Vulnora Privacy Policy

Last updated: May 21, 2025

Vulnora is a defensive security auditing platform. We exist to help you find and fix vulnerabilities in your own websites and applications — not to hack, exploit, or collect your data.

TL;DR — The Short Version

  • We only scan websites YOU authorize and confirm ownership of.
  • We do NOT use AI or machine learning to process your data.
  • We do NOT store your credentials, passwords, or authentication tokens.
  • All scans use custom-built security scripts — no third-party AI services.
  • Your scan data is yours. We don't sell, share, or monetize it.
  • We tell you what's wrong and how to fix it. That's it.
  • Vulnora uses proprietary security scanning technology.

1. What Vulnora Does

Vulnora is a defensive security auditing platform designed exclusively for authorized vulnerability assessment. Our platform scans websites, web applications, APIs, ERP systems, CRM platforms, and software projects to identify security weaknesses, misconfigurations, and vulnerabilities.

We do not hack anything. Vulnora performs security checks similar to what a professional penetration tester would do during an authorized assessment. Every scan requires explicit ownership confirmation before execution.

Our platform provides:

  • Security header analysis (CSP, HSTS, X-Frame-Options, etc.)
  • SSL/TLS certificate validation and cipher strength testing
  • Sensitive file exposure detection (.env, .git, backups, configs)
  • SQL injection, XSS, and CSRF vulnerability detection
  • API security auditing (authentication, rate limiting, IDOR)
  • Performance and accessibility analysis
  • SEO audit and crawl analysis
  • Payment gateway security verification
  • Session management and cookie security testing
  • CORS policy and clickjacking protection verification
  • Admin panel and sensitive endpoint discovery
  • Subdomain takeover detection
  • And 60+ additional security checks across all categories

The purpose is simple: find vulnerabilities so you can fix them before attackers do.

2. No AI — All Custom Scripts

Vulnora does NOT use artificial intelligence, machine learning, or any AI-based services to analyze your websites or data.

Every single security check is performed by our custom-built scanner scripts. These are deterministic, proprietary security modules that follow well-established vulnerability testing methodologies (OWASP Top 10, SANS CWE Top 25, NIST guidelines).

This means:

  • Your data is NEVER sent to OpenAI, Google, Microsoft, or any AI provider
  • No large language models process your scan results
  • No machine learning models are trained on your data
  • All vulnerability detection is rule-based and deterministic
  • You get the same results every time for the same input
  • No "black box" AI decisions — every finding has a clear technical explanation

Our scanner packages are built with transparency in mind. All vulnerability detection is rule-based and deterministic.

3. What Data We Collect

We collect the absolute minimum data required to perform security scans:

Data | Purpose | Stored?
Website URL | Target for scanning | Yes (scan record)
Scan results & findings | Show you vulnerabilities | Yes (your account)
Scan type & options | Configure scanner modules | Yes (scan record)
Ownership confirmation | Legal authorization | Yes (boolean flag)
Passwords / credentials | NEVER collected
Personal information | NEVER collected
Payment details | NEVER collected
Cookies / session tokens | NEVER stored

4. How Your Data Is Protected

Your scan data is protected with industry-standard security measures:

  • Encryption in transit: All communication uses HTTPS/TLS 1.3
  • Encryption at rest: Scan data stored in Supabase with AES-256 encryption
  • Access control: Only you can access your scan results (Row Level Security)
  • No third-party sharing: Your data is never sold, shared, or transferred to any third party
  • No analytics tracking: We don't use Google Analytics, Facebook Pixel, or any tracking scripts
  • No advertising: We don't serve ads or use your data for advertising purposes
  • Serverless architecture: Scan data exists only during execution and in your persistent storage
  • Proprietary technology: Built with security-first architecture

5. Data Retention & Deletion

We believe in minimal data retention:

  • Scan results: Stored until you delete them or delete your account
  • In-memory data: Cleared when the serverless function instance terminates (typically within minutes)
  • No backups of your data: When you delete a scan, it's permanently gone
  • No data mining: We never analyze your scan results for our own purposes
  • Right to deletion: You can delete all your data at any time from the Settings page

We do NOT retain any data from the websites you scan. The scanner makes HTTP requests to your target, analyzes the responses in real-time, generates findings, and discards the raw response data immediately. Only the structured vulnerability report is saved.

6. Authorized Use Only

Vulnora is designed exclusively for authorized security testing. By using our platform, you confirm that:

  • You own the website/application being scanned, OR
  • You have explicit written authorization from the owner to perform security testing
  • You understand that scanning without authorization may violate laws in your jurisdiction
  • You accept full responsibility for ensuring you have proper authorization

Every scan requires you to check the "I confirm I have authorization to scan this URL" checkbox. This is not just a formality — it's a legal requirement. Unauthorized scanning of websites you don't own may violate the Computer Fraud and Abuse Act (CFAA), the Computer Misuse Act, or equivalent laws in your country.

⚠️ Important Legal Notice

Vulnora is a tool for defensive security. Using it to scan websites without authorization is illegal and unethical. We log scan requests and may cooperate with law enforcement if our platform is used for unauthorized access attempts. Always get written permission before scanning any system you don't own.

7. How Our Scanners Work

For full transparency, here's exactly what our scanners do when you initiate a scan:

Passive Checks (Default — Safe)

These checks only analyze publicly available information and HTTP responses:

  • Send standard HTTP GET/HEAD requests (same as a web browser)
  • Analyze response headers for security misconfigurations
  • Check SSL/TLS certificate validity and configuration
  • Look for common sensitive file paths (e.g., /.env, /.git/config)
  • Analyze HTML for SEO, accessibility, and security issues
  • Check DNS records for subdomain takeover risks
  • Measure performance metrics (response time, payload size)

Active Probes (Opt-in — Sends Test Payloads)

These checks send specially crafted requests to test for vulnerabilities:

  • SQL injection test payloads in URL parameters (harmless detection strings)
  • XSS test vectors that check if input is reflected without sanitization
  • CORS origin manipulation to test access control policies
  • Open redirect parameter testing
  • API endpoint discovery and authentication testing
  • JWT token manipulation (none algorithm, expired tokens)

Active probes are disabled by default. They send test payloads but never attempt to actually exploit vulnerabilities or extract real data.

Destructive Mode (Opt-in — Aggressive Testing)

These are aggressive penetration testing techniques that may cause side effects:

  • Time-based blind SQL injection (may cause brief slowdowns)
  • UNION-based SQL injection attempts
  • OS command injection testing
  • Race condition testing (concurrent requests)
  • DDoS resilience testing (burst requests)

Destructive mode is disabled by default and requires explicit opt-in. Only use this on systems you fully control in a testing/staging environment.

8. What We Do NOT Do

To be absolutely clear about what Vulnora does NOT do:

❌ We do NOT:

  • Hack or exploit your systems
  • Store your passwords or credentials
  • Access your databases or internal systems
  • Install malware or backdoors
  • Sell your data to third parties
  • Use AI to process your information
  • Track your browsing behavior
  • Share findings with anyone but you
  • Retain raw response data from your sites
  • Perform scans without your explicit consent

✅ We DO:

  • Find vulnerabilities in YOUR authorized targets
  • Explain each vulnerability clearly
  • Provide specific remediation steps
  • Rate severity (Critical/High/Medium/Low)
  • Give you an overall security score
  • Let you compare multiple sites
  • Generate PDF reports for your team
  • Rank your security posture
  • Help you improve over time
  • Keep everything 100% transparent

9. Transparency

Vulnora is built with transparency in mind. Every scanner module and security check follows well-established vulnerability testing methodologies:

  • Methodology: OWASP Top 10, SANS CWE Top 25, NIST guidelines
  • Scanner modules: Custom-built proprietary security scanners
  • API: RESTful API for programmatic access
  • License: Proprietary — all rights reserved

If you have concerns about what our scanners do, contact our support team for detailed documentation.

10. Cookies & Local Storage

Vulnora uses minimal browser storage:

  • Session storage: Temporarily stores scan data for the current browser session (cleared when you close the tab)
  • Authentication cookie: A secure, HttpOnly session cookie for login (if you create an account)
  • No tracking cookies: We don't use any analytics or advertising cookies
  • No fingerprinting: We don't collect browser fingerprints or device information

11. Your Rights

You have the following rights regarding your data:

  • Right to access: View all your scan data at any time from the dashboard
  • Right to deletion: Delete any or all scan records permanently
  • Right to export: Download your scan results as PDF reports
  • Right to restrict: Choose which scan modules to enable/disable
  • Right to transparency: Full source code available for inspection
  • Right to withdraw: Stop using the platform at any time — your data will be deleted

12. Changes to This Policy

If we make changes to this privacy policy, we will update the "Last updated" date at the top of this page. For significant changes, we will provide a prominent notice on the platform. All changes to this policy will be communicated to users.

13. Contact

If you have questions about this privacy policy or how your data is handled, you can:

  • Contact us via email at support@vulnora.com
  • Use the in-app support feature

Your Security Is Our Mission

Vulnora exists to make the internet safer. We find vulnerabilities so you can fix them. No AI. No data selling. No tracking. Just honest, transparent security auditing.
