Terms of Service
Effective date: June 2026
Services and Eligibility
Expose Security Research provides security research, vulnerability documentation, responsible disclosure support, and remediation advisory services for organizations and authorized representatives. Services are intended for business, institutional, and professional use only.
Responsible Disclosure
Security findings are handled through responsible disclosure. Initial safety notification to an affected organization is not conditioned on payment. Paid services cover professional documentation, advisory time, remediation support, and report preparation; they are not payment for silence, delay, or non-disclosure.
Authorized Engagements
Active testing is performed only with documented authorization from the system owner or an authorized representative. Passive observation of publicly accessible systems may be conducted for good-faith responsible disclosure, but Expose Security Research does not access private systems, bypass authentication, or test third-party systems without written authorization.
Client Responsibilities
Client must provide accurate contact details, confirm authority over all scoped systems, identify third-party or vendor-managed assets, maintain backups, provide emergency contacts, and implement fixes at Client's own discretion. Client is responsible for obtaining any required third-party permissions before testing begins.
Payment Terms
Fees are quoted and payable in USD unless a written proposal states otherwise. Invoices, due dates, taxes, and payment methods are governed by the applicable proposal or invoice. Unless required by law or agreed in writing, paid report fees are non-refundable after delivery of the report or substantial performance of the service.
Reports and License
Reports are licensed to Client for internal security, legal, insurance, audit, and remediation use. Client may share reports with employees, counsel, insurers, auditors, hosting providers, and remediation vendors who need access and are bound by confidentiality. Reports may not be sold, publicly published, redistributed, or used for marketing without written consent from Expose Security Research.
Intellectual Property
All research methodologies, workflows, tools, templates, scoring methods, and processes used by Expose Security Research remain the exclusive property of Expose Security Research or its operators. No rights are transferred except the limited report license stated in these Terms or a written engagement agreement.
Confidentiality
Non-public reports, technical evidence, client communications, credentials, and engagement details are confidential. Confidentiality does not apply to information that is already public, independently developed without confidential information, received lawfully from a third party, required to be disclosed by law, or disclosed under the responsible disclosure policy after private notice and a reasonable disclosure window.
Public Listings
Public disclosure registry and blacklist pages publish status-level information only, such as organization name, domain, finding category, severity, notice date, deadline status, and resolution status. Expose Security Research does not publish credentials, private user data, exploit-ready instructions, or private report contents. Organizations may request correction, dispute, or removal review by contacting security@exposesecurity.online.
Data Protection
Expose Security Research follows data protection principles including purpose limitation, data minimization, storage limitation, integrity, confidentiality, and accountability where applicable. Personal data encountered during research is minimized and handled only as necessary to verify, document, remediate, or lawfully disclose a finding. Additional details are provided in the Privacy Policy.
No Warranty
Services and reports are provided using professional judgment, but no assessment can guarantee complete security, compliance, uninterrupted service, or discovery of every vulnerability. Findings are based on the scope, timing, access, and evidence available during the engagement.
Limitation of Liability
To the maximum extent permitted by law, Expose Security Research is not liable for indirect, incidental, special, consequential, punitive, or lost-profit damages. Aggregate liability for a paid engagement is limited to the fees paid for that engagement during the six months before the claim, except where such limitation is not permitted by law.
Indemnification
Client agrees to indemnify and hold harmless Expose Security Research, its operators, contractors, and affiliates from claims, damages, losses, liabilities, and expenses arising from Client's lack of authority, inaccurate scope information, pre-existing vulnerabilities, failure to implement recommended fixes, third-party claims related to unauthorized systems, or unauthorized use or publication of research findings.
Governing Law
Unless a signed engagement agreement states otherwise, these Terms are governed by the laws of the State of Delaware, United States, without regard to conflict-of-law rules. The parties will first attempt to resolve disputes through good-faith negotiation for 30 days. If unresolved, either party may pursue binding arbitration in English under the AAA Commercial Arbitration Rules, with the seat of arbitration in Delaware, except that either party may seek urgent injunctive or equitable relief from a court of competent jurisdiction.
Force Majeure
Neither party is liable for delay or failure to perform caused by circumstances beyond reasonable control, including outages, provider failures, natural events, labor disruptions, war, government action, or widespread internet or infrastructure failures.
Changes
Expose Security Research may update these Terms from time to time. Material changes apply prospectively and do not change an already signed engagement agreement unless the parties agree in writing.