Terms of Service
Last updated: May 20, 2026. These are the rules for using the free public code scanner at socbox.cloud. By submitting a repository URL or otherwise using the service, you agree to them.
Plain-English summary
- The scanner is free, public, and best-effort. We don't promise uptime, scan speed, or that any particular finding is correct.
- Only submit repositories that are already public and that you own or are authorised to test. Don't use socbox to attack code you scanned, and don't use it to recon third parties.
- We don't claim ownership of the code you submit or the findings we produce. You keep all rights to your code; the scan report is yours to use, share, or ignore.
- We can refuse or remove a scan if it's used to abuse the service, target third parties, or violate the law.
- Signed-in tiers (Solo free, Pro, Pro Max, Team) are coming soon. They're planned to layer on private-repo scanning, scheduled scans, webhook delivery, and — for Team — SSO and audit streaming. Quotas and the cancellation policy will be documented when those tiers launch; see section 4 below.
1. The agreement
These Terms are between you and socbox (“we”, “us”). They govern your access to the public scanner at socbox.cloud, including the submission form, the public scan permalinks, the recent-scans feed, and any related API or email.
If you're using the service on behalf of an organisation, you confirm you're authorised to bind it to these Terms.
2. Acceptable use
You may use the scanner to:
- Submit public Git repository URLs (GitHub, GitLab, Codeberg, Gitea, or compatible hosts) that you own or are authorised to test for security issues.
- Read, share, and embed the public permalink we generate for your scan.
- Subscribe an email address to receive a one-shot notification when your scan completes.
You may not use the scanner to:
- Scan a repository you don't own and aren't licensed or otherwise authorised to test. Public visibility is not the same as permission to test.
- Use scan results as a roadmap to attack the scanned codebase, its operator, or anyone running it in production.
- Submit the same repository repeatedly, or submit repositories you don't need scanned, with the effect of causing load on the source host (GitHub, GitLab, Codeberg, Gitea) or on socbox. Don't use the scanner as a denial-of-service relay against third-party Git hosts.
- Evade or attempt to evade our rate limits, abuse detections, or per-IP throttles.
- Submit private, copyrighted, or otherwise non-public material via mirroring tricks, redirect chains, or other workarounds.
- Use the scanner to violate any applicable law, including computer-misuse, export-control, and anti-spam laws.
We may detect, log, throttle, or block any submission that looks like it violates this section, with or without notice.
3. Service level (or lack of one)
The public scanner is provided best-effort, free of charge, with no service-level commitment. We don't guarantee:
- That the scanner is available at any given moment.
- That any individual scan will complete, complete quickly, or complete at all.
- That findings are complete, accurate, or actionable. The pipeline runs twelve open-source tools; tools have bugs, false positives, and false negatives. Use findings as a starting point, not a verdict.
- That any scan permalink will remain reachable indefinitely. We intend to keep the public corpus around, but we reserve the right to remove individual scans (see section 5).
4. Accounts and paid tiers
The public scanner does not require an account. You can optionally provide an email address to receive a one-shot notification when your scan finishes; that email is handled under the privacy policy.
Signed-in tiers — Solo (free, account required), Pro, Pro Max, and Team — are in development and coming soon. They're planned to add private-repo scanning, scheduled scans, webhook delivery, SSO, and audit-log export, with paid tiers billed through Stripe and self-service cancellation. The tier-specific terms (scan and webhook quotas, any over-quota metering, SSO requirements, team minimums, and cancellation behaviour) will be documented when those tiers launch. Until then, this document covers use of the free public scanner.
5. Your code, our findings
We don't claim ownership of any repository you submit. You keep every right you had in your code before the scan.
The scan report itself — the list of findings, the risk score, the SBOM, and the permalink page — is generated by us from public code. You may share, embed, or reuse it freely. We may also reference it: scans submitted to the public scanner are public by design, get a permalink, and appear in the recent-scans feed and our sitemap.
If a scan permalink contains material you have a legal right to have removed (DMCA, doxxing, leaked secrets you need rotated rather than indexed, court order), see the abuse reporting page. We respond to valid requests.
6. Suspension and termination
We may decline a submission, throttle your IP range, hide a permalink from the public feed, or take down a scan if it appears to violate section 2, infringes a third party's rights, exposes someone to harm, or is required to be removed by law.
For the rare case where we ban a person or an IP range from the service, we'll explain why on request to abuse@socbox.cloud.
7. Disclaimer of warranties
The service is provided “as is” and “as available”, with all faults and without warranty of any kind, express or implied. We disclaim, to the maximum extent permitted by law, all warranties of merchantability, fitness for a particular purpose, accuracy, non-infringement, and quiet enjoyment.
Findings are not security advice. Acting on a finding (or failing to act on a missing one) is your decision and your risk.
8. Limitation of liability
To the maximum extent permitted by law, we will not be liable to you for any indirect, incidental, consequential, special, or punitive damages arising out of or related to the service — including lost profits, lost data, or business interruption — even if we've been told such damages were possible.
For the free public scanner, our aggregate liability to you for any direct damages is capped at one hundred US dollars (USD 100).
9. Indemnity
You agree to indemnify and hold us harmless from any claim brought by a third party against us that arises out of your use of the scanner in violation of section 2 — for example, scanning a repository you weren't authorised to test, or using a scan to attack a third party's production system.
10. Governing law
These Terms are governed by the laws of [jurisdiction to be filled in by the operator before launch], without regard to its conflict-of-laws rules. Any dispute that can't be resolved by direct negotiation will be brought in the courts of that jurisdiction. Nothing in this section removes a consumer right that applies to you under your local law.
11. Changes
We may update these Terms. When we do, we'll change the “last updated” date at the top of the page. If the change is material we'll also note it on the home page or in the recent-scans feed for at least thirty days. Your continued use of the scanner after the change means you accept the new Terms.
12. Contact
- General / legal: legal@socbox.cloud
- Abuse + takedown: /abuse (or abuse@socbox.cloud)
- Security vulnerabilities in socbox itself: /security (or security@socbox.cloud)