Last updated: July 6, 2026
This Acceptable Use Policy ("AUP") governs use of the Harbor Hub platform (the "Service") and is incorporated into the Harbor Hub Terms of Service. Capitalized terms not defined here have the meanings in the Terms of Service.
The Service is built to run agent workloads — benchmark tasks, trials, and rollouts — in isolated, containerized environments. Much of what makes it useful (executing arbitrary code, evaluating agents against security challenges, stress-testing model behavior) is legitimate only inside those sandboxed environments. This AUP draws that line.
1. Prohibited Uses
Customer may not use the Service, and may not permit or instruct any workload or agent running on the Service, to:
Target systems outside Customer's Executions.
- Access, probe, scan, or attack any system, network, or service that is not part of Customer's own Execution environments, unless Customer owns that system or has documented authorization to test it.
- Attempt to escape, bypass, or defeat the Service's container, network, or tenant isolation, or to access other customers' workloads or data or the Service's underlying infrastructure.
- Use the Service as a source of denial-of-service attacks, credential stuffing, port scanning of third parties, spam, phishing, or other abusive traffic.
Distribute harm beyond the sandbox.
- Exfiltrate, publish, or deploy malware, exploits, or attack tooling developed or exercised within an Execution for use against systems without authorization.
- Use outputs of the Service to plan or carry out unlawful activity.
Run prohibited workloads.
- Cryptocurrency mining or proof-of-work computation, unless expressly authorized in writing.
- Workloads that intentionally circumvent metering, quotas, or billing, or that are designed to degrade the Service for other customers.
- Reselling or providing third parties access to the Service's raw compute other than through Customer's own product built on documented interfaces, unless agreed in writing.
Submit prohibited content.
- Content that is unlawful, infringes third-party intellectual property or privacy rights, or that Customer lacks rights to use.
- Child sexual abuse material, or content that facilitates serious harm to persons, under any circumstances, including inside task environments.
- Live production credentials, secrets, or regulated personal data (e.g., PHI, cardholder data) embedded in task environments, except where necessary and protected by appropriate agreements with Company.
Violate upstream policies.
- Use third-party AI models through the Service in violation of the applicable Model Provider's usage policies, including using the Service to circumvent a Model Provider's safety systems or access restrictions.
2. Permitted Security and Safety Evaluation
For clarity, the following are permitted when conducted entirely within Customer's isolated Execution environments on the Service:
- Running security benchmarks, capture-the-flag challenges, and vulnerability-discovery or exploitation tasks against targets that are part of the task environment itself.
- Evaluating agent or model behavior on adversarial, red-teaming, or safety test content, including tasks designed to elicit unsafe behavior for measurement purposes.
- Executing untrusted or intentionally vulnerable code as part of a task environment.
These activities must remain contained: they may not target the Service's infrastructure, other tenants, Model Providers' systems, or any external third party, and their artifacts may not be weaponized outside the sandbox. Where a Model Provider's policy requires notice or authorization for safety testing through its API, Customer is responsible for obtaining it.
3. Resource Use
Customer must use the Service within the quotas and limits of its plan. Company may throttle or terminate Executions that substantially exceed reasonable resource use for their workload class, that appear runaway or stuck, or that degrade Service stability, and will use reasonable efforts to notify Customer when it does so.
4. Reporting and Enforcement
- Report suspected vulnerabilities in the Service to legal@harborframework.com. Do not test the Service's own security without written authorization.
- Company may investigate suspected AUP violations and may suspend or terminate Executions, accounts, or access as described in the Terms of Service. Where practicable, Company will notify Customer and give an opportunity to cure before suspension.
- Company may report unlawful activity to law enforcement where required or appropriate.
Questions: legal@harborframework.com