Responsible Usage Guide
Effective 2026-05-18.
Hackers Agent is built for the security-research community. The rules in our Acceptable Use Policy define what is forbidden. This guide describes the higher standard we expect from professional users — the principles that separate ethical security research from abuse.
1. The four principles
1.1 Authorization first, always
Never test systems without explicit, written authorization from the owner. “Public-facing” is not authorization. “I'm a security researcher” is not authorization. The only legitimate authorizations are:
- you own the system (production, staging, lab — you own it);
- a signed engagement letter / SOW / pentest agreement from an owner who has authority to grant you scope;
- a published bug-bounty or vulnerability-disclosure program whose written scope explicitly covers the asset and the technique you are using;
- a CFAA-equivalent good-faith research exception in your jurisdiction — documented in advance, ideally with counsel.
If you cannot point to one of those, do not run the test. Keep authorization documents on hand; we may ask to see them.
1.2 Responsible disclosure
When you find a vulnerability in someone else's system:
- notify the affected organization through their published security contact (or via a coordinator like CERT/CC, MITRE, or a national CSIRT if no contact is published);
- give the organization a reasonable remediation window — 90 days is the industry norm for non-critical issues; faster for actively exploited critical issues; longer with mutual agreement;
- do not publish, demo, or weaponize the vulnerability until the window expires or a fix ships;
- do not extract or retain more user data than the minimum needed to demonstrate the issue, and securely destroy any extracted data once disclosed.
1.3 Minimize impact
Even with authorization, restraint matters:
- favor read-only / non-destructive techniques over write / DoS;
- rate-limit yourself; do not run mass scanners against shared infrastructure or third-party APIs the target depends on;
- notify the target's on-call before noisy testing windows;
- when the Dark Web TI Agent surfaces a real victim's data dump, do NOT download or redistribute — surface the existence to the victim organization via their security contact and let them coordinate with law enforcement.
1.4 Professional standards
- treat every finding as confidential to the engagement until publicly disclosed;
- attribute sources and prior work; cite the CVE / MITRE / CAPEC / CWE entry that maps to your finding;
- maintain a professional, factual tone in client deliverables — the AI may produce sensationalist phrasing; edit it out;
- continuously train (industry certifications, conference talks, peer review, CTFs) — AI augments your judgment; it does not replace it.
2. Workflow guidance by context
Penetration testing
- Keep your engagement letter / SOW within reach — document the scope, the rules of engagement, and the in-scope target list before invoking any agent.
- Use Hackers Agent for synthesis (Finding Report, threat-actor attribution) and for surfacing IOCs (Dark Web TI). Manual exploitation belongs to you.
- Export your final report (Profile → Export) for inclusion in your deliverable — never paste raw AI output without review.
Academic / independent research
- Use the platform with the same authorization rigor as a commercial engagement. Academic affiliation does not grant access to non-consenting systems.
- Coordinate with your IRB / ethics board if your research involves human-subject data, even indirectly.
CTF and lab work
- CTF and intentionally-vulnerable labs (HackTheBox, TryHackMe, PortSwigger Web Security Academy, your own Vulnhub VM) are fair game.
- Hackers Agent is not designed to give CTF-flag answers directly; it is designed to teach methodology. Use it that way.
Threat-intel / defensive monitoring
- Use the Dark Web TI Agent to monitor for mentions of YOUR organization, YOUR brand, or YOUR sector. Set up recurring searches on the leak-site indexes the agent crawls.
- When surfaced data implicates a third-party victim, route the intel to that victim through proper channels — not via public posting.
3. Legal framework awareness
You should be conversant with the laws of every jurisdiction in which you operate. Common touchpoints:
- United States: Computer Fraud and Abuse Act (CFAA, 18 USC § 1030), Digital Millennium Copyright Act (DMCA), Stored Communications Act, state computer-crime statutes.
- United Kingdom: Computer Misuse Act 1990, Investigatory Powers Act.
- European Union: NIS2 Directive, GDPR (data minimization, breach reporting), Cyber Resilience Act.
- Anywhere: data-protection law applies the moment you touch user data, even in a test environment.
4. Community standards
We expect users to contribute back to the security community where appropriate: publish your fixed issues (with the affected org's consent), share IOCs with industry ISACs, mentor newer researchers, and report platform abuse you observe at abuse@hackersagent.com.
Acting within these principles protects you, protects the people whose systems and data you encounter, and protects the long-term viability of independent security research as a discipline.