Dr. Deploy
Acceptable Use Policy

Effective May 13, 2026

Dr.Deploy is a security & quality scanner. Used right, it tells you about problems on sites you own. Used wrong, it's a vulnerability scanner pointed at someone else's infrastructure — which is illegal in most jurisdictions. This policy is the line.

What you may scan

  • Sites you own.
  • Sites where you have explicit written authorization from the owner to perform automated security scans (a "permission-to-scan" letter, a bug-bounty scope, etc.).
  • Sites operated by an organization where you are a current employee with security responsibilities AND your role grants you the authority to commission scans.

What you may NOT scan

  • Sites you do not own and where you don't have explicit authorization.
  • Government, healthcare, financial-institution, or critical-infrastructure sites you don't directly operate, regardless of your motivation.
  • Bug-bounty targets where the program scope explicitly excludes automated scanning.
  • Other people's sites that you test through the service on their behalf (e.g., as an agency or contractor), unless you hold separate authorization for each one.

Adding a site to Dr.Deploy is your representation that you have authority to scan it. We require ownership verification (DNS TXT record or /.well-known file) before any scans run. Unverified sites can be added to your account but never scanned.

What our scanner does + does not do

  • Does: HTTP/HTTPS GET to the URL, parse HTML + linked JavaScript bundles, regex-match for known leaked-secret patterns, check for common exposed paths (.env, .git/config), check meta/og/canonical tags. Operates as a polite crawler with reasonable rate limits.
  • Does NOT: brute-force passwords, port-scan, exploit vulnerabilities, fingerprint software for vulnerability lookup, attempt SQL injection / XSS payloads, attempt to access authenticated areas, deliberately trigger errors. We're a passive-read scanner.

If you need an active pen-test or vulnerability scanner, this isn't that product. Use a dedicated tool with explicit authorization.

When we find a real leak on your site

The whole point. We tell you in the dashboard, send you an email, and offer a public report URL you can share with collaborators. We do not:

  • Test the leaked credential against the issuing service (we don't try the OpenAI key against OpenAI's API, etc.). The leak detection is purely pattern-based.
  • Post the leak publicly (the public-report URL is a long random token; it's only public if you share the URL).
  • Sell or share the finding with anyone outside your account.

When we find a leak on someone ELSE's site

If a Dr.Deploy customer's scan inadvertently surfaces what looks like a third party's leaked credential (e.g., the customer is a freelance dev whose client's app embeds another vendor's keys), we'll tell the customer it was found and recommend they either remove the offending content or coordinate disclosure with the vendor. We don't notify the third party directly, and we don't pursue independent disclosure. This is a tool for the operator of the site, not a public vulnerability researcher.

Free tier eligibility

The free tier is for non-commercial or open source projects, up to 3 sites per workspace. "Non-commercial" means the site is not generating revenue and is not part of a venture you're paid to operate. "Open source" means the source code is publicly available under an OSI-approved license. If your usage no longer fits either definition (you start charging users, raise a round, ship a closed-source product), upgrade to a paid tier. We don't auto-detect this — we trust you to make the call honestly.

We reserve the right to ask for proof of eligibility (a link to the public repo, a quick note about the project) if a free-tier workspace looks commercial in scale. We won't suspend silently; if we have a question, we'll email and give you a week to respond before any change.

Rate limits + abuse

  • Free tier (non-commercial / open source): up to 3 sites, daily safety-net scan + manual scan up to 5×/hour.
  • Paid tiers: 3-10 sites depending on tier (Monthly / Yearly / Lifetime); deploy-webhook scans + daily safety-net + manual unlimited.
  • Behavior we suspend accounts for: scans that obviously aren't yours, attempts to weaponize the public-report URLs to dox sites, sustained API abuse, unpaid invoice fraud (signing up multiple accounts to evade a chargeback dispute, etc.), and using the free tier for commercial projects after a written eligibility check.

Reporting abuse

If you believe someone is using Dr.Deploy to scan a site they don't own (yours, for example): email [email protected] with the URL pattern + any evidence. We respond to legitimate reports within 48h and pull the offending account if confirmed.

Changes

We may update this AUP without prior notice if a new abuse pattern emerges that needs to be addressed immediately. Material expansions of restrictions get a 14-day email notice.