Latest commit a0d987f (Sep 12, 2019) by beauwoods: Fix broken link for Simple Safe Harbor.

Step 1: Terms

Core terms

If you're starting a new program, use the core terms. They form a complete disclosure-policy template that already includes the safe harbor language.

Choose your region, choose your language, and go.

Note the core requirements for safe harbor:

  • Authorization against anti-hacking laws
  • Exemption from anti-circumvention laws
  • Exemption from violation of the TOS/AUP during security testing
  • Statement of support and agreement

The safe harbor language is intended to be followed as written, with minor modifications if any.

Additional terms

In each template we've also provided boilerplate examples for the additional sections:

  • Scope (Required) – A complete list of "In-Scope" properties for which the organization explicitly allows and encourages good-faith security research.
  • Out-of-Scope (Optional) – A non-exhaustive list of systems and security testing activities that the organization strongly wishes to discourage testing against.
  • Rewards (Optional) – Information on whether the program offers compensation for valid, unique issues, as well as the type and parameters of that compensation.
  • Official Communication Channels (Required) – A full list of the communication methods the organization makes available to receive and discuss vulnerability submissions.
  • Disclosure Policy (Required) – A clear policy outlining the conditions under which a researcher can disclose the details of a reported issue to third parties.

Simple Safe Harbor

If you already have a disclosure program, the Simple Safe Harbor terms may suffice. These terms were written to be even more generic and simple to understand than the core terms, whilst still maximizing legal completeness.

Example disclosure types

  • Coordinated Disclosure: A researcher can share details of the vulnerability after a fix has been applied and the program owner has provided permission to disclose, OR after 90 days from submission, whichever is sooner.
  • Discretionary Disclosure: The researcher or the program owner can request mutual permission to share details of the vulnerability, and may do so only after approval is explicitly received.
  • Non-Disclosure: Researchers are required to keep vulnerability details and the existence of the program itself confidential.