Acceptable Use Policy
This Acceptable Use Policy (the “AUP”) governs what you may and may not do with Nemesis Blue and Nemesis Red. It applies to every user, regardless of tier or license. Violating it is grounds for immediate suspension or termination of your access and, where applicable, referral to law enforcement.
You are responsible for your use of our tools.
Nemesis Labs builds tools. We do not authorize, endorse, or participate in any unlawful activity by our users. If you use our tools to attack a system you do not own or have written permission to test, the responsibility is yours, not ours.
1. The core rule
You may only use Nemesis tools against systems you own, or systems you have written, signed authorization to test. That authorization must be granted by a party with legal authority to consent on behalf of the target organization (e.g. an officer, a CISO, or a bug-bounty program with the scope clearly stated). Verbal permission is not authorization.
This rule is non-negotiable. It binds you regardless of jurisdiction, regardless of the target's perceived security posture, and regardless of your motive (curiosity, research, ethical concern, public interest). If you do not have written consent for a target, do not run our tools against it.
2. Specifically prohibited uses
You may not use any Nemesis product to:
- Attack, scan, exploit, or test any system, network, or application without prior written authorization from the owner or an authorized signatory.
- Conduct, facilitate, or participate in any unauthorized intrusion, ransomware deployment, denial-of-service attack, espionage, or extortion activity.
- Develop, train, or operate malware, ransomware, spyware, or similar offensive software for unlawful purposes.
- Stalk, harass, intimidate, dox, or surveil any individual without their informed consent.
- Process or store child sexual abuse material (CSAM) or other content that is illegal under U.S. federal law or the laws of your jurisdiction.
- Circumvent export controls, including the U.S. Export Administration Regulations (EAR), the International Traffic in Arms Regulations (ITAR), or OFAC sanctions programs. Our tools are not authorized for export to, re-export to, or use by parties in U.S.-sanctioned jurisdictions (Cuba, Iran, North Korea, Syria, the Crimea, Donetsk and Luhansk regions, and others as designated by OFAC).
- Resell, redistribute, sublicense, or rebrand any Nemesis product without a written authorization from Autogon Inc.
- Reverse-engineer, disassemble, or decompile our agents or services for the purpose of producing a competing product. Security research that does not violate this clause is welcomed and governed by our security disclosure policy.
- Use our tools to mass-scan the public internet without respecting standard scanning etiquette (rate limiting, robots.txt where applicable, abuse-contact monitoring, clear identification on request).
3. Consent attestation (Nemesis Red)
Red is license-gated. As part of the license application you attest under penalty of revocation that you have written consent for every target you intend to run Red against. The hash-chained audit log retains your attestation for the lifetime of the engagement. If you falsely attest, your license is subject to immediate revocation and we may share your attestation and audit trail with law enforcement or affected parties in response to valid legal process.
Per-engagement consent documents must be retained by you for at least three (3) years. We may request proof of consent during a compliance review.
4. Reporting abuse
If you believe Nemesis tools are being used against you or an organization you represent without authorization, email [email protected] with subject line ABUSE: [your organization]. Include any indicators of compromise (IPs, user-agent strings, timestamps) and evidence of the unauthorized access. We respond within 48 hours and will suspend the offending license while we investigate.
For exigent circumstances (active intrusion, ransomware event), include “URGENT” in the subject. We will accept and process credible exigent reports outside business hours.
5. Cooperation with law enforcement
Autogon Inc. cooperates with law enforcement under valid legal process. We will not provide user data without a subpoena, warrant, court order, or equivalent authorization recognized in our jurisdiction. We will challenge requests that appear overbroad or that we believe are intended to chill lawful security research.
For Nemesis Red license applications and the associated consent attestations and audit logs: we will produce these records on receipt of a valid legal process referencing the specific license or engagement.
6. Enforcement
Violation of this AUP may result in:
- Immediate suspension of your account or license.
- Permanent termination of access without refund.
- Forfeiture of any credits, prepaid amounts, or outstanding deliverables.
- Civil action by Autogon Inc., including injunctive relief and damages.
- Referral to law enforcement, regulators, or affected parties.
We reserve the right to determine in our sole discretion whether a use violates this AUP. Where the violation is clear and the threat ongoing, we will suspend first and review with you afterward.
7. Acknowledgment
By using any Nemesis product, you acknowledge that you have read and understood this Acceptable Use Policy and agree to be bound by it. If you do not agree, do not install or use our products.
For Nemesis Red specifically, license issuance is conditional on your explicit acknowledgment of this AUP and of the per-engagement consent attestation. Falsely attesting to consent is grounds for immediate revocation and may constitute fraud under applicable law.
8. Contact
AUP questions, abuse reports, and clarification requests: [email protected].