Authorization Scope
Last updated: 2026-05-09.
This page summarizes the authorization scope that customers accept before any QuickCheck assessment begins. The full authorization form is sent by email after intake.
What this authorizes
A fixed-scope, read-only review of one customer-owned/administered Linux VPS or Amazon EC2 host. The auditor reviews customer-run, customer-redacted, read-only evidence covering common posture areas: OS/kernel/package update status, SSH/firewall/listening service posture, admin user/group/key metadata, logging/time sync/backup indicators, Docker basics if present, and EC2 metadata-service posture if applicable.
What is not authorized
- Exploit attempts or vulnerability weaponization.
- Password guessing/cracking, phishing, social engineering, credential harvesting, stealth or evasion testing.
- Denial-of-service, load testing, command-and-control, or simulated malicious traffic.
- Production configuration or data changes.
- Testing systems not listed in scope.
- Access to private keys, secrets, application data, customer records, databases, regulated data, or personal data.
- Public disclosure of findings without separate written consent.
- Direct server access or remediation by default; either requires a separate written engagement.
AWS-specific scope
For AWS or EC2 targets, only customer-owned or customer-configured resources are in scope. AWS infrastructure and AWS-managed services themselves are out of scope. No DoS/flooding/load testing, command-and-control simulations, DNS/S3/subdomain-takeover testing, or other provider-restricted testing is authorized.
Customer responsibilities
- Confirm ownership/admin authority before work starts.
- Run the read-only collector and review/redact output before sharing.
- Avoid sending secrets, private keys, tokens, .env files, databases, shell history, or customer records.
- Maintain backups and operational responsibility for the host.
- Decide whether and how to apply any remediation recommendations.
Deliverable and limitations
The deliverable is a Markdown/PDF-ready point-in-time advisory report with prioritized findings, evidence excerpts, and remediation recommendations. It is not a penetration test, compliance certification, legal opinion, insurance attestation, incident-response report, or security guarantee.
Validity window
Authorization applies only to the target and scope listed in the signed authorization form, during the window the customer specifies in that form.