Last updated: June 2026.
You may only scan domains, IPs and APIs that you own or for which you have explicit written authorisation to perform security testing. Scanning third-party systems without permission may be illegal.
Vulny may require you to verify control of a domain (via DNS TXT record, a file, or a confirmed email at that domain) before running full scans.
You must not use Vulny to attack, disrupt, or gain unauthorised access to any system; to scan internal, government, or third-party infrastructure without authorisation; or to evade these controls. Scanning of reserved/internal IP ranges is blocked.
We may suspend or terminate accounts that violate this policy and may report unlawful activity to authorities.