Vulscan

VulscanBot

VulscanBot is the security-research crawler operated by Vulscan. It performs passive, external-only security checks on websites — no logins, no form submissions, no intrusion attempts. The crawler identifies itself in server logs with a User-Agent header containing VulscanBot.

I don't want my site scanned

We honour the standard robots.txt opt-out. To stop VulscanBot from visiting your site, add the following to your /robots.txt:

User-agent: VulscanBot
Disallow: /

A blanket disallow for every bot (User-agent: * with Disallow: /) is honoured too — if you already have one, nothing else is needed.

What happens after you opt out

The robots.txt check runs on every scan, so changes take effect immediately. If you later want to test your site yourself, just remove the entry from robots.txt.
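To confirm the opt-out is in place and being respected, the following added example (not Vulscan's code) checks a robots.txt body against the VulscanBot token and lists VulscanBot requests in an access log for anything other than /robots.txt. It assumes the crawler interprets robots.txt the way Python's urllib.robotparser does and that logs use the combined log format; the sample robots.txt bodies, log lines and full User-Agent string are constructed.

```python
import re
from urllib.robotparser import RobotFileParser

BOT = "VulscanBot"  # token the page says appears in the User-Agent header

def opted_out(robots_txt, agent=BOT):
    """True if this robots.txt body disallows the whole site for `agent`.
    Assumption: the crawler matches rules the way urllib.robotparser does."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return not rp.can_fetch(agent, "/")

# Combined log format: [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def bot_hits(log_lines, agent=BOT):
    """(timestamp, path) of requests by `agent`, ignoring /robots.txt fetches,
    which are expected because the opt-out check runs on every scan."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and agent.lower() in m["ua"].lower() and m["path"] != "/robots.txt":
            hits.append((m["ts"], m["path"]))
    return hits

# Constructed robots.txt bodies, including two that look like opt-outs but are not.
SAMPLES = {
    "named":      "User-agent: VulscanBot\nDisallow: /\n",
    "blanket":    "User-agent: *\nDisallow: /\n",
    "partial":    "User-agent: *\nDisallow: /admin\n",
    "typo":       "User-agent: VulscanBot\nDisalow: /\n",   # misspelt directive is ignored
    "empty_rule": "User-agent: VulscanBot\nDisallow:\n",    # empty Disallow allows everything
}

# Constructed access-log lines (documentation IP ranges, made-up full UA string).
UA = "Mozilla/5.0 (compatible; VulscanBot)"
SAMPLE_LOG = [
    f'198.51.100.7 - - [12/Mar/2025:09:14:02 +0000] "GET /robots.txt HTTP/1.1" 200 42 "-" "{UA}"',
    f'198.51.100.7 - - [12/Mar/2025:09:14:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "{UA}"',
    '192.0.2.15 - - [12/Mar/2025:09:15:10 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11)"',
]

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10} opted out: {opted_out(body)}")
    for ts, path in bot_hits(SAMPLE_LOG):
        print(f"VulscanBot request outside robots.txt: {ts} {path}")
```

Requests that bot_hits reports with timestamps later than the opt-out are the ones to include when writing to the contact address.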

Questions or complaints

Email hello@vulscan.app — we can also remove your site from the research set manually on request.