Authorization Policy
This policy governs every scan Probe runs. It binds Gated's systems and operators. It's enforceable as part of our Terms of Service. If you are the target of a Gated scan and believe it was not authorized, the last section tells you exactly what to do.
00 In one sentence
Gated will only scan a target when the person initiating the scan has proven ownership of it and has agreed, in writing, to a specific, time-limited scope.
01 What “authorization” means here
Authorization is a signed, time-limited, scope-bounded permission to scan one or more named targets. It covers: (a) which hostnames may be reached; (b) which tool namespaces, resource URIs, or endpoints may be touched; (c) which check families may run; (d) the maximum scan rate; and (e) how long the authorization lasts.
Authorization is always time-limited. The maximum lifetime for a single authorization is 72 hours, extensible only by a fresh ownership verification.
02 How ownership is verified
We support three verification methods, listed in increasing strength:
- DNS TXT. A TXT record at _gated.[domain] containing a short-lived challenge.
- HTTP token. A file served at https://[target]/.well-known/gated-challenge, bound to the authorization scope by signature.
- Signed manifest. A detached signature over the scan request, verified against a key published in your MCP server’s identity advertisement.
No scan runs without at least one of these verifications succeeding at scan time — not at account creation, not at “first scan,” every scan.
03 Out-of-scope guarantees
We will not scan any target you have not authorized, even if the target is a subdomain of one you have authorized. Authorization does not propagate. Adjacent hostnames are a separate scope.
Certain check families are never enabled without explicit opt-in: destructive writes, fuzzing of write tools, and any check that can trigger outbound requests from the target. These require an opt-in flag per-scope and a separate acknowledgment during scan initiation.
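One way the scope rules in sections 01 and 03 could be enforced before each check, added here as an illustration and not Gated's own code. The record shape, the function name and the check-family labels are hypothetical; the 72-hour limit, exact-hostname matching and the opt-in families come from the policy text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(hours=72)  # maximum lifetime stated in the policy
# Families the policy never enables without explicit opt-in.
# These identifiers are hypothetical labels for those families.
OPT_IN_FAMILIES = {"destructive_write", "write_fuzzing", "outbound_trigger"}

@dataclass(frozen=True)
class Authorization:  # hypothetical record shape
    hostnames: frozenset       # exact, lowercase hostnames in scope
    check_families: frozenset  # families the scope allows
    issued_at: datetime
    expires_at: datetime
    opted_in: frozenset = frozenset()  # per-scope opt-in flags

def deny_reason(auth, host, family, now):
    """Return None if the check is in scope, else the reason it is refused."""
    if auth.expires_at - auth.issued_at > MAX_LIFETIME:
        return "lifetime exceeds 72 hours"
    if not (auth.issued_at <= now < auth.expires_at):
        return "authorization not valid at scan time"
    # Exact match only: authorization does not propagate to subdomains.
    if host.lower().rstrip(".") not in auth.hostnames:
        return "hostname not in scope"
    if family not in auth.check_families:
        return "check family not in scope"
    if family in OPT_IN_FAMILIES and family not in auth.opted_in:
        return "check family requires explicit opt-in"
    return None

# Constructed sample authorization: 48-hour scope for a single hostname.
T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE = Authorization(
    hostnames=frozenset({"mcp.example.com"}),
    check_families=frozenset({"read", "write_fuzzing"}),
    issued_at=T0,
    expires_at=T0 + timedelta(hours=48),
)

if __name__ == "__main__":
    at = T0 + timedelta(hours=1)
    for host, family in [("mcp.example.com", "read"),
                         ("dev.mcp.example.com", "read"),
                         ("mcp.example.com", "write_fuzzing")]:
        print(host, family, deny_reason(SAMPLE, host, family, at) or "allowed")
```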
04 Rate limits
Every scan runs under a rate limit expressed in requests per second, with defaults tuned to avoid impact on production systems. The default for read checks is 25 rps; write and fuzzing checks are capped at 5 rps and, as noted above, are opt-in.
If a scan observes signs of target degradation — elevated error rates, 5xx responses, or HTTP 429 — the scanner slows automatically and may abort. Abort conditions are conservative: we would rather stop a scan early than damage a target.
05 Operator obligations
Gated operators are required, as a term of employment, to halt any scan they observe running without valid authorization, notify the target of record, and file an internal incident report. This obligation applies regardless of who requested the scan or what revenue is at stake.
06 Logging
Every scan produces an authorization record — the signed scope, the verification method, the operator or service principal that initiated it, and a hash of the check plan. We retain these records for seven years. On request, we will provide the authorization record for any scan you were the target of.
07 If you’re the target of an unauthorized scan
If you believe a scan from Gated’s infrastructure has targeted a system you own without authorization, email abuse@gated.sh. We monitor this mailbox 24/7. We will:
- Acknowledge within one hour.
- Halt all scans involving the affected target within 15 minutes of acknowledgment.
- Provide the authorization record, or the absence of one, within one business day.
- If the scan was unauthorized, deliver a full root-cause analysis within 10 business days and make you whole for any verifiable impact.
08 Change history
This policy is versioned. Every substantive change is published with a summary in our Writing log, and the prior version is archived and referenceable by URL.