Step 1: Terms
If you're starting a new program, use the core-terms. These are a full disclosure template including safe harbor.
Choose your region, choose your language, and go.
Note the core requirements for safe harbor:
- Authorization against anti-hacking laws
- Exemption from anti-circumvention laws
- Exemption from violation of the TOS/AUP during security testing
- Statement of support and agreement.
The intention of the safe harbor language is for it to be followed specifically, with minor if any modifications.
In each template we've also provided boilerplate examples for the additional section.
- Scope (Required) – A complete list of "In-Scope" properties for which the organizational is explicitly allowing and encouraging good-faith security research, and optionally:
- Out-of-Scope (Optional) - A non-exhaustive list of systems and security testing activities that the organization strongly wishes to discourage testing against, and
- Rewards (Optional) – Information on whether or not compensation the program offers payment for valid, unique issues, as well as the type and parameters of that compensation.
- Official Communication Channels (Required) – A full list of the communication methods that are made available by the organization to receive and communicate about vulnerability submissions.
- Disclosure Policy (Required) – A clear policy outlining the conditions under which a researcher can disclose the details of a reported issue to third parties.
Simple Safe Harbor
If you already have a disclosure program, the Simple Safe Harbor terms may suffice. These terms were written to be even more generic a simple to understand than the core terms, whilst still maxmizing legal completeness.
Example disclosure types
- Coordinated Disclosure: A researcher can share details of the vulnerability after a fix has been applied and the program owner has provided permission to disclose, OR after 90 days from submission, whichever is sooner,
- Discretionary Disclosure: The researcher or the program owner can request mutual permission to share details of the vulnerability after approval is explicitly received, or
- Non-Disclosure: Researchers are required to keep vulnerability details and the existence of the program itself confidential.