Level 3 — Partial Safe Harbor

A commitment not to pursue legal action. Report safely; test uncertainly.

Source: disclose/dioterms
License: CC0-1.0
Replace [bracketed] values with your own.

The policy makes a promise not to pursue legal action against researchers acting in good faith. The key feature is promissory language, such as “we will not pursue” or “we will not take legal action.” This is where researcher protection begins. However, it stops short of explicitly authorising testing: think of it as “you’re safe to report” rather than “you’re safe to test.” The protection is real but incomplete.

What observers see

  • Policy language that commits the organisation to non-pursuit for good-faith research
  • Often phrased as “we will not initiate legal action” or “we waive claims against”
  • Scope of the promise is sometimes narrow — only reports through the official channel, only current policy adherents, etc.
  • Testing itself is NOT explicitly authorised

Researcher protection

Partial. If a researcher reports responsibly and the organisation honours its word, the researcher is protected from legal action by this organisation. But:

  • Third parties (platforms, law enforcement) are not bound
  • Anti-circumvention laws (DMCA) still apply
  • TOS/AUP violations remain open for action
  • The protection often requires the researcher to already have adhered to the policy — a chicken-and-egg problem if testing itself is the question

Path to Level 4

Upgrade the Safe Harbor section to explicitly authorise security testing, and carve out specific exemptions from anti-hacking laws (CFAA, CMA), anti-circumvention laws (DMCA), and the organisation’s own TOS/AUP. See terms/core-vdp.md Safe Harbor section for canonical language.