Acceptable Use Policy
Last updated: 8 June 2026
Pwnkemon is a security-testing tool. Used responsibly it's a force multiplier; used carelessly or maliciously it's a criminal offence. This Policy spells out what is and isn't allowed.
You may only scan targets you have permission to test
By verifying a target through our DNS or HTTP challenge, you represent and warrant that:
- you own the target, or
- you have explicit, written authorisation from the owner to perform security testing on it;
- that authorisation specifically covers the kind of automated active scanning Pwnkemon performs (port discovery, service fingerprinting, HTTP probing, CVE matching, etc.);
- that authorisation has not been withdrawn and remains valid at the time of every scan you run.
Unauthorised access to a computer system is a criminal offence in most jurisdictions. In the UK specifically, the Computer Misuse Act 1990 criminalises unauthorised access (s.1), unauthorised modification (s.3), and impairing operation (s.3ZA). Comparable laws exist in the US (Computer Fraud and Abuse Act), the EU (Directive 2013/40/EU), and elsewhere.
You are solely responsible for ensuring you have authority to scan any target you submit. Pwnkemon is not your legal advisor and our target-verification flow is a technical control, not a substitute for proper authorisation.
Prohibited uses
You must not use the Service to:
- scan targets that you neither own nor have express written permission to test;
- circumvent any access control or rate-limit on the Service;
- conduct denial-of-service attacks or otherwise degrade availability;
- scan critical national infrastructure, government systems, or financial-market systems without an explicit written contract for such work;
- exfiltrate or modify data on the target during scanning;
- use the Service to develop or distribute malware;
- resell access to the Service without a written reseller agreement;
- share API tokens or credentials with anyone outside your organisation;
- attempt to reverse-engineer the Pwnkemon agent, scanner primitives, or related infrastructure;
- use the Service to violate any applicable law or third-party right.
Out-of-scope targets even with your own authorisation
Some categories of target are sensitive enough that we will not scan them even if you claim authorisation. These include:
- major cloud-platform shared services (AWS, Azure, GCP, etc.) where you do not own the underlying account;
- third-party SaaS products you are merely a customer of;
- academic institutions, hospitals, emergency services, and government domains, unless you contact us in advance with proof of engagement;
- the top 50 websites by traffic (large-scale scanning is independently disruptive even when "authorised").
If your scan target falls into one of these categories, contact us before scanning so we can document the engagement.
Reporting violations
If you become aware of a Pwnkemon scan against a system you own and you did not authorise it, please contact [email protected] with:
- the target domain or IP affected;
- timestamps of the suspected activity (UTC);
- any source IPs you have logged.
We will investigate immediately, suspend the offending account pending review, and cooperate with law-enforcement requests made under appropriate legal process.
Enforcement
Breach of this Policy may result in:
- immediate suspension or termination of your account, without refund;
- forfeiture of pending scans and reports;
- retention of activity logs for use in legal proceedings;
- referral to law enforcement.
Changes
We may update this Policy as our service evolves. Continued use of the Service after a change constitutes acceptance.
Contact
Questions about this Policy: [email protected]. Report abuse: [email protected].
This Policy is a working baseline. Specific clauses (in particular the prohibited-uses and out-of-scope lists) will be refined as we onboard more customers and consult with security-law counsel.