24 days ago
Dear Railway Community
I am a security researcher seeking to understand how your Acceptable Use Policy applies to threat intelligence gathering activities.
The research aims to identify misconfigured HTTP servers that are being abused by threat actors as malicious infrastructure. This would involve lightweight scanning of specific ASNs to check for open ports (80, 8080, 8000) and list accessible directories. The scan data would then be manually reviewed to determine if the exposed assets contain attacker staging tools or other indicators of compromise.
To be clear, the scanning would:
Be limited to a small set of ports on selected ASNs
Only interact with publicly accessible services, without any authentication bypass
Minimize impact through strict rate limiting and a "lightweight touch"
Restrict data use to manual analysis to identify attacker infrastructure
This approach has previously assisted us and other companies in better understanding the tactics, techniques and targets of threat actors. Any confirmed malicious infrastructure identified would be published as research on hexforge.org to benefit the security community.
We would not be exploiting any vulnerabilities, actively interfering with services, or disclosing data related to non-attacker systems.
My questions are:
Would this tightly-scoped, minimally invasive threat intelligence gathering focused on identifying attacker infrastructure violate your AUP or Terms of Service?
If so, are there modifications to the methodology that would make it compliant, such as further limiting scan scope or depth?
If this activity is not permitted, could you clarify which provisions of the AUP or ToS it would violate so I can ensure full understanding?
I appreciate you taking the time to review this request. My aim is to ensure any research activities fully comply with your platform's policies. Please let me know if you need any clarifications or additional details.
1 Replies
Status changed to Awaiting Railway Response Railway • 24 days ago
24 days ago
Typically this would not be allowed, but given the tight constraints you have put forth, I see no issue, so you are more than welcome to proceed, but please keep in mind that if our automated systems find that what you're doing is beyond what we want to support and your account gets put into a restricted state, that would not be something you can appeal.
Status changed to Awaiting User Response Railway • 24 days ago
17 days ago
This thread has been marked as solved automatically due to a lack of recent activity. Please re-open this thread or create a new one if you require further assistance. Thank you!
Status changed to Solved Railway • 17 days ago