Safe Harbor Terms

Good-Faith Protection

Participating organizations agree not to pursue legal action for good-faith research that complies with published scope, methods, and responsible disclosure requirements.

Conditions for Protection

Stay in scope

Testing must be limited to explicitly authorized assets and permitted methods.

Minimize harm

Researchers should avoid data destruction, service disruption, social engineering, and access beyond what is needed for verification.

Exclusions

Safe harbor does not apply to out-of-scope testing, malicious intent, extortion, privacy abuse, or any activity prohibited by applicable law.

Coordinated Communication

Use Harbor channels for all report communication and status updates so both parties can maintain a complete and auditable disclosure timeline.

Policy Changes

Programs may update scope and policy terms over time. Researchers are responsible for reviewing the latest terms before testing.