Section 1 — What you can do
You are welcome to use free or licensed OSM data for non-commercial purposes.
Research
- Studying malware trends, threat actors, campaigns, or attack techniques.
- Academic or independent security research.
- Using threat records to investigate whether your organization has been exposed to a known threat.
- Checking whether a software package is malicious before using it in your own projects.
- Building an internal platform to serve internal customers (for example, security analysts).
- Feeding OSM data into your internal tools, processes, or pipelines to help your security team work more effectively.
- Responding to a security incident inside your own organization.
- Producing internal reports, briefings, or executive summaries that draw on OSM data — including sharing those with leadership, legal counsel, or your cyber insurer in connection with an incident.
The prohibition in Section 3 applies to copying the OSM database for external redistribution, not to using the API at scale for your own security operations. See Section 4 for more on API use.
Section 2 — Requires explicit permission and a license
If you use OSM data to build or deliver something that provides value to people outside your organization, you need an Enterprise License Agreement before you begin. This includes:
- Building a commercial product that uses OSM data as a source — for example, a threat intelligence platform (TIP/CTI), an AppSec or ASPM tool, a vulnerability management product, a security dashboard, or any other product where OSM data improves what you deliver to your customers.
- Offering a managed security service (MSSP), consulting service, or incident response service where OSM data is part of what your clients receive.
- Any other situation where OSM data contributes to value you provide to a third party.
- Incorporating OSM data into a separate database or dataset that you share or sell.
- Using OSM data to train machine learning or AI models for commercial purposes.
To discuss an Enterprise License, contact us at info@osmsecurity.com.
Section 3 — What is never allowed
Regardless of your subscription tier, no user may harvest or stockpile OSM data beyond what the API is designed to provide. This prohibition applies to all automated tools — bots, scrapers, and crawlers — and cannot be unlocked by any subscription plan.
Section 4 — Using the API
Using OSM APIs as part of your legitimate security work is encouraged. Automated lookups, integrations with your internal tools, and pulling data into your workflows are all intended API uses. What is not allowed is using automated tools to systematically harvest and copy the entire dataset — for example, crawling every record in the database to build your own copy of it. This is true regardless of your subscription tier.
Section 5 — Data ownership and license
All data provided by OpenSourceMalware remains the exclusive property of OpenSourceMalware. By creating an account and using this service, you are granted a limited, non-exclusive, non-transferable, revocable license to access and use the data for the purposes described in Section 1. This license does not include the right to redistribute, resell, sublicense, or use the data for commercial purposes as described in Sections 2 and 3.
Section 6 — Enforcement
If you violate these terms:
- Your access to the service may be terminated immediately.
- Your license to use OSM data is automatically revoked.
- You may be held liable for damages, including any profits derived from unauthorized use.
We would rather work with users to resolve unintentional violations than take enforcement action. If you think you may have crossed a line — especially if it was unintentional — please reach out at info@osmsecurity.com.
Section 7 — Reporting violations
If you become aware of someone using OSM data in a way that violates these terms, please report it to info@osmsecurity.com.
Last updated: March 2026