Terms of Service
Effective: July 13, 2026
These terms govern each YNM3000 web application penetration-testing order. By paying through Stripe, you agree to these terms and represent that the information you provide is accurate.
1. Order and manual acceptance
The USD $300 charge is a one-time payment for the stated package. Payment submits an order; it does not automatically authorize testing or start the delivery period. We review complete order information within one business day and accept the engagement by email. We may decline and fully refund an order that cannot be safely authorized, scoped, scheduled, or delivered within current capacity.
2. Authorized target
You must own the target or hold current written permission from its owner to authorize the exact testing described in the confirmed Rules of Engagement. We may require domain-email, DNS or HTML verification, or an authorization letter. You may not order testing of a competitor, unrelated third party, shared hosting neighbor, vendor asset, or any system outside your authority.
3. Included scope
The package covers one primary web application hostname, its same-origin pages and same-origin APIs, unauthenticated testing, and optionally one customer-created test account. It includes one English or Chinese PDF report and one verification pass within 14 calendar days for fixes to Critical and High findings in the original report.
4. Excluded activity
Additional hostnames, independently hosted APIs, mobile applications, source-code review, cloud accounts, and internal networks are excluded unless separately agreed. Denial of service, social engineering, password spraying, credential stuffing, persistence, lateral movement, destructive payloads, bulk data extraction, and testing outside the confirmed window are prohibited.
5. Safety and cooperation
You must identify production sensitivity, excluded paths, an emergency contact, and a stop-testing contact. We may pause or stop immediately if scope, authorization, ownership, service health, or unintended data access becomes uncertain. You are responsible for current backups, monitoring, and restoring your systems. Material target changes, outages, missing access, or delayed customer responses pause the delivery clock for the corresponding delay.
6. Delivery commitment
The three-business-day period begins only when we email acceptance after confirming payment, authorization, scope, test window, emergency contact, and any optional account details. Delivery is the protected report sent or made available to the purchaser's confirmed email. Weekends and United States federal holidays are not business days.
7. Findings and retest
The report documents the confirmed scope, methods, findings, evidence, risk reasoning, remediation, and limitations. The included retest covers one consolidated submission of fixes for original Critical and High findings received within 14 calendar days. New targets, features, attack paths, or repeated retests require a new order.
8. Refunds and cancellation
We provide a full refund when we decline an order, cannot validate authorization, exceed available capacity, or miss the delivery commitment for reasons within our control. You may cancel for a full refund before testing starts. If required information remains incomplete for seven calendar days, we may close and refund the order. After testing starts, payments are non-refundable except for a missed delivery commitment or where required by law.
9. No guarantee or certification
Security testing is time-bound and cannot guarantee discovery of every vulnerability or future security. A report with no Critical or High finding is not a warranty that the target is secure. YNM3000 is not an OWASP certification, compliance audit, attestation, legal opinion, or substitute for continuous security engineering.
10. Confidentiality and credentials
We treat non-public scope, findings, and reports as confidential and use them only to deliver the engagement, protect the service, and meet legal obligations. Do not put passwords, API keys, tokens, private data, or secrets in Stripe fields, URLs, or ordinary website forms. Optional credentials are arranged after acceptance and must be temporary and least-privileged.
11. Liability
To the maximum extent permitted by law, the service is provided as a professional, time-limited assessment without warranties of merchantability, fitness, or uninterrupted operation. OpAgent Inc.'s aggregate liability arising from an engagement is limited to the amount you paid for that engagement. Neither party is liable for indirect, incidental, special, or consequential damages. These limits do not apply where prohibited by law.
12. Governing law and contact
These terms are governed by the laws of Colorado, United States, without regard to conflict-of-law rules. Questions, authorization records, stop-testing notices, cancellation, and refund requests must be sent to support@ynm3000.com.