Disclaimer & Limitations
last updated · 2026-05-05
FixVibe's findings and suggested fixes are heuristic and informational. They are not professional security advice. You must independently review and test every finding and every suggested change before applying it to a production system.
What we do — and what we don't
FixVibe runs automated checks against URLs and hostnames you submit. The checks are heuristic: they look for patterns commonly associated with security misconfigurations and vulnerabilities. Pattern-matching is fundamentally lossy. We can — and sometimes do — produce false positives and false negatives.
FixVibe is not:
- a substitute for a human penetration test or a qualified security engineer's review;
- a guarantee that your application is secure if no findings appear;
- a guarantee that any finding is exploitable in your environment;
- professional or legal advice of any kind;
- a compliance-certification tool (FixVibe is not SOC 2, ISO 27001, PCI DSS, HIPAA, or any other framework's “official” auditor — check our acceptable-use policy for what we do and do not attest to).
Findings: false positives and false negatives
False positives. A finding labeled “critical” does not always mean your application is critically vulnerable. The check may have triggered on a pattern that, in your specific stack, is benign — for example, a 403 response from an edge firewall that is correctly blocking a request, not exposing a file. We work hard to suppress false positives but cannot eliminate them.
False negatives. A clean scan does not prove your application is secure. Heuristic checks miss vulnerabilities that require domain knowledge, business-logic understanding, multi-step chains, or test cases we have not implemented. The absence of a finding is not a security guarantee.
For systems where security is critical to your business, you should layer FixVibe with periodic professional penetration testing, a bug-bounty program, and rigorous code review.
Suggested fixes and AI-generated content
Some FixVibe findings include suggested remediations — written instructions, code snippets, or text intended to be passed to an AI coding assistant. These suggestions are generated automatically, in some cases by a large language model. They are intended as a starting point for your own investigation, not as drop-in code.
Before applying any suggested remediation, including any text we label as a “prompt” or “fix,” you must:
- read it in full and confirm you understand what it changes;
- confirm it is appropriate for your specific stack, framework version, and configuration;
- test it in a staging environment that mirrors production;
- review the diff with someone qualified before merging;
- be prepared to roll back if the change causes unexpected behavior.
Pasting an AI-generated suggestion straight into production code without review is at your own risk. EGO HERO LLC accepts no liability for outages, data loss, security regressions, or other damages caused by applying a FixVibe-suggested fix without independent verification.
Active scans can affect production
Active scans perform bounded verification against your application. While we rate-limit, use a distinctive User-Agent (FixVibeScanner/1.0), and avoid known destructive patterns, active probing can in rare cases:
- cause slowdowns or error spikes;
- create test rows in your database via injection probes;
- trigger your monitoring, paging, or WAF block lists;
- consume third-party API quotas (e.g., upstream search providers, SMS gateways) if your endpoints proxy to them.
We strongly recommend running active scans against staging environments. If you must scan production, do so during a maintenance window. By initiating an active scan, you acknowledge and accept these risks.
Severity ratings are guidance, not law
Our severity labels (critical, high, medium, low, info) are calibrated against typical web applications. They do not consider your specific threat model, user population, regulatory environment, or asset value. A “low” finding may be a material risk for a fintech handling client funds; a “critical” finding may be irrelevant for a static blog. You are best positioned to translate a finding into a real-world risk.
Authorization is your responsibility
You are solely responsible for confirming you have authority to test every URL or hostname you submit. Active scans, even though we require ownership verification, do not relieve you of this responsibility — verification proves you control the DNS or HTTP response of a target, not that you have legal or contractual authority to test it (for example, a SaaS app you operate on a subdomain of a domain you control might still be subject to its cloud provider's acceptable-use rules). See our Acceptable Use Policy for the full picture.
Limitation of liability — pointer to ToS
EGO HERO LLC's liability for any claim arising from your use of FixVibe is governed by Section 10 of the Terms of Service, including the cap on aggregate damages. By using FixVibe you acknowledge that you have read and understood that section.
