document-integrity-verifier / ACCEPTABLE_USE.md
cronos3k's picture
Initial deploy: Document Integrity Verifier (LEGX)
ea53eb9 verified
|
Raw
History Blame Contribute Delete
5.64 kB
# Acceptable Use Policy
This Acceptable Use Policy ("**AUP**") forms part of the licence terms
under which the LEGX toolkit (including the Document Integrity Verifier)
is made available. It is incorporated by reference into the [LICENSE](LICENSE)
file. Where the LICENSE permits a use, this AUP narrows that permission.
Violating this AUP terminates your licence under the terms in the LICENSE'
**Violations** section.
The terms "**Software**", "**licensor**", "**you**", and "**your company**"
have the meanings given to them in the LICENSE.
The Software is a **defensive tool**. It exists so that humans and
automated workflows can decide whether a document is being truthful about
itself before it reaches an AI ingestion pipeline. The Software was not
built to attack systems, generate adversarial content, or train models to
evade detection β€” and you may not use it to do those things.
---
## 1. Prohibited uses
You may not use the Software, or any part of it, to:
1. **Develop, train, fine-tune, evaluate, distribute, or operate
offensive AI capabilities** β€” including but not limited to prompt
injection tools, jailbreak generators, document-borne attack
templates, watermark removers, hidden-payload writers, OCR-evasion
models, or any other system whose primary purpose is to attack,
bypass, or weaken safety mechanisms of an AI system, a human reader,
or an organisation.
2. **Test attacks against any system you are not authorised to test.**
You are responsible for ensuring you have explicit, written, scope-
bounded authorisation before pointing the Software, its outputs, or
any derived artifact at production or third-party systems.
3. **Use detected patterns, regexes, or model outputs as training data,
reinforcement signal, or evaluation targets** for any system whose
purpose is to evade detection by this Software, by any other
defensive scanner, or by any AI safety mechanism. The lexicon and
the model verdicts are defensive signals; teaching attackers to
route around them defeats the entire point of the Software.
4. **Misrepresent Software output** β€” verdicts, detector matrices, OCR
diffs, or the written assessment β€” as compliance certification, as a
security audit by the licensor, or as a guarantee of safety. The
output is advisory; representing it otherwise is a deceptive practice
and a violation of this AUP.
5. **Strip, modify, hide, or work around the LICENSE, this AUP, the
`DISCLAIMER.md`, the `Required Notice` lines, or the in-app warnings**
in any distribution, fork, deployment, or derived work.
6. **Re-enable the authoring side of the LEGX toolkit (challenge
generation, transform catalogs, fixtures, blind-package tooling) in
a distribution presented as a "detector" or "scanner" to end users
without making the re-enabled authoring capability and its risks
unambiguously visible.** The detector-only export script
(`scripts/export_zerogpu_space.ps1`) is the canonical detector
distribution; forks that quietly re-enable authoring are out of
scope of any licence granted to you.
7. **Process documents containing personal data, privileged
communications, or regulated information** with a **public** instance
of the Software (e.g. a public Hugging Face Space). Private,
self-hosted deployments are the appropriate channel for any
non-public material.
8. **Use the Software to generate, automate, or accelerate harassment,
discrimination, surveillance against political dissidents,
journalists or human-rights defenders, or any activity prohibited by
applicable law.**
## 2. Required disclosures for forks and derived works
If you distribute a fork or derived work:
1. Include this `ACCEPTABLE_USE.md` and the `DISCLAIMER.md` unmodified.
2. Preserve every `Required Notice:` line from the LICENSE.
3. State plainly that your fork is **not endorsed by, audited by, or
maintained by the licensor**.
4. If your fork modifies any detector, the lexicon, the reasoning
prompt, or the LLM verdict path, **document those modifications in a
`CHANGES.md`** so downstream users can decide whether they trust the
modified detection layer.
5. If your fork removes or weakens any safety check (size cap, GPU
timeout, work-dir cleanup, etc.), this is a material change and must
be flagged in `CHANGES.md` with the rationale.
## 3. Reporting abuse
If you become aware of a deployment that violates this AUP, please
contact the licensor (see [`COMMERCIAL.md`](COMMERCIAL.md)). Reports made
in good faith will be treated confidentially where the law allows.
## 4. Effect of violation
Per the LICENSE, the first time you are notified in writing of a
violation, you have 32 days to come into compliance. If you do not, **all
your licences end immediately**. Continued use after termination is
copyright infringement.
The licensor reserves the right to publicly identify deployments that
materially violate this AUP, especially where doing so protects users
from being misled about the safety guarantees of a defensive tool.
## 5. No defensive exception for offence
The fact that the Software detects an attack class does **not** grant
you permission to *create* that attack class, even for "research" or
"red-team" purposes, unless you are operating under (a) an explicit
authorisation from the target system's owner, (b) a published
responsible-disclosure policy, and (c) a written commitment not to
release weaponisable artifacts. This AUP narrows what counts as
"permitted purpose" under the LICENSE β€” defensive purpose is permitted;
offensive purpose is not.