Terms of Service

Last updated: 2026-04-29 · Effective: 2026-04-29

These Terms govern your access to and use of RealExploit (the "Service"), operated under the trade name "Keystone Labs" (referred to as "Keystone Labs", "we", "us", or "our" throughout these Terms). Keystone Labs is a sole proprietorship; specific operator details are available upon written request to [email protected] for legitimate legal purposes.

1. Acceptance of Terms

By creating an account, accessing the API, or otherwise using the Service, you represent that you are at least 18 years of age and agree to be bound by these Terms. If you are using the Service on behalf of an organization, you represent that you have authority to bind that organization, and "you" refers to that organization.

2. Description of Service

RealExploit aggregates publicly available threat-intelligence signals — including but not limited to the CISA Known Exploited Vulnerabilities (KEV) catalog, the NIST National Vulnerability Database (NVD), FIRST.org Exploit Prediction Scoring System (EPSS) scores, ExploitDB, the Metasploit Framework, ProjectDiscovery's Nuclei templates, and curated GitHub proof-of-concept indexes — and produces a single deterministic verdict per CVE for use in vulnerability prioritization workflows.

The Service is an informational data-aggregation product. It is not a security advisor, a penetration-testing tool, a vulnerability scanner, or a substitute for professional security consulting. Verdicts do not constitute investment, legal, or compliance advice.

3. Account Registration

You must provide accurate, current, and complete information during registration and keep it up to date. You are responsible for maintaining the confidentiality of your password, API keys, and session tokens, and for all activity that occurs under your account. Account credentials may not be shared with any third party. Notify us at [email protected] immediately upon any suspected unauthorized access.

4. Acceptable Use Policy

Your use of the Service must comply with this Acceptable Use Policy and with the Paddle Acceptable Use Policy, which applies to all transactions processed through Paddle as Merchant of Record.

Permitted uses:

• Defensive vulnerability management and patch prioritization for systems you own or operate.
• Authorized security research and red-team assessments where you have explicit written authorization to test the target systems.
• Internal scanning, asset inventory, and risk reporting within your organization.
• Integration with SIEMs, ticketing systems, and SOAR platforms for legitimate security operations.

Prohibited uses. You must not, and must not permit any third party to:

• Resell, sublicense, or redistribute the Service's output, in whole or in part, without our prior written consent.
• Scrape, mirror, or otherwise systematically extract data from the Service beyond reasonable use of the documented API endpoints and within your tier's published quotas.
• Use the Service to weaponize CVE data against systems you do not own or do not have explicit written authorization to test.
• Reverse engineer, decompile, or attempt to derive the source code or scoring algorithm of the Service, except to the extent expressly permitted by applicable law notwithstanding this restriction.
• Use Service outputs to train, fine-tune, or otherwise build machine-learning models without an explicit written license from us.
• Engage in any activity that violates applicable law in any jurisdiction relevant to you, the target systems, or our infrastructure.
• Share, publish, or transfer API keys to any third party. API keys are personal to the issuing account.
• Interfere with or disrupt the integrity or performance of the Service, including by transmitting malware, conducting denial-of-service attacks, or attempting to bypass rate limits.

We may suspend or terminate accounts engaged in any prohibited activity, with or without prior notice, and may report illegal activity to competent authorities.

5. Subscription Tiers and Billing

The Service is offered on the following plans, with feature details on the Pricing page:

• Community — free, web-console only, limited weekly quota.
• Pro — USD $99/month, single seat, full API access.
• Team — USD $399/month, up to 5 seats with shared monthly quota.
• Enterprise — USD $599/month, up to 15 seats with shared monthly quota.

Payments are processed by Paddle.com Market Limited, acting as Merchant of Record. By purchasing a paid plan, you also accept Paddle's Buyer Terms. Tax invoices and receipts are issued through Paddle on our behalf, and Paddle is responsible for collection and remittance of applicable taxes (VAT, GST, sales tax) in your jurisdiction.

Paid plans auto-renew at the end of each monthly billing cycle unless cancelled. You may cancel at any time from your account settings; cancellation takes effect at the end of the current billing period, and the Service remains available until that date.

6. Service Availability

RealExploit infrastructure leverages globally distributed edge networks (Cloudflare) and enterprise-grade hosting (Frankfurt, Germany). While we design for high availability, we do not guarantee specific uptime percentages. The Service is provided AS IS without a Service Level Agreement except as expressly agreed in writing for Enterprise customers. Scheduled maintenance, third-party data-source outages, and network conditions outside our control may affect availability from time to time.

7. Intellectual Property

Keystone Labs and its licensors retain all right, title, and interest in and to the Service, including the API, the scoring algorithm, the web interface, the documentation, trademarks, and logos. These Terms do not grant you any rights in our intellectual property except as explicitly stated.

Aggregated source data is sourced from public-domain or openly licensed catalogs, including CISA KEV (public domain), NIST NVD (United States Government work), FIRST.org EPSS (CC BY 4.0), ExploitDB (open source), the Metasploit Framework (BSD-3-clause, © Rapid7), and Nuclei templates (MIT, © ProjectDiscovery). Attribution and license notices are preserved in API responses and on the landing page.

You retain all rights to the queries, CVE lists, and inputs you submit. We grant you a non-exclusive, non-transferable, revocable license to use the Service and its outputs for the permitted uses set out in Section 4 for the duration of your subscription.

8. Disclaimers

THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, ACCURACY, OR UNINTERRUPTED OPERATION.

Verdicts are informational signals derived from public data and do not constitute professional security advice. You are solely responsible for your security decisions, patch management, configuration choices, and operational risk acceptance. Keystone Labs makes no representation that the Service will identify all vulnerabilities relevant to your environment.

9. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, KEYSTONE LABS' AGGREGATE LIABILITY FOR ANY AND ALL CLAIMS ARISING OUT OF OR RELATING TO THE SERVICE OR THESE TERMS SHALL NOT EXCEED THE GREATER OF (A) THE AMOUNTS PAID BY YOU FOR THE SERVICE IN THE 12 MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM, OR (B) USD $100.

IN NO EVENT SHALL KEYSTONE LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR EXEMPLARY DAMAGES, INCLUDING LOST PROFITS, LOST DATA, OR BUSINESS INTERRUPTION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Some jurisdictions do not allow the exclusion or limitation of certain warranties or damages; in those jurisdictions, the foregoing limitations apply to the maximum extent permitted by applicable law.

10. Indemnification

You agree to indemnify, defend, and hold harmless Keystone Labs and its affiliates, contractors, and agents from and against any third-party claims, damages, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or related to your use of the Service in violation of these Terms or applicable law, your violation of any third-party right, or any content or data you submit through the Service.

11. Termination

You may terminate your account at any time from your dashboard settings or by emailing [email protected]. Upon termination, your access to the Service is revoked and your personal data is anonymized in accordance with our Privacy Policy.

We may terminate or suspend your account immediately, without prior notice, for violation of the Acceptable Use Policy (Section 4), suspected fraud, abuse, non-payment, or activity that poses a security or legal risk to us or other users. We may also terminate any account, for any other reason, with at least 30 days' written notice. Sections that by their nature should survive termination (Intellectual Property, Disclaimers, Limitation of Liability, Indemnification, Governing Law) survive.

12. Force Majeure

Neither party shall be liable for failure to perform its obligations due to causes beyond its reasonable control, including but not limited to upstream service-provider outages, internet disruptions, natural disasters, government actions, cyberattacks, civil unrest, or pandemics. Affected obligations are suspended for the duration of the force-majeure event.

13. Modifications to Terms

We may update these Terms from time to time. For material changes, we will provide at least 30 days' advance notice via email to the address on your account and by posting the updated version on this page with a revised "Last updated" date. Continued use of the Service after the effective date of the updated Terms constitutes acceptance of the changes. If you do not accept the updated Terms, your sole remedy is to terminate your account before the effective date.

14. Governing Law and Disputes

These Terms are governed by the laws of the jurisdiction in which the Operator is registered, without regard to conflict of laws principles. Disputes arising out of or relating to these Terms or the Service shall first be addressed through good-faith negotiation between the parties for a period of at least 60 days. If unresolved, disputes shall be subject to the exclusive jurisdiction of the competent courts of the Operator's registered residence.

Specific jurisdictional details (the Operator's country of registration and the relevant judicial district) are available upon written request to [email protected] for legitimate legal purposes — including service of process, regulatory inquiries, or formal pre-litigation correspondence.

15. General Provisions

• Entire agreement. These Terms, together with the Privacy Policy, the Refund Policy, and any plan-specific addenda, constitute the entire agreement between you and Keystone Labs.
• Severability. If any provision is held unenforceable, the remaining provisions remain in full force and effect.
• No waiver. Failure to enforce any right is not a waiver of that right.
• Assignment. You may not assign these Terms without our prior written consent. We may assign these Terms in connection with a merger, acquisition, or sale of assets.
• Notices. Notices to you may be sent to the email on your account; notices to us must be sent to [email protected].

16. Contact

For questions about these Terms, contact [email protected]. For legal or regulatory correspondence, use [email protected].

Disclaimer. These Terms are provided as a comprehensive baseline for the Service. Specific compliance with your jurisdiction's consumer-protection law, industry regulations, or other legal requirements may differ. They are not legal advice; consult qualified legal counsel for your specific situation.