1. Service Provider
VulnScan (vulnscan.cscloud.dk) is a vulnerability scanning service provided by:
CTY TNHH DUMEPRO
30a Hẻm 600/42, Trảng Dài, Thành phố Biên Hòa, Đồng Nai, Vietnam
Website: dume.pro
The platform is powered and hosted by:
Conscient Systems A/S
Lammesovej 12, 5450 Otterup, Denmark
CVR: DK37807877
Website: cs1.dk
2. Service Description
VulnScan is a web-based vulnerability scanning platform that performs automated security assessments of web applications and infrastructure. The service uses industry-standard open-source scanning tools to identify potential security vulnerabilities in targets specified by the user.
The platform provides two types of security assessments:
Vulnerability Scanning
- Automated vulnerability scanning using OWASP ZAP and Nuclei
- Severity-classified findings (Critical, High, Medium, Low, Informational)
- HTML vulnerability reports
- Scan comparison and trend tracking over time (New, Fixed, Unchanged findings)
- Authenticated scanning support (form login, API key, Bearer token, custom headers)
Tracking & Consent Compliance Scanning
The tracking scan module analyzes websites for third-party tracking technologies and evaluates their compliance with GDPR and ePrivacy consent requirements. The scan uses a headless browser to:
- Load the target page and record all network requests and cookies set before any user consent is given
- Detect the consent management platform (CMP) in use (supports Cookie Information, OneTrust, CookieBot, Quantcast, TrustArc, Didomi, Complianz, CookieYes, Klaro, Usercentrics, Termly, Iubenda, and others)
- Simulate clicking "Accept All" on the consent banner and record all new network requests and cookies that fire after consent
- Classify detected trackers by category (analytics, advertising, social media, functional) using a comprehensive domain blocklist
- Flag violations: trackers that activate before the user has given consent, which may breach Article 5(3) of the ePrivacy Directive and the GDPR consent requirements
Tracking scan results include comparison tracking (New/Fixed/Unchanged) between scans to monitor whether consent violations have been remediated.
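The pre-/post-consent classification and the New/Fixed/Unchanged comparison described above, as an added example that is not VulnScan's or ConsentCrawl's own code. It works on request URLs that a headless browser would have captured; the blocklist, the request lists and the category names are constructed sample data, and the function names are this example's own.

```python
# Added example (not VulnScan's own code): classify requests captured before and
# after consent against a tracking-domain blocklist, flag pre-consent violations,
# and compare the violation set with a previous scan (New / Fixed / Unchanged).
from urllib.parse import urlsplit

# Constructed blocklist: registrable tracker domain -> category.
BLOCKLIST = {
    "google-analytics.com": "analytics",
    "doubleclick.net": "advertising",
    "facebook.net": "social media",
    "hotjar.com": "analytics",
}

# Constructed sample captures: requests seen before and after clicking "Accept All".
SAMPLE_PRE_CONSENT = [
    "https://www.example.test/",
    "https://cdn.example.test/app.js",
    "https://www.google-analytics.com/collect?v=1",
    "https://static.hotjar.com/c/hotjar-1.js",
]
SAMPLE_POST_CONSENT = SAMPLE_PRE_CONSENT + [
    "https://securepubads.doubleclick.net/gampad/ads",
    "https://connect.facebook.net/en_US/fbevents.js",
]


def tracker_category(url: str):
    """Return (blocklisted_domain, category) if the URL's host is a blocklisted
    domain or a subdomain of one; None for first-party / unlisted hosts."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    # Walk from the full host up to the registrable domain; never test the bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return candidate, BLOCKLIST[candidate]
    return None


def classify(requests: list) -> dict:
    """Map every blocklisted domain seen in a request list to its category."""
    found = {}
    for url in requests:
        hit = tracker_category(url)
        if hit:
            found[hit[0]] = hit[1]
    return found


def analyse(pre_consent: list, post_consent: list) -> dict:
    """Trackers firing before consent are violations; trackers that only appear
    after "Accept All" are consent-gated and therefore compliant."""
    before = classify(pre_consent)
    after = classify(post_consent)
    return {
        "violations": sorted(before),
        "consented_only": sorted(set(after) - set(before)),
        "categories": {**before, **after},
    }


def compare(previous_violations: set, current_violations: set) -> dict:
    """New / Fixed / Unchanged comparison between two scans of the same URL."""
    return {
        "New": sorted(current_violations - previous_violations),
        "Fixed": sorted(previous_violations - current_violations),
        "Unchanged": sorted(current_violations & previous_violations),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_PRE_CONSENT, SAMPLE_POST_CONSENT)
    print(result)
    # Constructed previous-scan violation set, to show the comparison output.
    print(compare({"google-analytics.com", "doubleclick.net"}, set(result["violations"])))
```

Matching walks up from the full host so that `www.google-analytics.com` and `static.hotjar.com` hit their registrable domains without the blocklist having to enumerate every subdomain; the bare TLD is deliberately never tested.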
Common Features
- Per-URL scan type selection (Vulnerability, Tracking, or Both)
- Scheduled recurring scans (monthly, quarterly, semi-annual, annual)
- Multi-user, multi-company management
- Credit-based billing (same credit system for both scan types)
PCI ASV-grade detection coverage
In addition to the OWASP ZAP and Nuclei pipeline, every vulnerability scan now runs the following engines in parallel against the target host:
- Full TCP port scan (1-65535) + curated UDP set via Nmap. The UDP set covers RADIUS, Kerberos, DNS, NetBIOS, NFS, NTP, SNMP, RPC, Syslog, TFTP, IPSec, RIP, and other protocols enumerated in the PCI ASV Program Guide.
- Service and version fingerprinting on every open port, then matched against endoflife.date so unsupported (EOL) Apache, OpenSSL, PHP, MySQL, Postgres, Windows Server and 300+ other products are flagged as automatic compliance failures.
- Database service exposure detection — any MySQL / MariaDB / Postgres / MongoDB / Redis / Memcached / Elasticsearch / MSSQL / Cassandra / CouchDB reachable from the public internet is flagged as a PCI DSS Requirement 1.4.4 violation and an automatic compliance failure.
- Comprehensive TLS testing via testssl.sh: SSLv2, SSLv3, TLS 1.0 and TLS 1.1 support, weak cipher suites (RC4, DES, 3DES, NULL, EXPORT, anonymous DH), weak signature algorithms (MD5, SHA-1), short keys, self-signed certificates, hostname mismatches, expired certificates, and the following named TLS CVEs: Heartbleed (CVE-2014-0160), POODLE (CVE-2014-3566 + CVE-2014-8730), BEAST (CVE-2011-3389), BREACH (CVE-2013-3587), CRIME (CVE-2012-4929), FREAK (CVE-2015-0204), Logjam (CVE-2015-4000), DROWN (CVE-2016-0800), Sweet32 (CVE-2016-2183), ROBOT (CVE-2017-13099), Lucky13 (CVE-2013-0169), Ticketbleed (CVE-2016-9244).
CVSS v3.1 scoring & PCI automatic-fail rules
Each finding is scored using the Common Vulnerability Scoring System version 3.1 (CVSS v3.1). When the finding has a published CVE, the vector is sourced from the National Vulnerability Database (NVD); the ASV Program Guide v3.2r1 precedence rules apply (v3.1 → v3.0 → v2.0). The PCI Program Guide Table 2 thresholds determine the per-finding compliance status:
- CVSS 7.0–10.0 → High → Fail
- CVSS 4.0–6.9 → Medium → Fail
- CVSS 0.0–3.9 → Low → Pass
Independently of CVSS, the following ASV Program Guide Table 1 conditions are automatic compliance failures: SQL injection, cross-site scripting (XSS), directory traversal, HTTP response splitting / header injection, default or built-in credentials, internet-exposed databases, unrestricted DNS zone transfer, backdoor / rootkit / Trojan presence, end-of-life operating systems or core software, and any acceptance of SSLv2, SSLv3, TLS 1.0 or TLS 1.1.
The four documented exceptions to the CVSS rule are honoured: denial-of-service-only findings (Confidentiality:None and Integrity:None) cannot fail, ASVs may override an NVD score with documented justification, findings missing from NVD are scored by the ASV, and any Table 1 violation overrides CVSS regardless of score.
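The per-finding verdict logic described in this section (Table 2 thresholds, NVD version precedence, Table 1 automatic failures and the DoS-only exception), as an added example that is not VulnScan's own code. The `Finding` fields and the condition identifiers are this example's own naming; the `cvssMetricV31` / `cvssMetricV30` / `cvssMetricV2` keys are assumed to follow the NVD API 2.0 JSON layout.

```python
# Added example (not VulnScan's own code): PCI ASV-style per-finding verdict from
# CVSS v3.1 with the Table 1 automatic-fail and DoS-only rules described above.
from dataclasses import dataclass, field
from typing import Optional

# ASV Program Guide Table 1 automatic-fail conditions as listed on this page;
# the identifiers are this example's own.
TABLE1_AUTO_FAIL = {
    "sql_injection", "xss", "directory_traversal", "http_response_splitting",
    "default_credentials", "exposed_database", "dns_zone_transfer",
    "backdoor", "eol_software", "legacy_tls",
}


def pick_nvd_score(metrics: dict) -> Optional[tuple]:
    """Apply the v3.1 -> v3.0 -> v2.0 precedence to an NVD 'metrics' object
    (key names assumed from the NVD API 2.0 layout). Returns (score, vector) or None."""
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        entries = metrics.get(key) or []
        if entries:
            data = entries[0]["cvssData"]
            return float(data["baseScore"]), data["vectorString"]
    return None


def parse_cvss_vector(vector: str) -> dict:
    """Split 'CVSS:3.1/AV:N/.../C:N/I:N/A:H' (or a v2 vector) into {'AV': 'N', ...}."""
    parts = vector.split("/")
    if parts and parts[0].startswith("CVSS:"):
        parts = parts[1:]
    return dict(p.split(":", 1) for p in parts if ":" in p)


def severity_for(score: float) -> str:
    """PCI Program Guide Table 2 severity bands."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


@dataclass
class Finding:
    name: str
    nvd_score: Optional[float]              # None when the finding is absent from NVD
    cvss_vector: Optional[str]
    table1_conditions: set = field(default_factory=set)
    asv_score: Optional[float] = None       # ASV-assigned (missing from NVD) or override
    asv_justification: str = ""             # mandatory when overriding an NVD score


def verdict(f: Finding) -> dict:
    """Return {'score', 'severity', 'status', 'reason'} for one finding."""
    # Score selection: NVD score unless the ASV supplied or overrode one.
    if f.asv_score is not None:
        if f.nvd_score is not None and not f.asv_justification.strip():
            raise ValueError(f"{f.name}: overriding an NVD score requires documented justification")
        score = f.asv_score
    elif f.nvd_score is not None:
        score = f.nvd_score
    else:
        raise ValueError(f"{f.name}: no NVD score and no ASV-assigned score")
    sev = severity_for(score)

    # Any Table 1 condition fails regardless of CVSS score.
    hits = sorted(f.table1_conditions & TABLE1_AUTO_FAIL)
    if hits:
        return {"score": score, "severity": sev, "status": "Fail",
                "reason": "Table 1 automatic failure: " + ", ".join(hits)}

    # DoS-only findings (Confidentiality:None and Integrity:None) cannot fail.
    if f.cvss_vector:
        m = parse_cvss_vector(f.cvss_vector)
        if m.get("C") == "N" and m.get("I") == "N":
            return {"score": score, "severity": sev, "status": "Pass",
                    "reason": "denial-of-service-only finding (C:N, I:N)"}

    status = "Fail" if score >= 4.0 else "Pass"
    return {"score": score, "severity": sev, "status": status,
            "reason": f"CVSS {score} -> {sev}"}
```

The order of the checks matters: the Table 1 test runs before the DoS-only exception, so an internet-exposed database with a C:N/I:N vector still fails, and the override path refuses to replace an NVD score unless a justification is recorded with it.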
Reports & deliverables
Every completed vulnerability scan produces three artefacts:
- Attestation of Scan Compliance (PCI Program Guide Appendix A) — the cover sheet with verbatim PCI-mandated customer + ASV attestation text, scan customer information, ASV information including certificate number, scan completion date, 90-day expiration, compliance verdict, and component counts.
- ASV Scan Executive Summary (Appendix B) — component-level pass/fail, per-IP vulnerability listing sorted by descending CVSS, special notes (remote-access software, POS, directory browsing, payment-page scripts, etc.), and full scope tracking (submitted / in-scope / out-of-scope).
- ASV Scan Vulnerability Details (Appendix C) — per-vulnerability CVSS vector, automatic-fail reason if applicable, detection source, evidence, remediation guidance, and the full dispute / exception / compensating-control adjudication record.
Reports are delivered as both HTML (in-app viewer) and PDF (downloadable). The legacy single-page HTML report remains available for backward compatibility with existing customer integrations.
Dispute & exception handling
Per PCI Program Guide v3.x, scan customers may dispute findings in three categories: false positive, compensating control, and exception. Submissions go through the in-app dispute workflow which captures:
- The dispute type and a textual explanation (minimum 10 characters, maximum 4 000).
- One or more evidence files (up to 10 MB each, PDF / image / text / archive formats), each with the chain-of-evidence trio: when, where, and how obtained.
- A quarter stamp (YYYY-Qn), so disputes do not carry forward across quarters; the Program Guide requires re-attestation each quarter.
Disputes are adjudicated by ASV-qualified reviewers from the /admin/disputes queue. Reviewers record their decision (accepted, rejected, or needs-more-information) along with a justification that becomes part of the report. Reviewer names appear on each adjudicated finding per Program Guide §6 to support accountability.
Tamper-evidence sealing & retention
When a scan completes, both the HTML and PDF deliverables are hashed with SHA-256 and the digests are stored in a sealed record alongside the scan completion timestamp. Each seal carries a three-year retention deadline matching ASV Qualification Requirements §4.5.1. A nightly retention sweep removes artefacts past the deadline; the underlying scan database row is preserved so historical credit and billing references stay intact. Customers who require longer retention should download and archive the PDF deliverables before the deadline.
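The sealing, verification and retention-sweep flow described above, as an added example that is not VulnScan's own code. The `Seal` record layout and the function names are assumptions; the report bytes in the demo are constructed.

```python
# Added example (not VulnScan's own code): SHA-256 tamper-evidence seal for the
# HTML and PDF deliverables, seal verification, and the nightly retention sweep.
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone

RETENTION_YEARS = 3   # three-year deadline per ASV Qualification Requirements §4.5.1


def utc(year, month, day, hour=0, minute=0) -> datetime:
    """Timezone-aware UTC timestamp (seal timestamps must never be naive)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_years(dt: datetime, years: int) -> datetime:
    try:
        return dt.replace(year=dt.year + years)
    except ValueError:                    # 29 Feb rolled into a non-leap year
        return dt.replace(year=dt.year + years, day=28)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Seal:
    scan_id: str
    completed_at: datetime
    retention_until: datetime
    digests: dict                  # artefact name -> hex SHA-256 digest
    artefacts_present: bool = True # False once the sweep has removed the files


def seal_scan(scan_id: str, artefacts: dict, completed_at: datetime) -> Seal:
    """Hash every deliverable and store the digests with the completion time."""
    if completed_at.tzinfo is None:
        raise ValueError("completed_at must be timezone-aware")
    return Seal(
        scan_id=scan_id,
        completed_at=completed_at,
        retention_until=add_years(completed_at, RETENTION_YEARS),
        digests={name: sha256_hex(blob) for name, blob in artefacts.items()},
    )


def verify(seal: Seal, name: str, data: bytes) -> bool:
    """True only if the artefact bytes still match the sealed digest."""
    expected = seal.digests.get(name)
    if expected is None:
        return False
    # Constant-time comparison so a verifier cannot be probed digit by digit.
    return hmac.compare_digest(expected, sha256_hex(data))


def retention_sweep(seals: list, now: datetime) -> list:
    """Flag every seal whose deadline has passed and return their scan ids.
    The Seal (the database row) is kept; only the artefact files are removed."""
    swept = []
    for s in seals:
        if s.artefacts_present and now > s.retention_until:
            s.artefacts_present = False   # the caller deletes the HTML/PDF files here
            swept.append(s.scan_id)
    return swept


if __name__ == "__main__":
    # Constructed deliverables; real reports would be the generated HTML and PDF bytes.
    html, pdf = b"<html>constructed report</html>", b"%PDF-1.4 constructed"
    s = seal_scan("scan-42", {"report.html": html, "report.pdf": pdf}, utc(2024, 2, 29, 12))
    print(s.retention_until.isoformat(), verify(s, "report.pdf", pdf))
    print(retention_sweep([s], utc(2027, 3, 1)))
```

Verification is the part customers can reproduce themselves: re-hashing an archived PDF and comparing it with the sealed digest shows whether the file they hold is the one the scan produced, which is why the seal row outlives the files it describes.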
Audit log
The platform maintains an append-only audit log capturing user role and status changes, scan deletions, dispute submissions and adjudications, credit grants and debits, and report downloads. Each event records the actor, source IP (extracted from X-Forwarded-For), user-agent, target object, and a JSON details blob with the event-specific payload. The log is indexed for fast lookup by actor, action, target, customer, and time range.
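An append-only audit-log writer with the event fields listed above, as an added example that is not VulnScan's own code. The point worth seeing in code is the source-IP extraction: X-Forwarded-For is client-supplied, so the example walks the header from the right and trusts only addresses in the platform's own proxy range. The log path, field names, trusted-proxy range and the two demo events are assumptions or constructed data.

```python
# Added example (not VulnScan's own code): append-only JSON-lines audit log and
# client-IP extraction from X-Forwarded-For that skips only trusted proxies.
import ipaddress
import json
import os
import tempfile
from datetime import datetime, timezone

# Assumed reverse-proxy range in front of the application.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_ip(xff: str, peer: str) -> str:
    """Walk the X-Forwarded-For chain from the right (nearest hop first), skipping
    trusted proxies. A client that prepends fake addresses to the header never
    gets past its own real address, which the first trusted proxy appended."""
    chain = [p.strip() for p in xff.split(",") if p.strip()] + [peer]
    for addr in reversed(chain):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return peer                       # malformed hop: fall back to the TCP peer
        if not any(ip in net for net in TRUSTED_PROXIES):
            return str(ip)
    return peer


class AuditLog:
    """One JSON object per line; the file is only ever opened in append mode."""

    def __init__(self, path: str):
        self.path = path

    def record(self, actor: str, action: str, target: str, details: dict,
               xff: str, peer: str, user_agent: str) -> dict:
        event = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "target": target,
            "source_ip": client_ip(xff, peer),
            "user_agent": user_agent,
            "details": details,            # event-specific JSON payload
        }
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(event, sort_keys=True) + "\n")
        return event

    def query(self, **filters) -> list:
        """Exact-match lookup on top-level fields (actor, action, target, ...).
        A database index over the same fields replaces this linear scan in production."""
        out = []
        with open(self.path, encoding="utf-8") as fh:
            for line in fh:
                ev = json.loads(line)
                if all(ev.get(k) == v for k, v in filters.items()):
                    out.append(ev)
        return out


def demo() -> list:
    """Write two constructed events to a temporary log and return those by alice."""
    fd, path = tempfile.mkstemp(suffix=".jsonl")
    os.close(fd)
    log = AuditLog(path)
    try:
        log.record("alice@example.test", "scan.delete", "scan:42", {"reason": "duplicate"},
                   "203.0.113.7, 10.0.0.5", "10.0.0.9", "Mozilla/5.0 (constructed)")
        log.record("bob@example.test", "credit.grant", "company:7", {"credits": 5},
                   "", "198.51.100.2", "curl/8.0 (constructed)")
        return log.query(actor="alice@example.test")
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

Taking the leftmost X-Forwarded-For value instead would let any user write an arbitrary address into the audit trail; the right-to-left walk bounded by the trusted proxy range is the check a reviewer should look for wherever the header feeds a log.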
PCI ASV technical alignment
VulnScan is engineered to meet and exceed the technical requirements of the PCI ASV Program Guide v3.x. The detection engines, CVSS v3.1 scoring, auto-fail rules, Appendix A/B/C report templates, three-state dispute workflow with chain-of-evidence, 90-day scan expiration, three-year retention, immutable audit log, and SHA-256 tamper-evidence sealing are all implemented to the same rules an Approved Scanning Vendor is held to — and the platform extends them with payment-page script integrity (DSS 6.4.3 / 11.6.1) and active-protection interference detection.
VulnScan reports are compliance-adjacent: they give security, audit, and engineering teams the same depth and rigor as a PCI-attested scan, suitable for internal use, executive review, audit preparation, vendor-assurance evidence, and pen-test pairing. They do not replace an externally-attested ASV scan submitted to an acquiring bank or payment brand under PCI DSS Requirement 11.3.2; a customer with that specific submission obligation must still engage a PCI-listed Approved Scanning Vendor for that purpose. For all other uses VulnScan delivers the same technical assurance without the ASV-engagement overhead.
3. User Obligations and Acceptable Use
By using VulnScan, you agree that:
- You will only scan targets (URLs, domains, IP addresses) that you own or have explicit, documented authorization to test.
- You are solely responsible for obtaining proper authorization before initiating any scan.
- You will not use the service to perform unauthorized security testing, denial-of-service attacks, or any activity that violates applicable laws.
- You will not attempt to exploit, reverse-engineer, or tamper with the VulnScan platform itself.
- You are responsible for safeguarding your account credentials and any authentication tokens stored in the platform.
Unauthorized scanning of third-party systems is illegal in most jurisdictions and may result in criminal prosecution. VulnScan and its operators bear no liability for unauthorized use of the service.
4. Disclaimer of Warranties
THE SERVICE IS PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED.
In particular, VulnScan does not warrant or guarantee that:
- Completeness: The scans will detect all vulnerabilities present in the target. Automated scanning tools have inherent limitations and cannot replace a comprehensive manual penetration test.
- Accuracy: All findings are accurate. Scan results may contain false positives (reported vulnerabilities that do not actually exist) or false negatives (actual vulnerabilities that are not detected).
- Availability: The service will be available without interruption or error at all times.
- Fitness for purpose: The scan results are suitable for any specific compliance, certification, or regulatory purpose.
Scan results should be reviewed by qualified security professionals before taking action. VulnScan is a tool to assist in vulnerability management, not a substitute for professional security assessment.
5. Limitation of Liability
To the maximum extent permitted by applicable law, neither Dumepro nor Conscient Systems A/S shall be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, data, business opportunities, or goodwill, arising from your use of or inability to use the service.
The total aggregate liability for any claims relating to the service shall not exceed the amount you have paid for the service in the twelve (12) months preceding the claim.
6. Credit System and Payments
- Scans are billed using a credit system. Credits are purchased in advance and consumed upon scan completion.
- Scan cost depends on the complexity of the target (number of URLs discovered during spidering): 1 credit (1-50 URLs), 3 credits (51-200), 5 credits (201-500), 8 credits (501+).
- A minimum of 1 credit is reserved at scan start. The final cost is calculated upon scan completion.
- Payments are processed securely via PayPal. All prices are in EUR.
- Purchased credits are non-refundable except at the sole discretion of the service provider.
- Free-tier accounts receive 1 credit per month (capped at 1).
7. Data Handling and Privacy
VulnScan processes the following data:
- Account data: Email address for authentication and communication.
- Scan targets: URLs and domains you submit for scanning.
- Authentication credentials: If provided for authenticated scanning, credentials are encrypted at rest using AES-256-GCM and are only used during the scan execution.
- Scan results: Vulnerability findings and generated reports are stored and accessible to authorized users within your company organization.
The platform is hosted within EU-compliant infrastructure operated by Conscient Systems A/S in Denmark. Data is processed in accordance with applicable data protection regulations, including the EU General Data Protection Regulation (GDPR).
8. Account Management
- Accounts are created via email-based one-time password (OTP) authentication.
- New accounts require administrator approval before access is granted.
- Users may be assigned to one or more company organizations. Access to scans, reports, and credits is scoped to the company organization.
- The service provider reserves the right to deactivate or terminate accounts that violate these terms.
9. Third-Party Technologies
VulnScan incorporates the following open-source scanning technologies. Their use within this service is subject to their respective licenses and terms:
- OWASP ZAP (Zed Attack Proxy) — Open-source web application security scanner. License: Apache License 2.0. zaproxy.org
- Nuclei by ProjectDiscovery — Template-based vulnerability scanner. License: MIT License. github.com/projectdiscovery/nuclei
- Playwright by Microsoft — Browser automation framework used for tracking and consent compliance scanning. Connects to a headless Chromium browser to simulate real user visits, detect consent management platforms, and capture network requests before and after consent. License: Apache License 2.0. playwright.dev
- Browserless — Headless browser-as-a-service providing the Chromium runtime for tracking scans. Runs as a Docker container within the platform infrastructure. License: Various open-source licenses. browserless.io
- ConsentCrawl (inspiration) — The tracking scan module was inspired by the ConsentCrawl project by Dumky de Wilde, which pioneered the approach of checking for marketing/analytics scripts firing before and after consent using a headless browser with a tracking domain blocklist. License: MIT License. github.com/dumkydewilde/consentcrawl
- PayPal — Payment processing. PayPal User Agreement
Scan results are generated by these third-party tools and are provided to you without modification. The accuracy and completeness of results are subject to the capabilities and limitations of these tools.
10. Modifications to Terms
We reserve the right to update these Terms of Service at any time. Material changes will be communicated via the email address associated with your account. Continued use of the service after changes constitutes acceptance of the updated terms.
11. Governing Law and Dispute Resolution
These terms shall be governed by and construed in accordance with the laws of the Socialist Republic of Vietnam.
In the event of any dispute arising from or relating to these terms or the use of the service, the parties agree to resolve the matter through the following process:
- Negotiation: The parties shall first attempt to resolve the dispute through good-faith direct negotiation within thirty (30) days of written notice of the dispute.
- Mediation: If negotiation fails, the parties may agree to submit the dispute to commercial mediation by a mutually agreed mediator, conducted in English.
- Arbitration: If the dispute is not resolved through negotiation or mediation, it shall be referred to and finally resolved by commercial arbitration in accordance with the 2010 Vietnamese Commercial Arbitration Law. The arbitration shall be conducted in English, and the arbitral award shall be final and binding on both parties. Arbitral awards are enforceable internationally under the New York Convention on the Recognition and Enforcement of Foreign Arbitral Awards.
- Litigation: In the event that arbitration is not applicable or the parties mutually agree to proceed through courts, any litigation shall be subject to the exclusive jurisdiction of the People's Court of Bien Hoa City, Dong Nai Province, Vietnam.
12. Contact
For questions regarding these terms, the service, or your account, please use the in-app support ticket system or contact:
- Service provider: CTY TNHH DUMEPRO — dume.pro
- EU hosting provider: Conscient Systems A/S, CVR DK37807877 — cs1.dk