Terms of Service
Effective: April 11, 2026
These Terms of Service (Terms) govern your use of the cvebase.io website, API, MCP server, and related services (collectively, the Service). Throughout this document, we, us, and the operator refer to the legal entity identified below:
By creating an account, signing in via a third-party identity provider, or accessing the Service in any other way, you agree to these Terms and to our Privacy Policy. If you do not agree, you may not use the Service.
1. The Service
cvebase.io is an independent, aggregating search engine for publicly available security vulnerability data. We index content from public sources — including but not limited to NVD, CISA KEV, MITRE ATT&CK, ExploitDB, Sigma rule repositories, GHSA, and vendor advisories — and expose it through a website, a REST API, and a Model Context Protocol (MCP) server for AI assistants.
The Service is provided on an as-is and as-available basis. We do not produce the vulnerability data ourselves; we aggregate and enrich data from third-party sources, and the accuracy and completeness of that data is outside our control.
2. Account & eligibility
You may browse the Service anonymously with limited rate limits. Signing in creates an account authenticated through a supported third-party identity provider (currently GitHub and Google). You must be at least 16 years old to create an account. By creating an account you confirm that you are providing accurate information and that you are the legitimate holder of the identity provider account used to sign in.
You are responsible for all activity under your account, including any API keys you generate. If you suspect your account or an API key has been compromised, revoke the key immediately from your dashboard and contact us at [email protected].
3. Acceptable use
You agree not to use the Service to:
- Bypass or exceed the rate limits published on the documentation page, including by rotating IP addresses, creating multiple accounts, or otherwise circumventing enforcement.
- Resell, sublicense, or redistribute the Service, the API, or bulk exports of the underlying data, unless you hold an active Pro or Team subscription and such use is expressly permitted by the commercial use license.
- Attempt to reverse-engineer, decompile, or otherwise extract the source code of the Service or its embedding and ranking models.
- Use the Service or the data it exposes to facilitate unlawful activity, including unauthorised access to computer systems, weaponised exploitation of identified vulnerabilities, or any activity prohibited under the Czech Republic's Criminal Code or applicable international law.
- Automate account creation, submit fraudulent payment information, or use stolen credentials.
- Interfere with or disrupt the Service or the servers and networks it runs on, including through denial-of-service techniques or attempts to evade our abuse controls.
We reserve the right to suspend or terminate accounts that we reasonably believe are violating these rules, with or without prior notice depending on the severity of the violation.
4. Subscriptions, billing & trials
The Service is offered in a free tier and paid subscription plans (Pro and Team). Current prices and feature lists are shown on the pricing page.
Paid subscriptions begin with a seven (7) day free trial. You may cancel during the trial at no charge. If you do not cancel, the subscription automatically converts to a paid plan at the end of the trial and your payment method (collected at the start of the trial) will be charged. Subscriptions then renew monthly on the same day of the month until cancelled.
You may cancel at any time from your dashboard or the customer portal. Cancellation takes effect at the end of the current billing period — you retain access to paid features until that date. We do not issue pro-rated refunds for partial periods.
All payments are processed by Stripe Payments Europe, Ltd. (Ireland). We do not store full payment card details. By entering payment information you also agree to Stripe's terms.
5. Waiver of EU withdrawal right
Under Directive 2011/83/EU and Czech Act No. 89/2012 Coll. (Civil Code), consumers in the European Union have a fourteen (14) day right to withdraw from distance contracts for digital services without giving a reason. However, this right may be expressly waived in exchange for immediate access to the digital content or service.
When you complete the checkout and begin using the paid Service before the fourteen-day window expires, you expressly request immediate access and waive your statutory fourteen-day right of withdrawal. Stripe Checkout will ask you to confirm this waiver with a separate checkbox before payment proceeds.
This waiver does not affect your statutory rights where the Service fails to conform to these Terms.
6. Intellectual property
The cvebase name, logo, and the website design, embedding models, ranking logic, and source code of the Service are and remain our property. Nothing in these Terms transfers ownership of these to you.
The underlying vulnerability data is sourced from public third-party datasets. The original copyright or licence of each source continues to apply and is preserved in the source field of every API response.
Paid subscribers (Pro and Team) receive a non-exclusive, worldwide, non-transferable licence to use API responses in their own commercial products, internal tools, and research outputs, provided such use does not involve bulk redistribution of the Service itself as a competing product. Free tier users may use the Service for personal and non-commercial research only.
7. Data & privacy
Our processing of personal data is described in full in the Privacy Policy, which is incorporated into these Terms by reference.
8. Availability & maintenance
We aim to keep the Service running reliably but we do not guarantee any specific level of availability on the free tier. The Service may be temporarily unavailable for scheduled maintenance, data refreshes, or unforeseen incidents. No service level agreement (SLA) currently applies; separate SLAs may be offered under individually negotiated Team agreements.
9. Disclaimers & limitation of liability
The Service is provided as-is, without warranties of any kind, whether express or implied, including but not limited to merchantability, fitness for a particular purpose, accuracy of data, or non-infringement. You use the Service at your own risk and are solely responsible for any decisions you make based on the information it surfaces.
To the maximum extent permitted by applicable law, our total aggregate liability to you for any claim arising out of or related to these Terms or the Service is limited to the greater of (a) the amount you have paid us for the Service in the twelve (12) months immediately preceding the event giving rise to the claim, or (b) one hundred euros (€100). In no event shall we be liable for indirect, incidental, special, consequential, or punitive damages, or for loss of profits, revenue, or data.
Nothing in these Terms limits any liability that cannot be excluded or limited under applicable mandatory consumer protection law.
10. Termination
You may stop using the Service at any time. You may delete your account by contacting us at [email protected] — see the Privacy Policy for details on retention after deletion.
We may suspend or terminate your access to the Service at any time, with or without notice, if you breach these Terms or if we reasonably believe continued access poses a risk to the Service, other users, or third parties. Sections that by their nature should survive termination (intellectual property, disclaimers, limitation of liability, governing law) will survive.
11. Changes to these Terms
We may update these Terms from time to time. For changes that materially affect your rights, we will give you at least thirty (30) days' notice by email or by a prominent notice on the Service before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated Terms.
12. Governing law & disputes
These Terms and any dispute arising out of or in connection with them are governed by the laws of the Czech Republic, excluding its conflict-of-laws rules and the United Nations Convention on Contracts for the International Sale of Goods. The courts of the Czech Republic shall have exclusive jurisdiction, subject to any mandatory consumer protection rules that grant you the right to bring proceedings in the courts of your country of residence.
13. Contact
Questions about these Terms? Write to [email protected].