Terms of Service
Effective date: March 21, 2026
1. The Service
RiskScore (“we,” “us,” or “our”) provides a REST API and dashboard that aggregates CVE vulnerability data from the NIST National Vulnerability Database (NVD), the CISA Known Exploited Vulnerabilities (KEV) catalog, and the FIRST Exploit Prediction Scoring System (EPSS) into a single composite risk score. The Service is operated from 612 South 4th Street, Philadelphia, PA 19147, United States. By creating an account or using the API, you agree to these Terms of Service (“Terms”).
2. Acceptable Use
You agree to use the Service only for lawful purposes. You may not:
- Use the API to assist in unauthorized scanning, probing, or attacking third-party systems.
- Resell, sublicense, or redistribute API access or data without our prior written consent.
- Circumvent, disable, or interfere with rate limits, authentication, or security controls.
- Use the Service to build a competing product that substantially replicates its core functionality without a commercial license.
- Scrape, bulk-export, or cache data in ways that are inconsistent with the permitted use of our upstream data sources (NVD, CISA, FIRST).
- Use the Service in any manner that violates applicable law, including export control or sanctions regulations.
We reserve the right to determine, in our sole discretion, whether use violates this policy.
3. Account Registration & Termination
You must provide a valid email address to create an account. You are responsible for maintaining the confidentiality of your API key and all activity under your account. You must notify us immediately at [email protected] if you suspect unauthorized use.
We may suspend or permanently terminate your account, without prior notice, if we determine that you have violated these Terms, engaged in abusive or fraudulent behavior, or if required to do so by law. Upon termination, your API keys will be deactivated and your access to paid features will cease. Paid subscription fees already charged are non-refundable upon termination for cause.
4. Rate Limits & Service Availability
Each plan carries defined daily and per-minute API request limits. These limits are enforced server-side and requests exceeding your tier will receive a 429 Too Many Requests response.
No Service Level Agreement (SLA) is provided for the Free tier. Paid plans receive commercially reasonable uptime efforts, but we do not guarantee any specific uptime percentage. The Service is provided “as available.” We reserve the right to perform maintenance, modify rate limits, or deprecate endpoints with reasonable notice where possible.
5. Payment, Subscriptions & Refunds
Paid plans (Basic at $9.99/month, Pro at $29.99/month) are billed on a recurring monthly basis via Stripe. By subscribing, you authorize us to charge your payment method on the same date each month until you cancel. All prices are in USD.
Cancellation: You may cancel your subscription at any time through the billing portal in your dashboard (Dashboard → Billing → Manage Subscription). Cancellation takes effect at the end of the current billing period; you retain access to your paid tier until that date.
Refunds: We do not provide refunds for partial months or unused API requests. If you cancel mid-cycle, your subscription remains active through the paid period with no prorated refund. Exceptions may be made at our sole discretion for billing errors — contact [email protected].
Failed payments: If a payment fails, we will notify you by email. If payment is not resolved within 3 days, your account will be downgraded to the Free tier. We are not liable for any loss of data or service access resulting from a failed payment.
6. Data & Limitation of Liability
CVE data provided through the Service is sourced from NVD, CISA KEV, and FIRST EPSS. While we make reasonable efforts to keep data current and accurate, we make no warranties about completeness, accuracy, or fitness for a particular purpose. RiskScore scores are informational tools only and are not a substitute for professional security assessment, penetration testing, or expert advisory services.
THE SERVICE IS PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
TO THE MAXIMUM EXTENT PERMITTED BY LAW, RISKSCORE SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR ANY LOSS OF REVENUE, PROFITS, DATA, OR GOODWILL ARISING FROM YOUR USE OF OR INABILITY TO USE THE SERVICE. OUR TOTAL AGGREGATE LIABILITY TO YOU SHALL NOT EXCEED THE AMOUNTS YOU PAID TO US IN THE THREE (3) MONTHS PRECEDING THE CLAIM.
7. Intellectual Property
The RiskScore composite scoring methodology, API design, dashboard, and all associated software are owned by or licensed to RiskScore. Underlying CVE data is publicly available from government and nonprofit sources. We grant you a limited, non-exclusive, non-transferable license to access and use the Service for your internal business or personal security purposes, subject to these Terms.
8. Governing Law & Disputes
These Terms are governed by the laws of the Commonwealth of Pennsylvania, United States, without regard to conflict-of-law principles. Any dispute arising under these Terms shall be resolved exclusively in the state or federal courts located in 612 South 4th Street, Philadelphia, PA 19147, and you consent to personal jurisdiction in those courts. If any provision of these Terms is found unenforceable, the remaining provisions continue in full force.
9. Changes to These Terms
We reserve the right to update these Terms at any time. When we make material changes, we will update the effective date above and, where appropriate, notify you by email. Your continued use of the Service after changes become effective constitutes your acceptance of the revised Terms.
10. Contact
Questions about these Terms? Email us at [email protected]. We aim to respond within 5 business days.