What we scan, what tools we use, how we handle your data, and how to reach us if you find something on our end. No legal smoke screens — just plain language.
Required Before Any Scan By requesting a free scan or any paid engagement, you confirm that you own or have explicit written authorization to authorize security testing on the systems, domains, and IP addresses you provide. Unauthorized scanning is illegal. Nullgrave does not scan systems without documented owner consent.
Every Nullgrave engagement — free initial scan, one-time assessment, or ongoing retainer — requires the client to confirm authorization before scanning begins. This is non-negotiable and is captured as part of our intake process.
Specifically, by submitting a scan request you represent and warrant that:
For internal LAN scanning (available in the Operative tier), a lightweight RoboShadow agent is deployed inside your network. Installation requires the client to execute the agent on a machine they control. Nullgrave never requests credentials, remote access, or admin rights beyond what the agent setup requires.
Legal Agreements Control This page describes our general practices. Formal engagements are governed by a signed Master Services Agreement (MSA) and Authorization Letter, which contain legally binding terms. In the event of any conflict, those signed agreements take precedence.
Nullgrave believes in transparency about the tools used in every engagement. Below is a high-level disclosure of the primary platforms and software used during scanning and advisory work. Specific configurations, detection signatures, and operational methodology are kept confidential as part of normal security practice.
Cloud-managed vulnerability scanning platform. Handles both external attack surface scanning and internal LAN scanning via lightweight agent. Provides CVE correlation, asset inventory, and Cyber Heal remediation guidance.
External & InternalFindings are correlated against the MITRE CVE database and CVSS scoring system. Prioritization is based on CVSS severity, public exploit availability, and relevance to your specific environment.
Threat IntelligenceFor clients on Microsoft 365 or Azure Active Directory, MFA auditing and identity posture review is performed using Microsoft's native tooling and admin portal access provided by the client.
Operative Tier+Findings reports are produced as plain-language PDF documents. No third-party report generation platforms are used for client data. Reports are generated directly and shared via encrypted delivery.
All TiersAdditional tools may be used for specific engagements (e.g., compliance framework mapping, SSL/TLS analysis). Any tool that involves data transmission to a third-party service will be disclosed to the client prior to use.
Nullgrave is a one-engineer operation. There is no sales team, no analytics platform sharing your data, no account management layer. What you share stays between you and the engineer working your engagement.
What We Collect Scan targets (domains, IPs, hostnames), contact information you provide, scan output (findings reports, asset lists), and engagement notes. We do not collect credentials, payment card data, or personal end-user data from your systems.
HIPAA Clients For clients that are Covered Entities or Business Associates under HIPAA, we will sign a separate Business Associate Agreement (BAA) before any Protected Health Information (PHI) is processed. Contact us to initiate a BAA.
To request deletion of your data, clarify what is held, or ask any data-related question, email contact@nullgrave.com with the subject line "Data Request." We will respond within 5 business days.
If you discover a security vulnerability in nullgrave.com or any Nullgrave-operated infrastructure, please report it responsibly. We appreciate the community's role in keeping the web safer and will respond promptly to all legitimate reports.
Email contact@nullgrave.com with subject line "[Security] Responsible Disclosure." Include a description of the vulnerability, steps to reproduce, and any proof-of-concept. Do not publish or share the finding publicly before we've had a chance to respond.
We will acknowledge your report within 48 hours and provide a timeline for investigation. For critical vulnerabilities, we aim to have a fix or mitigation in place within 7 days. We'll keep you updated throughout.
We ask for a minimum 30-day embargo from your report date before public disclosure. Once the issue is resolved, we're happy to credit you publicly by name or handle if you'd like — just let us know in your report.
Good-faith security research that follows these guidelines will not result in legal action from Nullgrave. We won't pursue claims against researchers who discover and report vulnerabilities responsibly. This is a promise, not just policy.
Out of Scope Social engineering attacks, physical attacks against our infrastructure, denial-of-service testing, and automated scanning of nullgrave.com beyond what's needed to confirm the existence of a vulnerability. Keep it surgical.
This policy covers how Nullgrave LLC collects and uses information gathered through nullgrave.com and the contact form.
Full Legal Documents
• Complete Privacy Policy (standalone page with detailed disclosures)
• General Disclaimer (limitations of liability for website content)
Questions about this policy? Email contact@nullgrave.com. We'll give you a straight answer.
Transparency isn’t a legal requirement.
It’s a professional standard.