Level 3: Partial Safe Harbor

A commitment not to pursue legal action. Report safely; test uncertainly.

Source: disclose/dioterms License: CC0-1.0 Replace [bracketed] values with your own.

The policy makes a promise not to pursue legal action against researchers acting in good faith. The key word is promissory, language like “we will not pursue” or “we will not take legal action.” This is where researcher protection begins. However, it stops short of explicitly authorising testing, think of it as “you’re safe to report” rather than “you’re safe to test.” The protection is real but incomplete.

What observers see

  • Policy language that commits the organisation to non-pursuit for good-faith research
  • Often phrased as “we will not initiate legal action” or “we waive claims against”
  • Scope of the promise is sometimes narrow, only reports through the official channel, only current policy adherents, etc.
  • Testing itself is NOT explicitly authorised

Researcher protection

Partial. If a researcher reports responsibly and the organisation honors its word, the researcher is protected from action by this organisation. But:

  • Third parties (platforms, law enforcement) are not bound
  • Anti-circumvention laws (DMCA) still apply
  • TOS/AUP violations remain open for action
  • The protection often requires the researcher to already have adhered to the policy, a chicken-and-egg problem if testing itself is the question

Path to Level 4

Upgrade the Safe Harbor section to explicitly authorise security testing, and carve out specific exemptions from anti-hacking laws (CFAA, CMA), anti-circumvention laws (DMCA), and the organisation’s own TOS/AUP. See terms/core-vdp.md Safe Harbor section for canonical language.