Terms of Service
1. Acceptance
By using VIR (web UI or API) you accept these terms and the Privacy Policy. The service is operated by lbreeze limited, a UK-registered company.
2. AS-IS, no warranty
All vulnerability data, mitigations, predictions, and risk scores are provided AS-IS for prioritisation use. lbreeze limited makes no warranty of correctness, completeness, fitness for purpose, or freshness. You are responsible for verifying every advisory before applying it in production.
3. Tier labelling
Every mitigation in VIR carries an explicit source_tier label: vendor (direct from the affected vendor's PSIRT), lbreeze (curated by our team), or community-verified (authored by a community contributor, AI-scored and human-co-signed). Consumers are responsible for their own deployment policy per tier — e.g. auto-apply vendor-tier, require human review for community-verified.
4. API usage
Public endpoints (/api/cve/<id>, /healthz, /sources, /sitemap.xml) are unmetered for reasonable use. Authenticated endpoints are subject to your bearer-token scope and rate limit. Scraping the explorer UI to evade API rate limits is not permitted.
5. Mesh + redistribution
Downstream mesh nodes and redistributors must preserve source_tier, signatures, and references in the data they emit. Stripping signatures or relabelling tiers downstream voids any liability indemnification.
6. Community contributions
Community-authored mitigations are licensed CC-BY-SA 4.0 by their authors at submission time. lbreeze limited has a perpetual licence to redistribute them as part of VIR. Contributors warrant the content is theirs to share.
7. Retraction + objection
Community-verified mitigations open with a 7-day silent objection window before becoming permanent. Vendors, original authors, and lbreeze staff may trigger retraction at any time — webhook fans out to subscribers (mesh nodes, mitigation API consumers) for invalidation.
8. Acceptable use
No weaponised exploit publication via the disclosure flow without coordinated disclosure with the affected vendor. No data scraping for bulk resale outside agreed API tiers. No use of the platform to coordinate attacks.
9. Indemnification
You indemnify lbreeze limited and its affiliates against claims arising from your use of the data, including downstream redistribution and any operational outcomes from applying mitigations sourced via VIR.
10. Governing law
England & Wales. EU + US residents may have additional statutory rights; counsel-supplied addenda apply where relevant.
11. Changes
Material changes announced 14 days in advance via /healthz response banner + API token holder email.
Operator: lbreeze limited · Contact: legal@secfolk.com