Pentify
Legal

Fair use

Pentify is a real penetration-testing tool. Use it only on systems you own or are explicitly authorised to test.

Rule zero
Scanning a system you do not own or are not explicitly authorised to test is illegal in most jurisdictions, regardless of intent. Pentify will refuse the scan, and the activity is logged.

What you may scan

  • Hostnames and IPs you have administrative control over (DNS or HTTP root).
  • Systems for which you hold a current written authorisation from the owner (a signed letter, a screenshot of an in-scope bug-bounty page, or an email from an authorised representative).
  • Staging and pre-production environments under your organisation, including those run by a third-party hosting provider on your behalf.
  • Sandboxed labs you have provisioned for training and CI use.

What you may not scan

  • Production or non-production systems belonging to anyone else, even if you suspect a vulnerability.
  • Targets explicitly out of scope of a bug-bounty programme — a programme listing is not blanket authorisation.
  • Government, critical-infrastructure, or healthcare systems without explicit prior authorisation from the owner.
  • Shared platforms (CDNs, marketplaces, multi-tenant SaaS) belonging to third parties — even if your account lives there.

Verification is mandatory

Pentify enforces target verification at the API edge. Every hostname you scan must first prove ownership via DNS TXT or a file at /.well-known/pentify-verify.txt. There is no override. Verifications are cached for 30 days.

Audit trail

Every scan, target verification, and API key event is written to an append-only audit log scoped to your workspace. We retain the log for at least 24 months and can produce it on request — for example to satisfy compliance auditors or incident-response queries.

Terms of service

Use of the Pentify API is also governed by the Pentify Terms of Service and Acceptable Use Policy at pentify.org/legal. The clauses on this page summarise the most relevant rules but do not replace the formal terms.

Reporting abuse

If you suspect a Pentify customer is using the platform to scan unauthorised targets, email abuse@pentify.io. Provide timestamps, source IPs, and any evidence you can share. We respond to confirmed-abuse reports within 24 hours, including suspending the offending workspace where warranted.