Is scanning legal?

Similarly to organizations such as Shodan and Censys, Shadowserver performs daily port scanning of the entire IPv4 Internet, from computers physically located in the USA, where port scanning is not prevented by Federal law. For detailed analysis of the legality of Internet-wide scanning, please see articles by Nmap and Rapid7. We do this as Shadowserver to help make the Internet more secure for everyone, but unlike serivces such as Shodan and Censys, we decided not make our scan data available for public searching. Instead, we only notify vetted network owners who have subscribed to our free daily reports about potential misconfiguration or abuseable services exposed on their network, that could be used to attack others (such as in reflective DDoS amplification attacks), as well as their appropriate National CERT/CSIRT – this data is solely for the purposes of remediation. We believe that this approach strikes an ethical balance between improving the security of the Internet as a whole and not doing harm, such as by exposing potential vulnerability data to open, anonymous public searches that could otherwise be used by attackers to locate and exploit/abuse vulnerable systems.  (Learn more about our scanning here.)

Other Questions