Hard2bit Scanner Terms of Use
Last updated: May 27, 2026.
1. What is Hard2bit Scanner
Hard2bit Scanner is a continuous public security posture auditing tool for Internet-accessible domains. It is provided as a SaaS service by Hard2bit S.L. (Spanish CIF B86717147, registered office in Las Rozas de Madrid, operating office at Avenida Juan Caramuel 1, 28919 Leganés, Madrid, Spain). By using this service you accept the conditions described in this document, which complement our General Terms and Privacy Policy.
2. Nature of the analysis: passive and non-intrusive
All analyses performed by Hard2bit Scanner are strictly passive. The tool:
- Queries exclusively publicly available information from the Internet: DNS records, TLS certificates published in Certificate Transparency Logs, HTTP response headers to standard requests, visible website content, WHOIS records, and public threat intelligence feeds.
- Does not send anomalous traffic or attempt to actively exploit vulnerabilities.
- Does not generate entries in your logs or trigger WAF, IDS, or IPS alerts beyond what any browser or standard crawler would generate.
- Does not access private, authenticated, or password-protected resources, nor resources protected by token or IP allowlist.
The analysis is functionally equivalent to the information any person or public service (Google, Shodan in passive mode, etc.) could gather about the domain without special permission.
3. Authorization to scan: user responsibility
The user entering a domain into the tool declares, under their own responsibility, that they have legitimate authorization to audit that domain. Typical authorized use cases:
- Corporate domain owned by the user or their organization.
- Domain of a client who has engaged the user for professional auditing services.
- Third-party domains with express written authorization for security analysis.
Although the data queried is technically public, legal responsibility for the analysis always rests with the user who initiates it. Hard2bit S.L. does not and cannot verify the legitimacy of each individual request. Certain jurisdictions consider unauthorized scanning of third-party systems an infringement even when the data queried is public.
Use of the scanner against domains for which the user lacks demonstrable authorization is expressly prohibited, as is any use intended to prepare attacks, conduct unauthorized mass data collection, or evade service usage limits.
4. Analysis limitations
Hard2bit Scanner provides a point-in-time snapshot of public security posture at the moment of analysis. Important limitations:
- Does not replace a professional pentest. A pentest implies active vulnerability analysis by qualified personnel, controlled exploitation to verify real impact, and human validation of each finding. The scanner detects visible public posture, not verified exploitable vulnerabilities.
- Does not detect zero-day vulnerabilities, application logic issues, or internal private configurations.
- Findings may contain false positives or false negatives derived from the passive nature of the analysis or limitations of the external intelligence services queried.
- Results reflect the state of the domain at the moment of analysis. Configuration changes, newly discovered vulnerabilities, or modifications to the external environment (threat intelligence feeds, etc.) may invalidate previous results within hours.
- Some sub-analyses may return partial results or be skipped when the external services queried are temporarily unavailable or have changed their terms. These cases are explicitly indicated in the report.
The user is responsible for validating findings in their operational context and making appropriate remediation decisions. Hard2bit S.L. recommends complementing scanner usage with periodic professional audits for critical environments.
5. Data processed during the analysis
During each analysis, Hard2bit Scanner processes:
- The domain entered by the user.
- The requester's IP (for abuse control, fraud prevention, and forensic activity logging purposes).
- The user's email (only if the user is registered and authenticated), to associate the analysis with their personal history.
- Public information from the analysed domain: DNS records, TLS certificates, HTTP headers, visible content.
Personal data processing is governed by our Privacy Policy.
Generated reports are retained for 30 days for registered users (accessible from /account) and automatically deleted thereafter.
6. External services queried during the analysis
To enrich findings, Hard2bit Scanner queries public external services during each analysis. We share only the analysed domain (not the user's personal data) with the following:
- Cert Spotter (sslmate.com) — subdomain discovery via Certificate Transparency.
- Have I Been Pwned (haveibeenpwned.com) — exposure of providers with documented breaches (public endpoint without authentication).
- URLhaus, Feodo Tracker, PhishTank, Google Safe Browsing, Spamhaus DBL/ZEN — threat intelligence feeds.
- crt.sh — additional Certificate Transparency for typosquatting detection.
- GitHub Code Search API — search for domain mentions in public repositories.
- NIST NVD — public known vulnerabilities database.
- Common Crawl — exposure in public datasets used for AI training.
The complete list, updated with each new integration, is internally documented and available upon reasonable request.
7. Limitation of liability
The service is provided "as is". Hard2bit S.L. does not warrant:
- Exhaustive detection of all existing security issues on the analysed domain.
- Absence of errors, false positives, or false negatives in the findings.
- Uninterrupted availability of the service or of the external services queried.
- Suitability of the findings for any specific purpose of the user.
The user assumes responsibility for the operational, technical, or commercial decisions made based on scanner findings. Hard2bit S.L. is not liable for direct or indirect damages, loss of profit, data loss, or consequences arising from use or inability to use the service, except under the mandatory terms of applicable law.
For formal audits with a professional report signed by a certified expert, contact our professional services team at info@hard2bit.com.
8. Modifications to these conditions
Hard2bit S.L. reserves the right to modify these conditions at any time. Modifications will be reflected on this page and in the published version of the General Terms. Continued use of the service after a significant modification implies acceptance of the new conditions.
9. Contact
For any legal, technical, or commercial inquiries about scanner usage, write to:
- General email: info@hard2bit.com
- Privacy and GDPR rights (access, deletion, portability): info@hard2bit.com with subject "GDPR".
- Security bug reports about the scanner itself: info@hard2bit.com with subject "Security disclosure" — we appreciate responsible disclosure.