Safe Harbor and severity based metric #3

Open
wants to merge 3 commits into
base: main
3 changes: 3 additions & 0 deletions bug-bounty/v1/Bug_bounty_metrics.md
Expand Up @@ -28,3 +28,6 @@ By charting and measuring specific vulnerability classifications, you gain signa
This information can then be provided to your product security and engineering teams to tackle common issues strategically and proactively.

Metrics version 1.0 copied from [Sectemplates.com](https://www.sectemplates.com)

## Volume based on severity
This helps determine the severity of submissions you are getting. As you mature your program, you can try different things to try and increase the P0/P1 submissions.
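Review bot: The new "## Volume based on severity" section lands after the attribution line "Metrics version 1.0 copied from [Sectemplates.com](https://www.sectemplates.com)", which reads as a closing footer for the metrics above, so the added section looks like part of the copied material rather than a new metric; move the section above the attribution or move the attribution to the end of the file. The severity labels "P0/P1" are not defined anywhere in the visible lines; add a one-line definition of the severity scale (or a link to it) so readers know what to count, and tighten "you can try different things to try and increase the P0/P1 submissions" to name the metric being charted, e.g. "track the number of submissions per severity level over time".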
22 changes: 22 additions & 0 deletions bug-bounty/v1/safe-harbor.md
@@ -0,0 +1,22 @@
# Safe Harbor Policy

## What is safe harbor?
A “safe harbor” is a provision that offers protection from liability in certain situations, usually when certain conditions are met. In the context of security research and vulnerability disclosure, it is a statement from an organization that hackers engaged in Good Faith Security Research and ethical disclosure are authorized to conduct such activity and will not be subject to legal action from that organization.

## Why do you need safe harbor?

There are instances where companies have taken legal actions against security researchers when they have reported vulnerabilities. Having a safe harbor policy in place assures researchers about your intent to work with them in good faith.

Bug bounty platforms will bring this up in your initial conversations as well.

## Sample Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be:

* Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
* Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
* Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
Lawful, helpful to the overall security of the Internet, and conducted in good faith.
* You are expected, as always, to comply with all applicable laws.
* If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via [email protected] before going any further.
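Review bot: The line "Lawful, helpful to the overall security of the Internet, and conducted in good faith." is missing its "* " bullet marker, so in rendered Markdown it merges into the preceding "and we waive those restrictions ... ; and" item instead of closing the list as the trailing "and" intends; add the marker. The last two bullets ("You are expected, as always, to comply with all applicable laws." and "If at any time you have concerns ...") are instructions to the researcher, not things "we consider this research to be", so they should be a separate paragraph after the list rather than further list items. The contact address "[email protected]" in the final bullet looks like an extraction artifact or obfuscated placeholder; replace it with an explicit template placeholder such as "[security contact email]" so adopters know to fill it in.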