Last updated: 2026-04-25
This Acceptable Use Policy (AUP) defines what is permitted and prohibited in the context of intrus.io's contracted services. It extends the Terms of Service and the specific contract of each engagement. Violations may result in immediate suspension, termination, and legal liability.
All pentest, red team, or related activity requires an Authorization to Test letter signed by an authorized client representative, specifying targets, testing window, and scope.
It is STRICTLY PROHIBITED to request from intrus.io any attack, test, scan, or offensive action against assets NOT owned or controlled by the contracting client. Authorization fraud attempts are reported to competent authorities (Brazil's Law 12.737/2012 — Carolina Dieckmann; equivalents in other jurisdictions).
Delivered technical reports may NOT be: (a) used to attack unauthorized third parties; (b) commercially resold or redistributed; (c) used as evidence in litigation without prior intrus.io consent.
Using the contractual relationship with intrus.io for unlawful purposes is prohibited, including money laundering, sanctions evasion, unauthorized industrial espionage, or intimidation of journalists/dissidents.
We do not perform tests that may cause physical harm, bodily injury, or death (e.g., direct attacks on healthcare systems without mirror environments, in-use clinical medical equipment, in-production air traffic control systems).
We do not perform social engineering involving blackmail, extortion, public authority impersonation, or unlawful acts in applicable jurisdictions.
For critical OT/SCADA environments, we require a homologation (staging) environment or prior validation by the client's operations engineering.
Novel vulnerabilities discovered in third-party products/systems during engagement are handled per Coordinated Vulnerability Disclosure (CVD): client notification, then notice to the affected vendor with a reasonable remediation window (90 days standard), then responsible disclosure.
We do not commercialize exploits or pass them to vulnerability brokers.
After engagement closure, sensitive client information is retained for a maximum of 90 days and then deleted. A destruction certificate is issued upon request.
Non-disclosure agreements (NDAs) remain in force for the contracted term, even after closure.
Suspected AUP violations by intrus.io staff or clients may be reported confidentially to contato@intrusioncyber.com.
For specific questions about this document, email contato@intrusioncyber.com.