Level 4 — Full Safe Harbor
Explicit testing authorisation and carve-outs from CFAA / DMCA / TOS.
This is the meaningful legal leap. The organisation doesn’t just promise not to sue — it explicitly grants permission to test, and carves out exemptions from the specific laws that typically get researchers in trouble:
- Anti-hacking laws (CFAA, CMA, or equivalent)
- Anti-circumvention laws (DMCA, or equivalent)
- The organisation’s own Terms of Service / AUP
Scope, compensation, communication channels, and disclosure process are all clearly defined. A researcher can point to this policy as a legal defence. This is the gold standard for researcher protection.
What observers see
- Policy explicitly authorises security research conducted under the terms as “lawful” and “not an infringement”
- Specific waivers for CFAA / CMA / anti-hacking law applicability
- Specific waivers for DMCA / anti-circumvention law applicability
- Explicit TOS/AUP carve-out for security research activity
- Clear scope definition, clear communication channels, clear expectations on both sides
- Often includes third-party-threat language (“if legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known…”)
Researcher protection
Full — for testing. A researcher operating within scope, via the official channels, in good faith, has explicit written authorisation and can point to the policy as a defence in any challenge.
What’s still missing at Level 4: public accountability on disclosure timing. The organisation has invited research, but hasn’t committed to a public coordinated-disclosure timeline.
Path to Level 5
Add a proactive, public coordinated-disclosure timeline (typically 90 days) with a defined process for extensions. See practices/coordinated-disclosure.md for implementation guidance.