Level 4 — Full Safe Harbor

Explicit testing authorisation and carve-outs from CFAA / DMCA / TOS.

Source: disclose/dioterms. License: CC0-1.0. Replace [bracketed] values with your own.

The meaningful legal leap. The organisation doesn’t just promise not to sue — it explicitly grants permission to test, and carves out exemptions from the specific laws that typically get researchers in trouble:

  • Anti-hacking laws (CFAA, CMA, or equivalent)
  • Anti-circumvention laws (DMCA, or equivalent)
  • The organisation’s own Terms of Service / AUP

Scope, compensation, communication channels, and disclosure process are all clearly defined. A researcher can point to this policy as a legal defence. This is the gold standard for researcher protection.

What observers see

  • Policy explicitly authorises security research conducted under the terms as “lawful” and “not an infringement”
  • Specific waivers for CFAA / CMA / anti-hacking law applicability
  • Specific waivers for DMCA / anti-circumvention law applicability
  • Explicit TOS/AUP carve-out for security research activity
  • Clear scope definition, clear communication channels, clear expectations on both sides
  • Often includes third-party-threat language (“if legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known…”)

Researcher protection

Full — for testing. A researcher operating within scope, via the official channels, in good faith, has explicit written authorisation and can point to the policy as a defence in any challenge.

What’s still missing at Level 4: public accountability on disclosure timing. The organisation has invited research, but hasn’t committed to a public coordinated-disclosure timeline.

Path to Level 5

Add a proactive, public coordinated-disclosure timeline (typically 90 days) with a defined process for extensions. See practices/coordinated-disclosure.md for implementation guidance.