‘Short, broad, easily-understood safe harbor statement’ offered

Bug bounty platform HackerOne has overhauled its policy guidelines to enhance legal protections for ethical hackers acting in good faith

HackerOne has revamped its policy guidelines to offer better protection from legal problems for ethical hackers acting in good faith.

The Gold Standard Safe Harbor (GSSH), which customers who run bug bounty programs through HackerOne are asked to agree to, offers a “short, broad, easily-understood safe harbor statement that’s simple for customers to adopt”.

Both vulnerability disclosure programs and bug bounty programs routinely include safe harbor agreements that set out the legal protections hackers can expect. The wording of these agreements varies from program to program, so by asking its customers to adopt a single standard statement, HackerOne aims to reduce the bureaucratic overhead for ethical hackers.

‘Reduces the burden’

“While many programs already include safe harbor in their policies, the GSSH is a short, broad, easily-understood safe harbor statement that’s simple for customers to adopt,” according to the crowdsourced security platform. “This standardization also reduces the burden on hackers for parsing numerous different program statements.”

Gold Standard Safe Harbor launched on Wednesday, November 16. Organizations committing to the GSSH will replace their existing safe harbor statement with the GSSH on their program page, which will be marked with a digital badge. Hackers will be able to filter searches for programs based on participation in the GSSH scheme.

KAYAK, GitLab Inc, and Yahoo are among the first customers to opt for the GSSH’s standardized language. The GSSH is available for adoption by HackerOne customers worldwide even though its language most closely aligns with recent US government cybersecurity policy updates, The Daily Swig understands.

Preliminary findings from HackerOne’s upcoming Hacker Report appear to vindicate efforts to strengthen legal safeguards for hackers.

The report will reveal that more than half of hackers have, at some point, not reported a vulnerability they discovered. Of those, 12% attributed their decision not to disclose to threatening legal language used by the organization whose code contained the bug, and another one in five (20%) said they declined to report the flaw because the organization had previously been difficult to work with.

The Gold Standard Safe Harbor aims to protect ethical hackers from such legal threats and liabilities, provided that they themselves act within the program’s rules.

Such safeguards are needed even though understanding of and appreciation for the work of ethical hackers is growing in both business and government.

For example, the US Department of Justice recently revised its policy on charging cases under the Computer Fraud and Abuse Act (CFAA) so that good-faith security research is not prosecuted.
