Terms and Conditions
The commercial terms that govern paid engagements, subscriptions, and your contractual relationship with Vulnary.
1. About these Terms
These Terms and Conditions (the "Terms") govern the commercial and contractual relationship between Vulnary ("Vulnary", "we", "us", or "our") and the organization that purchases, subscribes to, or otherwise engages our offensive-security services (the "Customer", "you", or "your"). They apply to all paid engagements, subscriptions, and statements of work, whether ordered through our web portal, an order form, or a signed agreement.
These Terms are distinct from our Terms of Use, which govern access to and use of the Vulnary website and platform. Where these Terms conflict with the Terms of Use in the context of a paid engagement, these Terms control. Where these Terms conflict with a signed master agreement or a mutually executed Statement of Work, that document controls to the extent of the conflict.
By placing an order, executing a Statement of Work, activating a subscription, or authorizing an engagement, you agree to these Terms on behalf of the Customer and confirm that you have the authority to bind the Customer.
2. Definitions
- "Services" means the offensive-security products and professional services we provide, including Verdict, Code Review, Pentest, Proof Engine, and any associated portal, tooling, or reporting.
- "The Resident" means Vulnary's autonomous AI offensive-security engine used to deliver or assist in delivering the Services.
- "Engagement" means a defined instance of the Services performed for you, including its scope, timing, and deliverables.
- "Statement of Work" or "SOW" means a document (including an order form or portal-generated scope confirmation) describing an Engagement's scope, fees, and terms.
- "In-Scope Assets" means the systems, applications, networks, code, credentials, accounts, reports, or other targets you authorize us to test, review, or verify in an Engagement.
- "Deliverables" means the reports, findings, proofs, exploit reproductions, and other materials we provide to you as an output of an Engagement.
- "Customer Data" means data you provide to us or that we access, generate, or process in performing the Services.
- "Rules of Engagement" or "RoE" means the agreed operational constraints for an Engagement, including scope boundaries, permitted techniques, testing windows, and escalation contacts.
3. Engagements and Statements of Work
Each Engagement is defined by a Statement of Work. The SOW sets out the In-Scope Assets, the applicable product (Verdict, Code Review, Pentest, or Proof Engine), the Rules of Engagement, deliverables, timing, and fees. No testing, review, or verification activity begins until the relevant SOW has been accepted and, where required, scope authorization has been confirmed.
For the Proof Engine, the Engagement tier — First-Look, Automated Verdict, or Verified Engagement — is stated in the SOW and determines the depth of reproduction and the level of human review applied. Changes to scope, targets, or objectives require a written change to the SOW (including via the portal) accepted by both parties before they take effect.
4. Fees, Billing, Subscriptions, and Renewals
Fees are stated in the applicable SOW, order form, or subscription plan. Unless stated otherwise:
- Subscription fees are billed in advance for the stated billing period; Engagement or usage-based fees are billed as set out in the SOW.
- All fees are exclusive of taxes, duties, and levies, which are your responsibility except for taxes on our net income.
- Undisputed invoices are due within thirty (30) days of the invoice date. Late amounts may accrue interest at the lower of 1.5% per month or the maximum permitted by law.
- Fees are non-refundable except where these Terms or an SOW expressly provide otherwise.
Subscriptions renew automatically for successive periods equal to the initial term unless either party gives written notice of non-renewal at least thirty (30) days before the end of the then-current term. We may adjust subscription pricing effective on renewal by giving notice before the renewal date. Certain plans allow you to supply your own AI-provider API key ("BYO key"); where you do, you are responsible for the cost, availability, and terms of that provider, and we are not liable for that provider's acts, outages, or charges.
5. Scope Authorization and Customer Warranties
This section is critical to offensive-security work. You represent, warrant, and covenant, on a continuing basis, that for every In-Scope Asset:
- You own the asset or are fully authorized by its owner to have it tested, reviewed, exploited, or independently verified as described in the SOW;
- You have obtained all consents, licenses, and internal approvals necessary for us to perform the Services, including from any third-party host, cloud provider, or vendor whose systems or terms may be implicated;
- You will not designate as In-Scope any asset you are not lawfully entitled to authorize, and you will promptly remove from scope anything for which authorization lapses;
- For Proof Engine work, you are entitled to share the third-party report and any related materials you provide, and doing so does not breach any confidentiality or contractual obligation you owe to another party.
Your scope authorization is our permission to act. You acknowledge that offensive-security testing may load, probe, modify, or disrupt In-Scope Assets, and you accept that risk for assets you place in scope. You are solely responsible for the accuracy and completeness of the scope you authorize.
6. Rules of Engagement and Safety
We perform the Services within the agreed scope and Rules of Engagement. Our platform enforces scope technically: the Resident and our tooling are constrained to operate against authorized In-Scope Assets and within the agreed testing windows and constraints, and we design our engagements to avoid intentionally destructive actions unless a specific, written RoE authorizes them.
You agree to provide accurate scope information, functioning access where required, and a responsive technical and escalation contact. If we reasonably believe an activity would exceed scope, breach law, or cause disproportionate harm, we may pause or decline that activity. You acknowledge that testing carries inherent risk and that no methodology can guarantee the absence of unintended effects; we are not liable for consequences arising from assets or conditions you did not accurately disclose.
7. Deliverables, Findings, and License
Subject to your payment of applicable fees, we assign to you ownership of the Deliverables produced specifically for you in an Engagement, excluding our Retained Materials. "Retained Materials" means our platform, the Resident, our engines, tooling, methodologies, techniques, playbooks, generalized know-how, and any pre-existing or independently developed materials — none of which are assigned. We grant you a perpetual, worldwide, non-exclusive, royalty-free license to use any Retained Materials embedded in a Deliverable solely as part of that Deliverable and for your internal security purposes.
We may retain and use anonymized, de-identified learnings, techniques, and statistical or aggregate information derived from Engagements to operate, secure, and improve the Services, provided such use does not identify you or disclose your Confidential Information.
8. Confidentiality
Each party (the "Receiving Party") may receive confidential information of the other (the "Disclosing Party"), including business, technical, and security information, findings, and the existence and details of Engagements. The Receiving Party will use the other's Confidential Information only to perform or receive the Services, protect it with at least reasonable care, and not disclose it except to its personnel and advisors who need it and are bound by comparable obligations.
Confidential Information does not include information that is or becomes public without breach, was rightfully known before disclosure, is independently developed, or is rightfully received from a third party. A party may disclose Confidential Information where required by law, provided it gives reasonable notice (where lawful) and cooperates in seeking protective treatment. Security findings and Deliverables are treated as your Confidential Information. These obligations survive for three (3) years after disclosure, and indefinitely for trade secrets.
9. Data Handling and Privacy
Our collection and processing of personal data is described in our Privacy Policy, which is incorporated by reference. We handle Customer Data only to provide the Services and as permitted by these Terms and the SOW. Where we process personal data on your behalf, we do so under your instructions and applicable data-protection terms. Because the Services are delivered as a managed, SaaS offering, Engagement data, findings, and telemetry are processed on our platform; we do not offer on-premise deployment.
10. Responsible and Coordinated Disclosure
Where an Engagement surfaces a vulnerability affecting a third-party product, dependency, or upstream vendor, the parties will handle it through responsible, coordinated disclosure. We will not publicly disclose a vulnerability affecting your assets without your consent. Where coordinated disclosure to a third party or a CVE authority is appropriate, we will consult with you first and agree the timing, attribution, and content of any disclosure. Nothing in this section requires either party to act unlawfully or to withhold a disclosure required by law.
11. Customer Responsibilities
- Maintain the confidentiality of portal credentials and API keys and promptly notify us of suspected compromise;
- Provide timely, accurate scope, access, and technical contacts, and keep backups of any In-Scope Assets you consider critical;
- Use Deliverables and the Services only for lawful security purposes and not to harm third parties;
- Comply with applicable laws and third-party terms relating to the assets you place in scope;
- Not resell, sublicense, or expose the Services to third parties except as expressly permitted in the SOW.
12. Warranties and Disclaimers
We warrant that we will perform the Services with reasonable skill and care and in a professional manner consistent with industry standards. Except for this express warranty, the Services and Deliverables are provided "as is." To the maximum extent permitted by law, we disclaim all other warranties, express or implied, including merchantability, fitness for a particular purpose, non-infringement, and any warranty that the Services will identify all vulnerabilities, be uninterrupted, or be error-free. Security testing is inherently probabilistic; a finding of no exploited vulnerability is not a guarantee that none exists.
13. Limitation of Liability
To the maximum extent permitted by law, neither party will be liable for any indirect, incidental, special, consequential, exemplary, or punitive damages, or for lost profits, revenue, data, or goodwill, even if advised of the possibility. Except for the Excluded Claims below, each party's total aggregate liability arising out of or related to these Terms will not exceed the fees paid or payable by you for the Engagement or subscription giving rise to the liability in the twelve (12) months preceding the event.
"Excluded Claims" — for which the cap does not apply — are: (a) your breach of the scope-authorization warranties in Section 5; (b) either party's indemnification obligations; (c) a party's breach of confidentiality; and (d) liability that cannot be limited by law. This allocation of risk is a fundamental basis of the bargain between the parties.
14. Indemnification
You will defend, indemnify, and hold us harmless from third-party claims, damages, and reasonable costs arising from: (a) your breach of the scope-authorization warranties in Section 5; (b) your lack of authority over any asset you placed in scope; (c) your unlawful use of the Services or Deliverables; or (d) content or materials you provided to us. We will defend, indemnify, and hold you harmless from third-party claims that the Services, as delivered by us, infringe that third party's intellectual-property rights, excluding claims arising from your scope, materials, or misuse. The indemnifying party's obligations are conditioned on prompt notice, sole control of the defense, and reasonable cooperation.
15. Term and Termination
These Terms apply for as long as any Engagement or subscription is active. Either party may terminate an Engagement or subscription for material breach that remains uncured thirty (30) days after written notice. We may suspend the Services immediately if we reasonably believe continued performance would be unlawful, exceed authorized scope, or cause imminent harm. On termination, you will pay for Services performed and non-cancellable commitments incurred up to the effective date. Sections relating to fees accrued, confidentiality, data handling, deliverables ownership, warranties and disclaimers, limitation of liability, indemnification, and governing law survive termination.
16. Force Majeure
Neither party is liable for failure or delay in performance (other than payment obligations) caused by events beyond its reasonable control, including acts of God, war, civil unrest, labor disputes, governmental action, network or utility failures, and failures of third-party providers or infrastructure. The affected party will use reasonable efforts to mitigate and resume performance.
17. Assignment
Neither party may assign these Terms without the other's prior written consent, except that either party may assign them in full to a successor in connection with a merger, acquisition, or sale of substantially all assets, on notice to the other. Any prohibited assignment is void. These Terms bind and benefit the parties and their permitted successors and assigns.
18. Governing Law and Dispute Resolution
These Terms are governed by the laws of the State of Wyoming, United States, without regard to conflict-of-laws principles. The parties will first attempt in good faith to resolve any dispute through senior-executive discussion. Any dispute not so resolved will be subject to the exclusive jurisdiction and venue of the state and federal courts located in the State of Wyoming, United States, or, where an SOW so specifies, to binding arbitration under the rules stated therein. Nothing prevents either party from seeking injunctive relief to protect its Confidential Information or intellectual property.
19. Entire Agreement
These Terms, together with the applicable SOW, order form, subscription plan, Privacy Policy, and any signed master agreement, constitute the entire agreement between the parties on their subject matter and supersede all prior or contemporaneous understandings. In the event of conflict, the order of precedence is: a signed master agreement, then the SOW, then these Terms, then the Terms of Use. No purchase-order terms or other pre-printed terms have any effect.
20. Changes to these Terms
We may update these Terms from time to time. Material changes will apply to new Engagements and to subscription renewals occurring after the change takes effect; changes will not retroactively alter an active SOW without the parties' agreement. The current version is always available on our website with its effective date. Your continued use of the Services after a change takes effect constitutes acceptance of the updated Terms.
21. Notices and Contact
Legal notices to Vulnary must be in writing and sent to [email protected], and are deemed given on confirmed delivery. Operational notices may be delivered through the portal or to your designated contacts. Questions about these Terms can be directed to [email protected].
Last updated: July 2026