Governance & intended use

OpenHuizeBox ships features that overlap with tooling commonly used to evade commercial-software sandbox detection. This page makes the intended audience, the scope boundary and the contribution gate unambiguous.

Intended use

  1. Authorised privacy-audit research. Studying how a piece of commercial, enterprise or mobile software collects, hashes and transmits host-identifying signals — on hardware you own or are contracted to analyse.
  2. Malware sandboxing and reverse engineering against samples the researcher is legally authorised to possess.
  3. Teaching and reproducing endpoint-profiling attack surfaces in academic and training contexts.
  4. Compliance reproduction. Demonstrating specific regulator-facing claims (GDPR Art. 5 data-minimisation, PIPL Ch. 2, CCPA § 1798.100) with a reproducible test harness.

Out of scope — we will not help with

  1. Evading commercial anti-fraud controls on bank, payment, gambling or e-commerce platforms.
  2. Mass-scale generation of distinct synthetic identities for the purpose of abusing rate limits, loyalty programs, trials, review systems or referral schemes.
  3. Evasion of advertiser fraud detection.

If your use case sits near the border between these lists, open a GitHub issue tagged governance before starting any implementation work.

Technical scope statement

OpenHuizeBox implements identity shaping at three layers, each with a corresponding audit path:

L1 — extradata
DMI/SMBIOS/ACPI strings, disk model and serial, NIC OUI, CPUID brand. Entirely configuration, fully auditable via VBoxManage getextradata <vm> enumerate.
L2 — build-time flags
VBOX_WITH_HARDENING is kept enabled; paravirt interfaces are disabled by default.
L3 — optional in-guest agent
Opt-in scripts that shape registry keys and WMI responses from inside the guest OS.

OpenHuizeBox does not ship:

These are documented as out-of-reach on the detector-coverage matrix, with the reasoning for each.

Contribution gate

Pull requests must declare which layer they touch and which intended-use category they serve. Contributions whose only applicable use case falls under “out of scope” are closed without review. Contributions that touch VMM-level code (L4+) are redirected at the design-proposal stage — open a discussion first.

Governance changes (this document, ACCEPTABLE_USE.md, CODE_OF_CONDUCT.md) must be made in a separate commit prefixed with [GOVERNANCE] so they can be reviewed on their own.

Licensing

Dual-licensed:

If a question touches both, GPL v3 wins. Users who redistribute modified binaries are reminded of their GPL § 6 source-disclosure obligations.

Disclosures

The OpenHuizeBox Project has no commercial sponsor and no paid contractors. No vendor funds features to be added or removed. If the funding model ever changes, it will be disclosed here before any sponsored work lands.

Trademarks

"VirtualBox" and "Oracle" are trademarks of Oracle Corporation. OpenHuizeBox is not affiliated with or endorsed by Oracle.