Privacy Policy

NullRabbit Ltd (company number 16865774, registered in England and Wales) is the data controller for personal data processed through our Internet Scanning Programme.

Contact: security@nullrabbit.ai

2.1 Scan Data

When we scan publicly accessible infrastructure, we collect:

• IP addresses of scanned hosts
• Open port numbers and transport protocols
• Service banners and version information returned by services
• TLS/SSL certificate details (issuer, validity, cipher suites, protocol versions)
• Protocol-level metadata (TCP timestamps, window sizes, TTL values)
• HTTP response headers (where web services are present)
• DNS records associated with scanned IP addresses
• Timestamps of scan activity

While IP addresses may constitute personal data under UK GDPR, particularly where they can be linked to an identifiable natural person, the majority of IP addresses processed through our scanning programme relate to servers, validators, or organisational infrastructure rather than individuals. Where IP addresses may relate to individuals, they are processed solely in accordance with this policy and subject to strict minimisation and retention controls.

2.2 Opt-Out Data

When you submit an opt-out request, we collect:

• IP addresses or CIDR ranges you request to be excluded
• Contact email address (if provided voluntarily)
• Organisation name (if provided voluntarily)
• Timestamp of opt-out request

2.3 Transparency Page Visitors

When you visit our scanning transparency page, we collect standard web server logs (IP address, user agent, timestamp, pages visited). We do not use tracking cookies or third-party analytics on the transparency page.

3.1 Legitimate Interest (Article 6(1)(f) UK GDPR)

Our primary lawful basis for processing scan data is legitimate interest. We have conducted a Legitimate Interest Assessment (LIA) which concludes:

Purpose

To identify vulnerabilities in publicly exposed internet infrastructure, particularly within decentralised network and blockchain validator ecosystems, in order to improve the security posture of the internet and to develop defensive security products and services.

Necessity

Scanning publicly exposed infrastructure is the only practical means of assessing the security posture of internet-facing services at scale. Operators frequently have services exposed that they are unaware of. Identifying these exposures before malicious actors exploit them serves a clear security benefit.

Balancing

We have balanced our legitimate interest against the rights and freedoms of data subjects:

• We collect only publicly available information that is already accessible to any internet-connected system, including malicious actors
• Our scanning is non-intrusive and does not attempt to access private data or exploit vulnerabilities
• We provide a clear, accessible opt-out mechanism that is processed as soon as reasonably practicable
• We maintain full transparency about our activities, including publishing scanner IP addresses and providing an API for programmatic identification and exclusion
• The data we collect (IP addresses, port numbers, service banners) represents minimal personal data with low sensitivity
• The security benefit to operators and the broader internet ecosystem is substantial, as evidenced by our research findings on validator infrastructure vulnerabilities

Operators of internet-facing infrastructure cannot reasonably expect that services intentionally exposed to the public internet will not be observed, indexed, or analysed by third parties, including security researchers and malicious actors. Our processing does not exceed such reasonable expectations.

Our opt-out mechanism constitutes the primary and practical means by which data subjects may exercise their right to object under Article 21 UK GDPR in relation to scanning activities.

3.2 Consent (Opt-Out Data)

Where you voluntarily provide contact information with an opt-out request, we process that data on the basis of consent to manage your exclusion from our scanning programme.

We use scan data for the following purposes:

• Security research: Identifying vulnerabilities and security weaknesses in publicly exposed infrastructure
• Product development: Developing and improving our autonomous defence products and services
• Aggregate analysis: Producing anonymised, aggregate research on the security posture of internet infrastructure and decentralised networks
• Operator notification: Where critical vulnerabilities are identified, contacting operators to alert them (responsible disclosure)
• Transparency: Maintaining our public scanner IP list and opt-out records

Any operator notifications are provided on an 'as-observed' basis, without warranty as to completeness, accuracy, or exploitability, and do not constitute security advice or certification.

We do not:

• Sell, rent, or trade personal data to third parties for their own purposes
• Use scan data for advertising or marketing
• Publish scan results that identify individual operators without consent
• Process scan data for any purpose incompatible with those listed above

We may share data in the following limited circumstances:

• Infrastructure providers: Our scanning infrastructure is hosted on cloud platforms (currently DigitalOcean and Google Cloud Platform). These providers process data as sub-processors under appropriate contractual terms.
• Responsible disclosure: Where we identify critical vulnerabilities, we may share relevant findings with affected operators, CERTs, or coordinating bodies consistent with responsible disclosure principles.
• Aggregate research: We may publish anonymised, aggregated findings. Such publications will not identify individual operators or specific infrastructure.
• Legal requirements: We may disclose data where required by law, regulation, legal process, or enforceable governmental request.

We retain data for the following periods:

• Scan data: 12 months from date of collection, or as necessary for ongoing research. After this period, data is either anonymised or deleted.
• Historical scanner IPs: Retained indefinitely on our transparency page as part of our commitment to openness about our scanning activities.
• Opt-out records: Retained for as long as the opt-out is in effect, to prevent inadvertent re-scanning.
• Web server logs: 90 days.

Retention periods represent maximum limits. Data may be deleted or anonymised earlier where no longer required for its stated purpose.

We implement appropriate technical and organisational measures to protect personal data, including:

• Encryption of data in transit (TLS) and at rest
• Access controls limiting data access to authorised personnel
• Database security measures including authentication, network-level access controls, and regular patching
• Monitoring and logging of access to scan data
• Regular review of security measures

Our scanning infrastructure operates across multiple cloud regions. Where scan data is processed outside the United Kingdom, we ensure appropriate safeguards are in place in accordance with UK GDPR, including:

• Standard Contractual Clauses (SCCs) with cloud infrastructure providers
• Adequacy decisions where applicable

Where required, we conduct Transfer Impact Assessments to evaluate the legal and practical risks associated with international transfers and implement supplementary safeguards as appropriate.

Under UK GDPR, you have the following rights in relation to personal data we process about you:

• Right of access (Article 15): You may request a copy of the personal data we hold about you.
• Right to rectification (Article 16): You may request correction of inaccurate personal data.
• Right to erasure (Article 17): You may request deletion of your personal data, subject to legal retention requirements.
• Right to restriction (Article 18): You may request restriction of processing in certain circumstances.
• Right to object (Article 21): You may object to processing based on legitimate interest. Our opt-out mechanism constitutes the primary and practical means of exercising this right for scanning activities.
• Right to data portability (Article 20): Where applicable, you may request your data in a structured, commonly used, machine-readable format.

To exercise any of these rights, contact us at security@nullrabbit.ai. We will respond to requests within one month of receipt, as required by UK GDPR.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

• Website: https://ico.org.uk
• Telephone: 0303 123 1113

Our scanning transparency page does not use tracking cookies, third-party analytics, or any form of cross-site tracking. We use only essential, first-party cookies necessary for the operation of the opt-out mechanism and IP lookup functionality.

Our scanning programme is directed at internet infrastructure, not individuals. We do not knowingly collect or process personal data of children under 13. If you believe we have inadvertently processed such data, please contact us immediately.

We may update this privacy policy from time to time. Material changes will be reflected in the version number and date at the top of this document. The current version is always available at https://nullrabbit.ai/scanning/privacy.