$ USD
Pre-Purchase Checklist: Red Flags, License Terms, and Per…
If you buy the wrong FiveM script, you won’t just waste money—you’ll inherit downtime, chargebacks, FPS complaints, and a support burden. Use this page as your pre-purchase gate: audit the vendor, decode the license, predict performance, and compare refund/update terms before you spend a cent.
Related reading (open in new tabs):
- How to Evaluate, Test, and Maintain FiveM Scripts — pillar process for sandboxing, CI, and long-term upkeep: https://fivemx.com/maintain-fivem-scripts/
- FiveM Asset Escrow: Limits, Myths, and Workarounds — what you can/can’t do when code is locked: https://fivemx.com/fivem-asset-escrow/
TL;DR — Quick Pre-Purchase Checklist
Vendor & Reputation
- Legal entity listed (name, country, registration or VAT).
- Active support (Discord/ticket/email) with response time < 24h.
- Public changelog; last update < 60 days.
- No unresolved scam/leak threads tied to the seller.
License & Policy
- Commercial use and multi-admin use allowed on your server.
- Refund window (≥ 7 days) with objective criteria.
- Update policy (lifetime or clear major/minor rules).
- FiveM Asset Escrow terms documented; performance-critical parts editable.
- No hidden telemetry / remote code execution without signatures.
Performance & Compatibility
- Resmon avg < 0.10 ms, p99 < 0.50 ms under expected load.
- No DB N+1; key queries indexed; timeouts handled.
- Framework support stated (ESX/QBCore/QBOX) and artifact/version range.
- No heavy global event handlers, no tight
while trueloops.
1) Vendor Due Diligence (Red Flags vs. Green Flags)
Green flags
- Registered business, VAT/Tax ID, country visible on storefront.
- Public changelog and issue tracker; frequent small updates > rare big ones.
- Clear product boundaries (compatible frameworks, server build tested).
- Support SLAs: first response <24h, bugfix ETA policy, security patch policy.
Red flags
- New store, no identity, only DMs for support.
- “No refunds ever” + no demo and no test server.
- “Lifetime updates” claim but no changelog or recent commit history.
- Reputation tied to leaks, bans, or mass DMCA disputes.
By the way: If a script is open source, it’s mostly high quality.
Vendor Audit Template (copy/paste)
| Field | Value |
|---|---|
| Vendor name | |
| Storefront URL | |
| Discord/Support URL | |
| Legal entity / Reg No. / VAT | |
| Country | |
| Age of store (months) | |
| Average response time | |
| Update cadence (days) | |
| Public changelog URL | |
| Price / Payment methods | |
| Dependencies (ESX/QBCore/etc.) | |
| Server build tested | |
| Refund policy summary | |
| Warranty / SLA | |
| Risk notes |
JSON schema (drop into your tracker):
{
"vendorName": "",
"storeUrl": "",
"support": { "discord": "", "email": "", "slaHours": 24 },
"legal": { "entity": "", "regNo": "", "taxId": "", "country": "" },
"reputation": { "disputesOpen": 0, "notes": "" },
"changelogUrl": "",
"updateCadenceDays": 30,
"product": {
"priceEUR": 0,
"dependencies": ["ESX", "ox_lib"],
"artifactTested": ">= 6148",
"frameworks": ["ESX", "QBCore"]
},
"policies": {
"refund": { "windowDays": 7, "conditions": ["not as described", "critical bug"] },
"updates": "lifetime",
"escrow": { "enabled": true, "editableFiles": ["config.lua"] }
},
"riskScore": 0,
"notes": ""
}
2) License Clause Cheat-Sheet (Decode Before You Buy)
| Clause | What good looks like | Red flags |
|---|---|---|
| Scope of Use | Commercial use on buyer-owned servers; unlimited players | “Personal use only,” per-IP lock, vague “non-commercial” |
| Seats/Instances | Per server/org with offline mode if DRM | Per-CPU/machine DRM, breaks on host migration |
| Modifications | Config edits allowed; source edits where escrow isn’t required | “No edits at all; edits void support” |
| Asset Escrow | Clear list of unencrypted files; performance-critical parts editable; fallback path | Everything locked; remote checks; no method to tune performance — see Asset Escrow |
| Updates | Lifetime or versioned policy spelled out (e.g., v1.x free) | “At-will” paid updates; no security patch commitment |
| Refunds | ≥ 7-day window; objective criteria; process documented | Blanket “no refunds,” no demo/test server |
| Telemetry | Opt-in, purposes & data categories listed, toggle in config | Hidden telemetry, device fingerprinting, outbound on start |
| Liability/Warranty | Bug/security warranty period; best-effort SLA | Full disclaimer, terminate anytime, no recourse |
| Termination | Notice + cure period | Immediate termination at sole discretion |
Tip: If escrow is used, confirm which Lua/NUI files remain editable (configs, translations, performance-critical loops) and whether the vendor provides profiling advice. If not, add points to the risk score.
3) Refund & Updates Policy — Comparison Worksheet
What to capture
- Refund window & conditions: objective testability (“not as described”, reproducible critical bug).
- Update policy: lifetime vs. major vs. minor; paid upgrades; security patches guaranteed.
- Transferability: can you transfer the license if you sell the server?
- Auto-updates: delivery mechanism and rollback plan.
| Vendor | Refund window | Conditions | Request method | Update policy | Paid upgrades? | Security patch policy | Transfers allowed? | Notes |
|---|---|---|---|---|---|---|---|---|
4) Performance Risk Model (Decide Before You Commit)
Acceptance targets
- Server CPU (resmon avg): < 0.10 ms idle & typical use; p99 < 0.50 ms under burst.
- Client FPS delta: baseline vs. with resource ≥ −5 FPS on mid-tier GPU.
- DB discipline: no N+1; indexing on foreign keys; timeouts handled.
- NUI: input→paint < 100 ms; no blocking
fetchloops. - Tick safety: no heavy work on global events; avoid
while true dobusy-waits; use timers.
Evidence to request from vendor
- Short resmon video/screens under scripted scenarios (idle, 8 players doing the core action).
- Explain/Analyze for heaviest queries; show index plan.
- NUI performance capture (DevTools Performance panel).
- Config toggles that lower draw calls or network spam.
5) Security & Compliance (Don’t Import a Backdoor)
Require:
- No remote code execution /
loadstringfrom HTTP without signature verification. - No hidden analytics or device fingerprinting (opt-in only, clear data categories).
- Clear handling for keys/activation in offline mode.
- No credential collection; no Discord token harvesting; no “anti-leak” that acts like malware.
Red flags: binary blobs with network calls, obfuscated HTTP endpoints, “phone-home” on start, or “anti-leak” that bans staff/admin IPs.
6) Price & ROI (Total Cost of Ownership)
TCO formula (rough):TCO = Price + (Paid updates over 12 months) + (Dependency licenses) + (Staff time to integrate & tune) + (Expected downtime cost)
If TCO > alternative’s TCO by 30% with equal features/perf, don’t buy.
7) Decision Framework (Pass/Fail + Risk Score)
Hard fails (auto-reject)
- No refund window and no demo/test server.
- Hidden telemetry or remote code without signatures.
- Last update > 6 months ago for mission-critical resources.
Risk score (0–100, lower is better)
Score each axis 0–20, sum:
- Vendor & Reputation
- License & Policies
- Performance & DB discipline
- Security posture
- Compatibility & Maintenance
Go/No-Go rule: Only buy if score ≤ 40 and no hard fails.
8) Print-Ready Checklists & Worksheets
You can work directly from the tables above, or download the structured workbook (multiple sheets: Checklist, Vendor Audit, License Clauses, Refund_Updates, Performance Risks):
Use it to compare vendors side-by-side and keep evidence links (screenshots, test clips).
9) How to Validate Claims After Purchase
- Follow the end-to-end testing flow in How to Evaluate, Test, and Maintain FiveM Scripts — spin up a Test City sandbox, capture baseline vs. resource metrics, and keep a changelog.
- If escrow blocks reasonable tuning, revisit your risk score and see FiveM Asset Escrow for safe workarounds.
Appendix A — Copy/Paste “Pre-Purchase Checklist” (compact)
- [ ] Vendor identity verified (legal name, country, VAT/reg no.) - [ ] Active support & SLA (<24h first response) - [ ] Public changelog; last update <60 days - [ ] Clear frameworks & artifact versions supported - [ ] License: commercial use allowed; instances clarified - [ ] License: modifications allowed (config + perf-critical areas) - [ ] Asset Escrow terms documented (editable files listed) - [ ] Refund window ≥7 days with objective criteria - [ ] Update policy defined (lifetime/major/minor), security patches guaranteed - [ ] No hidden telemetry; no remote code without signatures - [ ] Resmon avg <0.10 ms; p99 <0.50 ms - [ ] No DB N+1; indexes on FKs; timeouts handled - [ ] NUI input→paint <100 ms; no blocking loops - [ ] No heavy global handlers; no hot `while true` loops - [ ] TCO within 30% of best alternative
Appendix B — License Clause Review (fill-in)
| Clause | OK? | Notes | | --- | --- | --- | | Commercial use allowed | | | | Seats/instances clear | | | | Modifications allowed | | | | Asset Escrow scope clear | | | | Refund window & process | | | | Update policy & security patches | | | | Telemetry opt-in only | | | | Liability/Warranty stated | | | | Termination with cure period | | |
Ship it: Run the checklist, assign the risk score, and only proceed if it passes. If anything feels hand-wavy, it’s a no.
Bonus: Trusted Tebex Shops
