, white-label, or distribute deliverables publicly without written permission (unless legally required).
  • You will not remove watermarks, signatures, or attribution if present.
  • You will not use deliverables to attack or target third parties.

7. Compliance With Laws & Regulations

You must comply with all applicable laws and regulations, including (where applicable):

  • Computer misuse / cybercrime laws.
  • Data protection and privacy laws (e.g., GDPR/CCPA or local equivalents).
  • Export control laws and restrictions on security tools and cryptography.
  • Third-party terms (cloud providers, hosting providers) applicable to your assets.

You are solely responsible for ensuring you have the right to authorize testing on any target included in scope.

8. Enforcement & Consequences

If we believe you violated this AUP, we may take one or more of the following actions:

  • Request clarification, proof of authorization, or corrective action.
  • Limit, suspend, or terminate access to the Website or Services.
  • Cancel an engagement or refuse future services.
  • Report unlawful activity to relevant authorities where required or appropriate.
  • Seek legal remedies where necessary to protect Bastionity, our clients, and the public.

9. Changes to This Policy

We may update this AUP periodically. The updated version will be posted on this page and becomes effective when published. Continued use of the Website or Services after updates means you accept the revised policy.

10. Contact

If you have questions about this Acceptable Use Policy, please contact us via the contact page on our website, or email: legal@bastionity.com.