Flagpole Security
LEGAL / SCOPE

Authorization and scope boundaries.

This legal-adjacent page explains what an account claim permits, what it does not permit, and when separate written authorization is required before deeper testing begins.

Report claim

The basic account claim is intentionally lightweight. The user confirms they are the owner, operator, employee, agency, or authorized representative for the website, then the report attaches to the account.

  • Same-domain email can reduce friction.
  • Non-matching email domains may need support review.
  • Claiming a report does not approve broader testing.

Deeper testing

Authenticated journeys, uploads, payment flows, AI usage, abuse testing, or broader review need explicit scope. That should be handled in writing before work begins.

Include

Domains, apps, test accounts, login roles, allowed workflows, testing window, and contact people.

Exclude

Production disruption, customer data extraction, spam, brute force, KYC or payment submissions, and unrelated third-party systems.

Useful limits

  • Spend, credits, provider calls, and email sends.
  • Rate, volume, uploads, and storage.
  • What to do if a severe issue appears.
  • How scope changes get approved or paused.

Need to manage a report?

Claim access to keep documents, service requests, retests, and support history attached to the right website.

Open account