Terms of Service
Internet Scanning Programme - Version 1.1 - February 2026
1. About This Document
These terms describe the Internet Scanning Programme operated by NullRabbit Ltd (company number 16865774, registered in England and Wales) ("we", "us", "our", or "NullRabbit").
These terms do not create a contract between NullRabbit and scanned operators. They are published for transparency and informational purposes only. No contractual relationship, duty of care, or obligation arises between NullRabbit and any operator whose infrastructure is observed by our scanning programme.
This document is intended for operators, system administrators, and security teams whose publicly accessible infrastructure may be observed by our scanning systems. It explains what we do, how we do it, the legal basis on which we operate, and your rights in relation to our activities.
These terms should be read in conjunction with our Scanning Privacy Policy, which details how we process personal data collected during scanning operations.
2. Nature of Scanning Activities
2.1 What We Do
NullRabbit conducts non-exploitative, non-intrusive network interaction limited to standard protocol handshakes and request-response behaviour required to observe publicly exposed service metadata. Our scanning programme identifies open ports, service banners, TLS configurations, protocol-level metadata, and other information that is freely available to any internet-connected system.
This activity is comparable to, and consistent with, programmes operated by established internet measurement and security research organisations operating globally.
2.2 What We Do Not Do
Our scanning programme does not:
- Attempt to exploit any vulnerability or gain unauthorised access to any system
- Access, modify, copy, or exfiltrate any data stored on scanned systems
- Perform denial-of-service testing or any activity designed to disrupt services
- Attempt to brute-force credentials, authentication mechanisms, or access controls
- Scan private, internal, or non-publicly-routable networks
- Exceed connection rates that would reasonably be expected to cause service degradation
- Inject, upload, or transmit any code or payload to scanned systems
- Intercept, monitor, or capture the content of communications in transit
2.3 Legal Basis for Scanning
Our scanning activities observe only information that is publicly exposed on the internet and freely accessible to any connecting system. We do not circumvent, bypass, or overcome any access control mechanism, security measure, or technical barrier.
Based on current legal interpretation, our activities are not intended to, and we reasonably believe do not, constitute unauthorised access under Section 1 of the Computer Misuse Act 1990, as we do not cause a computer to perform any function to secure access to any program or data held in any computer where that access is unauthorised. We observe publicly available service responses in the same manner as any legitimate internet client. We do not modify, impair, or obstruct the operation of any computer system (Section 3).
Our scanning activities are consistent with the principles of legitimate security research as recognised by the National Cyber Security Centre (NCSC) and with the standard practices of the internet measurement and security research community.
3. Scanning Infrastructure
3.1 Identification
All scanning is conducted from identified IP addresses. We maintain a current list of active scanner IPs at:
- Web: https://nullrabbit.ai/scanning/ips
- API: https://nullrabbit.ai/api/v1/scanners
- DNS TXT record: A TXT record on nullrabbit.ai identifies our scanning programme and links to this policy
We update these records in real time as our scanning infrastructure changes.
3.2 Infrastructure Providers
Our scanning infrastructure is hosted across multiple cloud providers, currently including DigitalOcean and Google Cloud Platform. IP addresses are allocated by these providers and may change as our infrastructure rotates. The authoritative record of current and historical scanner IPs is maintained at the URLs above and in our database.
4. Your Rights
4.1 Opt-Out
You have the right to request exclusion from our scanning programme at any time. To opt out, email security@nullrabbit.ai with the IP addresses or CIDR ranges you would like excluded.
Opt-out requests are processed as soon as reasonably practicable, typically within 24 hours of receipt. No account or registration is required.
Upon processing an opt-out request, we will add the specified addresses to our exclusion list and cease scanning those addresses. We will confirm processing via email if a contact address is provided.
4.2 Firewall Blocking
You are free to block our scanner IP addresses at your firewall or network perimeter at any time. Our IP list is provided specifically to facilitate this. We recommend also submitting an opt-out request so that we do not waste resources attempting to scan blocked addresses.
4.3 Request Findings
If you would like to know what our scans detected about your infrastructure, you may contact us at security@nullrabbit.ai. We will share findings with verified operators upon reasonable confirmation of authority over the relevant infrastructure.
We reserve the right to determine, acting reasonably, what constitutes sufficient verification of authority over the infrastructure in question.
4.4 Data Subject Rights
To the extent that our scanning activities process your personal data (including IP addresses), you have rights under UK GDPR as detailed in our Scanning Privacy Policy, including the right of access, rectification, erasure, restriction, and objection.
5. Data Handling
Scan results (including open ports, service versions, TLS metadata, and protocol-level observations) are stored in our secure infrastructure for the purposes described in our Scanning Privacy Policy.
We do not:
- Store any private data, credentials, authentication tokens, or payload content
- Sell, rent, or trade scan data to third parties for their own purposes
- Publish individual scan results that identify specific operators without consent
We may publish aggregated, anonymised research findings derived from scan data. Such publications will not identify individual operators or specific infrastructure without explicit permission.
6. Responsible Disclosure
Where our scanning identifies critical vulnerabilities that pose an immediate risk to operators or their users, we may attempt to notify affected operators through reasonable channels.
Any operator notifications are provided on an 'as-observed' basis, without warranty as to completeness, accuracy, or exploitability, and do not constitute security advice or certification.
Nothing in this section creates an obligation to monitor, re-scan, follow up, or provide ongoing security assessment. Notification is provided in good faith as a courtesy and does not create any obligation, warranty, or duty of care.
We follow coordinated disclosure principles consistent with NCSC guidance and industry best practice.
7. Limitation of Liability
Our scanning activities are conducted for research, measurement, and defensive security purposes and are not provided as a commercial security service to scanned operators.
Our scanning activities observe publicly available information using standard internet protocols at connection rates designed not to cause service disruption. However:
- We do not warrant that our scanning activities will not interact with your systems in unexpected ways, particularly where non-standard or misconfigured services are present.
- We do not accept liability for any loss, damage, or disruption arising from our scanning activities, except to the extent that such liability cannot be excluded or limited by law.
- Nothing in these terms excludes or limits our liability for death or personal injury caused by our negligence, fraud or fraudulent misrepresentation, or any other liability that cannot be excluded or limited by English law.
Nothing in these terms or in any communications arising from the scanning programme constitutes professional advice on which operators should rely.
8. Complaints
If you believe our scanning activities have caused disruption to your systems or you wish to raise a concern, email security@nullrabbit.ai.
We aim to acknowledge complaints within 2 business days and provide a substantive response within 10 business days.
9. Governing Law
These terms are governed by and construed in accordance with the laws of England and Wales. Any disputes arising from or in connection with our scanning activities shall be subject to the exclusive jurisdiction of the courts of England and Wales.
10. Changes to These Terms
We may update these terms from time to time. Material changes will be reflected in the version number and date at the top of this document. The current version is always available at https://nullrabbit.ai/scanning/terms.
