Acceptable Use Policy

Verilax is intended solely for lawful, authorized security testing. Users are responsible for obtaining written permission before testing any system, network, application, device, account, cloud environment, or third-party infrastructure. Unauthorized use is prohibited.

Verilax customers undertake to maintain documented authorization for every test (rules of engagement, statement of work, lab-environment notice, or equivalent) and to keep that documentation available to Verilax on request.

The following activities are categorically prohibited:

• Unauthorized access: access to any system, account, or data without prior written permission from the system owner.
• Credential theft: capturing, exfiltrating, or misusing third-party credentials outside an authorized engagement.
• Malware deployment: deployment of malware to any target not part of an explicitly authorized, controlled, lab-only test.
• Ransomware: any deployment, simulation, or distribution of ransomware against production systems.
• Extortion: any use of Verilax findings or access to extort or coerce.
• Botnet activity: any operation of botnets or command-and-control infrastructure against unauthorized systems.
• Destructive payloads: any payload designed to destroy, wipe, corrupt, encrypt, or ransom data.
• Self-propagating payloads: any payload designed to propagate without operator intervention.
• Unauthorized surveillance: covert monitoring of individuals or systems outside an authorized engagement.
• Data theft: exfiltration of data outside the documented scope of an engagement.
• Attacks outside approved scope: any testing against targets not on the engagement's authorized-asset list.
• Service disruption: denial-of-service, load generation, or stress testing against any system without documented owner authorization.
• Use without permission: any test against a system for which the user does not hold written permission from the system owner.
• Export-control / sanctions violations: any use in violation of U.S. export controls, sanctions, or trade-compliance laws (see the Export Compliance Notice).

Verilax ships with safe defaults: destructive actions are disabled, self-propagation is disabled, persistence is disabled outside explicitly approved lab or controlled environments, credential capture is minimized and masked, secrets are redacted from logs and reports, rate limits are enabled, production-target warnings are enabled, a stop/kill-switch is available for running jobs, and audit logging cannot be disabled by ordinary users.

Operators may not configure Verilax to evade these defaults except where explicitly justified by an authorized engagement and approved by the operator's admin.

Users who become aware of a violation of this AUP must report it promptly. Verilax may suspend access pending investigation and may require cooperation with internal review or, where required by law, with law-enforcement.

Violations may result in immediate suspension or termination of access to Verilax, forfeiture of any prepaid amounts, referral to law-enforcement, and civil or criminal liability under applicable law.

Verilax may update this AUP from time to time. Material changes will be announced with reasonable advance notice. Continued use of Verilax after a change takes effect constitutes acceptance of the updated AUP.