Rules of Engagement

APISamurai API Vulnerability Scanning Service


Effective Date: July 9, 2025

This document outlines the terms, conditions, and procedures for the API vulnerability scanning service, APISamurai, provided by Ikusa Cybersecurity (hereinafter “Ikusa Cybersecurity,” “We,” “Us,” or “Our”). By utilizing Our APISamurai service, you (“Client” or “You”) explicitly agree to these Rules of Engagement. It is crucial that you read and understand this document thoroughly before providing any information or initiating a scan with APISamurai.


1. APISamurai Service Overview and Purpose

Our APISamurai service provides automated security vulnerability scanning and penetration testing of your Application Programming Interfaces (APIs). The primary purpose of this service is to identify potential security weaknesses and vulnerabilities within your API infrastructure, helping you to enhance your overall API security posture through the capabilities of APISamurai.


2. Scope of Engagement

2.1. In-Scope Assets:

        • Only the API(s) for which You provide a valid OpenAPI (formerly Swagger) Specification and explicit authorization will be scanned by APISamurai.

        • Only the specific endpoints and functionalities described within the provided OpenAPI Specification will be targeted by APISamurai.

2.2. Out-of-Scope Assets:

        • Any APIs, systems, or infrastructure not explicitly provided to Us via the OpenAPI Specification and for which specific authorization has not been granted are strictly out-of-scope for APISamurai’s activities.

        • We will not engage in any activities that target your other IT infrastructure, websites, or applications unless explicitly agreed upon in a separate, written agreement.

2.3. Testing Methodology of APISamurai:

        • APISamurai’s testing approach will primarily focus on identifying and validating authorization vulnerabilities (e.g., Broken Object Level Authorization (BOLA), Broken Function Level Authorization (BFLA), Broken Object Property Level Authorization (BOPLA)), and other common API vulnerabilities such as Server-Side Request Forgery (SSRF).

        • We will use the provided authentication details to simulate legitimate user access and attempt to identify and exploit vulnerabilities using only the provided test user accounts.

        • APISamurai may attempt to modify or delete data associated with the provided test users to validate vulnerabilities.

        • If necessary for comprehensive testing, APISamurai may attempt to create new test users within the API, using the provided credentials as a base. Any such newly created users will be clearly identified in the report.


3. Client Responsibilities and Authorization

3.1. Explicit Authorization:

        • You represent and warrant that You are the legal owner or have explicit, written authorization from the legal owner of the API(s) to be scanned by APISamurai.

        • You explicitly authorize Ikusa Cybersecurity to perform vulnerability scanning and simulated exploitation activities as described in Section 2 on your designated API(s) using the APISamurai platform.

        • You understand and accept that these activities, while designed to be non-disruptive, carry an inherent risk of minor service interruption or unexpected behavior, particularly in a live production environment. You agree to assume this risk. We strongly recommend testing on non-production environments where feasible.

3.2. Provision of Information:

        • You agree to provide a complete and accurate OpenAPI Specification for the API(s) to be scanned by APISamurai.

        • You agree to provide authentication details for at least two (2) distinct test user accounts, including but not limited to: usernames and passwords, API tokens, or other relevant authentication credentials.

        • Crucial: We strongly recommend that You create temporary, low-privilege test accounts specifically for this engagement. These accounts should have the minimum necessary permissions to allow for the intended vulnerability testing by APISamurai. You should revoke or change these credentials immediately after the scan is complete and the report has been delivered.

        • You understand that failure to provide accurate or sufficient details may limit the scope and effectiveness of the APISamurai scan.

3.3. Contact Person:

        • You must designate a technical contact person who is available to communicate with our Ikusa Cybersecurity team during the APISamurai scanning period, especially in case of an unforeseen issue or critical finding.


4. Data Handling and Confidentiality (GDPR Compliant)

4.1. Collection of Personal Data:

        • To perform the APISamurai service, We will collect the OpenAPI Specification and the authentication details (e.g., usernames, passwords, tokens) provided by You.

        • You acknowledge that these authentication details may constitute “personal data” under the General Data Protection Regulation (GDPR) if they directly or indirectly identify natural persons (e.g., specific user accounts).

        • Our lawful basis for processing this data is the fulfillment of our contract with You (for the APISamurai service) and your explicit consent for the penetration testing activities.

4.2. Purpose Limitation:

        • The collected OpenAPI Specification and authentication details will be used solely for the purpose of conducting the authorized API vulnerability scan via APISamurai and generating the related security report.

        • We will not use this data for any other purpose, including marketing, re-identification, or sharing with third parties, without your explicit, separate consent or a legal obligation.

4.3. Data Security and Storage by Ikusa Cybersecurity:

        • We, Ikusa Cybersecurity, commit to implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing your data, in accordance with Article 32 of the GDPR.

        • This includes, but is not limited to:

            • Encryption: All sensitive data (OpenAPI specs, authentication details) will be encrypted both in transit (using TLS/HTTPS) and at rest (using industry-standard encryption).

            • Access Control: Access to your data will be strictly limited to authorized Ikusa Cybersecurity personnel who require it to perform the APISamurai scanning service.

            • Secure Storage: Authentication details will be stored securely and separately from the OpenAPI Specification for the duration necessary to complete the scan and generate the initial report.

            • Data Minimization: We will only collect the data necessary for the stated purpose.

4.4. Data Retention:

        • OpenAPI Specifications and authentication details will be retained for a maximum of 90 days after the completion of the scan and delivery of the initial report, unless a longer retention period is explicitly agreed upon in writing (e.g., for ongoing monitoring in a paid plan).

        • Upon expiration of the retention period, all authentication details and OpenAPI Specifications will be securely and permanently deleted from Our systems.

4.5. Your Data Subject Rights (under GDPR):

        • As the Data Controller, You confirm that You have a lawful basis to share any personal data with Us.

        • You retain all rights regarding your data under GDPR. You have the right to request access to, rectification of, erasure of (“right to be forgotten”), restriction of processing concerning, or portability of the personal data you provide. Requests for such actions should be sent to info@ikusa.tech.


5. Reporting of Findings by APISamurai

5.1. Initial Report (Free Tier):

        • Upon completion of the APISamurai scan, We will provide You with a summary of the results. This summary will include a subset of the identified vulnerabilities, demonstrating the value and capabilities of our APISamurai service. This subset will be sufficient to give you an overview of critical findings without disclosing all details.

5.2. Full Report (Paid Plan):

        • To obtain a complete and detailed report from APISamurai, including all identified vulnerabilities, their severity, detailed proof-of-concept steps, and remediation recommendations, You will need to subscribe to our paid plan.

        • The full report will be delivered via a secure, encrypted channel or a dedicated secure portal.


6. Limitations of APISamurai Service

6.1. No Guarantee of Absolute Security:

        • While APISamurai aims to identify common and critical API vulnerabilities, it does not guarantee the absence of all vulnerabilities or complete immunity from future attacks. Security is an ongoing process.

        • Our automated approach means that some complex business-logic flaws or highly nuanced vulnerabilities might not be detected. A full, manual penetration test by human experts may be required for deeper analysis.

6.2. No Liability for Pre-Existing Conditions or Client Actions:

        • We are not responsible for any pre-existing vulnerabilities, misconfigurations, or security weaknesses in your API or infrastructure.

        • We are not liable for any damages or disruptions caused by your failure to adhere to these Rules of Engagement, including but not limited to providing incorrect or unauthorized API access, or testing on critical production systems without adequate backup or preparation.


7. Consent and Agreement

By clicking “I Agree,” or by submitting your OpenAPI Specification and authentication details, you acknowledge that you have read, understood, and explicitly consent to these Rules of Engagement for the APISamurai service, including:

    • Granting Ikusa Cybersecurity permission to perform vulnerability scanning and exploitation activities on your designated API(s) via APISamurai as described herein.

    • Understanding and accepting the associated risks.

    • Agreeing to the terms of data collection, processing, security, and retention by Ikusa Cybersecurity.
