1. Scope
This Acceptable Use Policy applies to your use of Ravenstash, including the public website, hosted app, developer API, package upload and download endpoints, repositories, packages, upstream cache features, automation tokens, team workspaces, support channels, and related services.
This policy supplements the Terms of Service. Ravenstash may enforce this policy against accounts, workspaces, repositories, packages, versions, artifacts, tokens, traffic, and support interactions.
2. Lawful and authorized use
You may use Ravenstash only for lawful purposes and only in ways that you are authorized to use it. You may not use Ravenstash to violate laws, regulations, sanctions, export controls, court orders, contracts, third-party rights, package ecosystem rules, or another person's privacy or security.
3. Malware and harmful packages
You may not upload, publish, cache, store, distribute, trigger, or help deliver code or content that is designed to harm, disrupt, surveil, steal, deceive, or gain unauthorized access.
Prohibited uses include:
- Malware, ransomware, spyware, destructive scripts, botnet tooling, worms, droppers, loaders, backdoors, or persistence mechanisms.
- Credential theft, token harvesting, phishing kits, fake login flows, session hijacking, keylogging, or secret-exfiltration tooling.
- Packages that execute unexpected network calls, destructive commands, crypto-mining, surveillance, or data collection without clear authorization.
- Obfuscated, packed, or evasive packages used to hide prohibited behavior.
- Packages that attempt to disable security tooling, tamper with package clients, or bypass build, install, or runtime controls.
4. Supply-chain attack tactics
You may not use Ravenstash to conduct, prepare, disguise, or assist supply-chain attacks against private projects, public package ecosystems, customers, maintainers, or package users.
Prohibited tactics include:
- Dependency confusion attacks or packages intended to be selected instead of an intended private or public dependency.
- Typosquatting, brand impersonation, misleading package names, misleading scopes, or metadata intended to trick users into installing the wrong package.
- Namespace hijacking, maintainer impersonation, unauthorized package takeover, or release activity that falsely suggests endorsement or ownership.
- Malicious install scripts, post-install hooks, build steps, repository URLs, release notes, or package metadata.
- Version flooding, package churn, metadata spam, or automated package creation intended to confuse users or degrade registry integrity.
5. Security research
Security research must be authorized, targeted, and non-destructive. You may not access, test, scan, or probe Ravenstash systems, other users' repositories, third-party systems, public registries, or package clients without authorization.
Do not attempt privilege escalation, data exfiltration, persistence, denial of service, social engineering, credential harvesting, or actions that degrade service for others. Report security concerns to support@ravenstash.com.
6. System, network, and registry abuse
You may not interfere with Ravenstash, its providers, other users, package clients, public registries, or third-party systems. This includes denial-of-service activity, credential stuffing, password spraying, scraping that ignores limits, unauthorized scanning, spam requests, excessive retries, cache abuse, upload abuse, download abuse, or attempts to bypass rate limits and access controls.
You may not use upstream cache features to overload, scrape, mirror, evade controls, or violate the terms of public registries.
7. Fair use and resource limits
Ravenstash is for software package registry workflows. You may not use Ravenstash as a generic cloud storage drive, backup system, file-sharing service, CDN, malware sandbox, crypto-mining platform, traffic relay, artifact dump, or distribution channel for files unrelated to package management.
You may not create unreasonable load, storage, bandwidth, support burden, operational risk, security risk, or cost for Ravenstash or its providers. We may apply technical limits, throttling, quotas, cache controls, or other safeguards to protect service integrity.
8. Credentials and access controls
You must keep passwords, passkeys, device sessions, automation tokens, API tokens, package-client credentials, and CI secrets secure. You may not share personal logins, publish tokens, embed secrets in packages, or use credentials that you are not authorized to use.
If credentials are exposed or compromised, revoke them promptly and notify Ravenstash when the exposure could affect the service or other users.
9. Content, intellectual property, and privacy
You may not use Ravenstash to upload, store, cache, or distribute content that infringes intellectual property rights, violates privacy rights, violates confidentiality obligations, or is unlawful, deceptive, defamatory, abusive, or harassing.
Do not store highly sensitive personal data, payment card data, protected health information, government identifiers, authentication secrets, or regulated data in packages, metadata, logs, repository names, or support messages unless Ravenstash has expressly agreed to that use in writing.
10. Copyright and DMCA notices
Ravenstash responds to copyright and intellectual property reports. To submit a DMCA notice or other rights complaint, email support@ravenstash.com with enough detail for us to review the issue.
A copyright notice should include:
- Your physical or electronic signature.
- Identification of the copyrighted work or other right you claim was infringed.
- Identification of the package, repository, URL, artifact, or other material you believe is infringing.
- Your name, organization if applicable, mailing address, phone number, and email address.
- A statement that you have a good-faith belief that the disputed use is not authorized by the rights holder, its agent, or the law.
- A statement that the information in the notice is accurate and, under penalty of perjury, that you are the rights holder or authorized to act for the rights holder.
If you believe material was removed or restricted by mistake, you may send a counter-notice with your contact information, identification of the removed material, a statement under penalty of perjury that you have a good-faith belief the material was removed or disabled by mistake or misidentification, and your consent to the jurisdiction required by the DMCA.
11. Package scanning and enforcement
Ravenstash may scan, inspect, hash, classify, quarantine, block, remove, or restrict packages, artifacts, metadata, repositories, tokens, accounts, traffic, and upstream cache activity to detect malware, vulnerabilities, policy violations, abuse, fraud, security risk, rights violations, or operational risk.
Ravenstash may suspend, terminate, throttle, rate-limit, delete, preserve, or disable access to packages, repositories, workspaces, tokens, or accounts immediately and without advance notice when we believe action is needed to protect Ravenstash, users, providers, package ecosystems, public registries, or third parties.
We may notify workspace administrators, affected parties, service providers, public registries, law enforcement, or rights holders where appropriate.
12. Reporting abuse
To report abuse, rights issues, security concerns, or harmful package activity, contact support@ravenstash.com. Include the package name, repository, URL, account or organization if known, timestamps, logs, and a short explanation of the concern.
Need the product instead of the policy? Create an account.
