Community Bans — Terms of use
v1.0 · effective 2026-05-27
These terms apply to the unmask.sh Community Bans service: the endpoints at
https://unmask.sh/api/feed/* and the published file
https://unmask.sh/api/feed/list.json. By submitting reports, votes,
or comments (= using the Submit opt-in or the inline actions on the
Bans page), you accept these terms. Subscribing (= subscribe_enabled,
pulling read-only data) does not require acceptance.
1. What you may submit, vote on, or comment on
- IP address, JA4 fingerprint, free-text reason, and a free-text comment (≤ 280 chars) tied to a BAN button press in your own unmask installation.
- 👍 / 👎 votes on other installs' submissions and follow-up comments (≤ 280 chars) when you have first-hand information about the reported traffic.
- Optionally a 2-letter ISO country code identifying your install's
location (= opt-in only via the
publish_countrysetting; default OFF). Never the reported client's country. - Submissions / votes / comments must be backed by your own evaluation of the traffic. Do not submit reports about clients you have not actually observed on infrastructure you operate.
2. What you must not submit
- Personal data (PII), credentials, secrets, or content from any third-party service in any free-text field.
- Reports, votes, or comments motivated by spam, harassment, retaliation, or competitive interference.
- Reports against IPs you know are search-engine crawlers, legitimate monitoring services, or your own infrastructure.
- Mass-voting or sock-puppet voting from multiple installs you operate to manipulate the aggregate score. The hub's abuse detection rate-limits this.
- Anything illegal under the laws applicable to you.
3. Public visibility
The following fields are visible to anyone pulling the Community Bans feed or browsing it via the admin UI:
- Your install's derived handle name (HN, e.g. "swift-otter-a3f7"), opt-in country code, and every free-text reason / comment you attach.
- Your vote kind (like / bad) and the parent submission you voted on. Votes are not anonymous; the HN is shown.
- The 5-tier aggregate score assigned by the hub and the short reasoning string produced by the heuristic and/or AI judge.
Do not include anything you would not say in public. Do not assume votes are anonymous.
4. Licensing of your submissions, votes, and comments
You grant unmask.sh and every subscriber a perpetual, worldwide, royalty-free license to copy, store, display, aggregate, judge, and redistribute the data you submit, vote on, or comment on, for the sole purpose of operating and consuming the Community Bans service. You retain ownership of your own data.
5. How the hub uses submissions
- Submissions are stored in a hub-side database keyed by the SHA-256 of an anonymous token (= no email, no account). Raw tokens are never persisted.
- The hub aggregates by (IP, JA4) pair, folds in vote / comment counts, and computes a 1-5 score. A configurable LLM judge may re-evaluate the same structured signals (no raw IPs, no operator metadata are sent to the AI provider).
- Public-feed entries rotate out on a relevance-driven window so old one-off reports do not keep showing up; see the privacy policy for the full retention model. Reporter-side per-day salted IP hashes are scrubbed on a short rolling window independent of any other retention, so reporter anonymity is preserved.
- The hub may reject submissions or revoke tokens that appear abusive (= mass false reports, sock-puppet voting, rate-limit violations).
6. Auto-apply is opt-in and defaults to captcha
The browse feed includes both promoted entries (= score ≥ 3 → published to the banlist) and reports-only entries (= score 1-2 → visible for context but not propagated). Subscribers may optionally copy promoted entries above a configurable score threshold into their own BAN list with a configurable action. The shipped defaults are:
- Threshold = 5 (= near-certain bots only).
- Action = captcha_only — the Feed never causes a 403 by default. Real humans on flagged IPs still reach the site after one CAPTCHA.
Operators who change either default are responsible for the operational consequences (= false positives, escalated friction for legitimate users).
7. No warranty, no liability
The Community Bans service is provided as-is, with no warranty of any kind. unmask.sh is not liable for damages arising from feed accuracy, downtime, false positives, AI judge mistakes, or the operational decisions you make based on it. You are responsible for your own infrastructure and your own BAN list configuration.
8. Revocation, deletion, and corrections
You may stop submitting at any time (= flip submit_enabled off
in admin). You may delete your own submissions, comments, and votes
individually from the Bans page (= the inline × buttons in the detail
panel). To remove every row associated with your token at once, use the removal request form with the HN your install
displays.
Reported parties: if a banned IP is yours and should not be on the feed, use the removal request form with the IP. We will remove the entry.
9. Changes
We may update these terms. Material changes will require re-acceptance in admin before further submissions are accepted.
This document is not legal advice. unmask is an open-source project; consult counsel before relying on these terms for compliance in your jurisdiction.
See also: Privacy policy.