Effective date: February 28, 2026 · Greyfield Labs LLC DBA Misconfig Index · hello@misconfig.dev
1. Acceptance
By using Misconfig Index (the website at misconfig.dev, the API at api.misconfig.dev, or the misconfig-index Python package), you agree to these terms. If you don't agree, don't use the service.
2. What the service does
Misconfig Index scans Infrastructure-as-Code (IaC) files for security misconfigurations and returns a numeric score. It is a developer tool, not a substitute for a professional security audit. Scores represent the presence of specific rule violations in your code — a high score does not guarantee your infrastructure is secure.
3. Permitted use
You may use Misconfig Index to:
- Scan repositories you own or have permission to scan.
- Integrate the CLI or API into your own CI/CD pipelines.
- Self-host the open-source stack for internal use.
- Embed the public badge in your README for repos you maintain.
4. Prohibited use
You may not:
- Scan repositories that you neither own nor have explicit permission to scan.
- Attempt to circumvent rate limits, authentication, or access controls.
- Use the service to generate misleading security certifications or claims.
- Resell or white-label the hosted service without a separate agreement.
- Submit or ingest malicious, unlawful, or deceptive content via the API.
5. API keys and accounts
You are responsible for keeping your API key confidential. Do not commit it to public repositories. If you believe your key has been compromised, contact us at hello@misconfig.dev and we will revoke it.
We reserve the right to revoke API keys that are used in violation of these terms.
6. Rate limits
Free-tier usage is subject to rate limits (currently 5 Quick Scans per minute, 60 API calls per minute per IP). Exceeding these limits will result in 429 Too Many Requests responses. Systematic circumvention of rate limits may result in IP or API key suspension.
7. Open source
The Misconfig Index source code is released under the MIT License. You are free to self-host, fork, and modify the software. The MIT License governs the software; these Terms govern your use of the hosted service.
8. Disclaimer of warranties
The service is provided "as is" without warranty of any kind. We do not guarantee that the service will be uninterrupted, error-free, or that scan results will be complete or accurate. Security scanning is inherently imperfect — false positives and false negatives occur.
9. Limitation of liability
To the maximum extent permitted by law, Greyfield Labs LLC and its authors are not liable for any direct, indirect, incidental, or consequential damages arising from your use of or inability to use the service, including but not limited to security incidents that occur in infrastructure that received a high Misconfig Score.
10. Governing law
These terms are governed by the laws of the State of Texas.
11. Dispute resolution
Any dispute arising out of or relating to these terms or the service will be resolved by binding arbitration under the rules of the American Arbitration Association (AAA), conducted in Texas. Each party waives the right to bring any claim as a class action or class arbitration. Nothing in this clause prevents either party from seeking emergency injunctive relief in a court of competent jurisdiction to protect intellectual property rights or confidential information pending arbitration.
12. Changes to these terms
We may update these terms. We will post a notice on the blog and update the effective date above. Continued use after a change constitutes acceptance of the updated terms.
13. Contact
Questions about these terms? Email hello@misconfig.dev or write to Greyfield Labs LLC DBA Misconfig Index.