Responsible Use & Anti-Misuse Policy

Last Updated: August 12, 2025

At vPiper (a Vulcure project) we are committed to promoting the safe, ethical and lawful use of our CI/CD security scanning tool. This Responsible Use & Anti-Misuse Policy explains the intended purpose of vPiper, prohibited activities, reporting guidance, and enforcement measures. By downloading, installing, or using vPiper you agree to comply with this policy.

1. Purpose of vPiper

vPiper is intended only for legitimate security testing in environments where you have authorization. Typical legitimate uses include:

• Scanning code repositories, pipelines and CI/CD configurations that you own or explicitly control.
• Testing systems and pipelines where you have written permission from the owner (for example, pentests or bug bounty tasks with clear authorization).
• Educational, research, and lab environments configured for learning and experimentation.

2. Prohibited Activities

You must never use vPiper for:

• Unauthorized scanning of systems, repositories, pipelines or infrastructure you do not own or do not have explicit permission to test.
• Any activity intended to gain unauthorized access to systems, data, or credentials.
• Malicious acts such as data theft, planting backdoors, disrupting systems, or otherwise exploiting vulnerabilities for harm.
• Bypassing, disabling, or tampering with security controls to evade detection.
• Using vPiper in violation of any applicable local, national, or international laws.

3. Legal Responsibilities & Liability

You are solely responsible for how you use vPiper. The developers, maintainers, and distributors of vPiper (Vulcure) are not responsible for any illegal or unethical actions taken by users. Unauthorized or abusive use of security tools may violate laws such as the Computer Fraud and Abuse Act (CFAA), the General Data Protection Regulation (GDPR), and other cybercrime statutes.

4. Safe Defaults & Implementation Notes

vPiper is designed with safety in mind. Recommended best practices:

• Run scans locally (CLI) where possible and avoid uploading scan results to public or third-party services without consent.
• Do not include or store production secrets in test repositories used for public demos.
• Keep the tool in read-only scanning mode — vPiper only reports findings and should not perform automated remediation unless explicitly enabled and authorized.

5. Reporting Security Issues (Responsible Disclosure)

If you discover a vulnerability in any third-party system while using vPiper, follow responsible disclosure best practices:

1. Report the issue privately to the system owner or their security contact with clear, actionable details.
2. Allow a reasonable period for the owner to investigate and remediate before making any public disclosure.
3. If you find a vulnerability in vPiper itself, please report it to us via Contact so we can address it promptly.

6. Monitoring & Abuse Handling

To protect the community and the service, we may monitor usage patterns for abuse and may take action in response to detected misuse. Actions may include:

• Temporarily or permanently revoking access to hosted services or APIs.
• Restricting or rate-limiting automated scanning to prevent abuse.
• Cooperating with legal authorities when required for investigations.

7. Enforcement & Penalties

Violations of this policy may lead to removal of access to vPiper resources, reporting to relevant authorities, and other legal actions as appropriate. We reserve the right to pursue remedies for misuse to the fullest extent permitted by law.

8. Ethical Use Commitment

By using vPiper you agree to:

• Operate within legal and ethical boundaries.
• Protect sensitive data and respect privacy.
• Use findings to strengthen security, not to exploit it.
• Seek explicit written authorization for any testing of systems you do not own.

9. Questions & Contact

If you are unsure whether your planned use of vPiper is permitted, please contact us before proceeding. For security reporting (vPiper vulnerabilities), include steps to reproduce, expected vs actual behavior, and any PoC details in a private message to our team.

Reminder: If you are in doubt, do not proceed without explicit written authorization.

---

© 2025 Vulcure. This policy is intended to protect users, operators, and the broader community. We may update this policy periodically; the "Last Updated" date above reflects the current version.