Skip to content

Latest commit

 

History

History
 
 

terms

Folders and files

NameName
Last commit message
Last commit date

parent directory

..

core-terms-CANADA

core-terms-CANADA

 
 

core-terms-GLOBAL

core-terms-GLOBAL

 
 

core-terms-USA-ELECTIONS

core-terms-USA-ELECTIONS

 
 

core-terms-USA

core-terms-USA

 
 

simple-safe-harbor

simple-safe-harbor

 
 

README.md

README.md

 
 

README.md

Step 1: Terms

Core terms

If you're starting a new program, use the core-terms. These are a full disclosure template including safe harbor.

Choose your region, choose your language, and go.

Note the core requirements for safe harbor:

  • Authorization against anti-hacking laws
  • Exemption from anti-circumvention laws
  • Exemption from violation of the TOS/AUP during security testing
  • Statement of support and agreement.

The intention of the safe harbor language is for it to be followed specifically, with minor, if any, modifications.

Additional terms

In each template we've also provided boilerplate examples for the additional section. 


  • Scope (Required) – A complete list of "In-Scope" properties for which the organization is explicitly allowing and encouraging good-faith security research, and optionally:
  • Out-of-Scope (Optional) - A non-exhaustive list of systems and security testing activities that the organization strongly wishes to discourage testing against, and
  • Rewards (Optional) – Information on whether or not the program offers payment for valid, unique issues, as well as the type and parameters of that compensation.
  • Official Communication Channels (Required) – A full list of the communication methods that are made available by the organization to receive and communicate about vulnerability submissions.
  • Disclosure Policy (Required) – A clear policy outlining the conditions under which a researcher can disclose the details of a reported issue to third parties.

Simple Safe Harbor

If you already have a disclosure program, the Simple Safe Harbor terms may suffice. These terms were written to be even more generic and simple to understand than the core terms, whilst still maxmizing legal completeness.

Example disclosure types

  • Coordinated Disclosure: A researcher can share details of the vulnerability after a fix has been applied and the program owner has provided permission to disclose, OR after 90 days from submission, whichever is sooner;
  • Discretionary Disclosure: The researcher or the program owner can request mutual permission to share details of the vulnerability after approval is explicitly received; or
  • Non-Disclosure: Researchers are required to keep vulnerability details and the existence of the program itself confidential.