Safe Harbor Policy

  1. The purpose of this Safe Harbor Policy is to create a process that enables security research into our systems while preserving a regularized method of compensating security researchers for their efforts to improve our systems.
  2. We want you to responsibly disclose through our Vulnerability Disclosure Program, and don’t want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.
  3. Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties, as further described below. 
  4. If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.

 

1. Safe Harbor Terms

 
We consider vulnerability research conducted according to this policy to be:

  1. Exempt as authorized under any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
  2. Exempt as authorized under any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
  3. Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; Except:
    1. Where the use of services puts an excessive burden on the bandwidth of our services or compromises their performance;
  4. Lawful, helpful to the overall security of the internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

 

2. Third Party Safe Harbor

 
If you submit a report through our bug bounty program which affects a third party service, we will limit what we share with any affected third party. We may share non-identifying content from your report with an affected third party, but only after notifying you that we intend to do so and getting the third party’s written commitment that they will not pursue legal action against you or initiate contact with law enforcement based on your report.

 

Please note that we cannot authorize out-of-scope testing in the name of third parties, and such testing is beyond the scope of our policy. Refer to that third party’s bug bounty policy, if they have one, or contact the third party either directly or through a legal representative before initiating any testing on that third party’s systems or services. This is not, and should not be understood as, any agreement on our part to defend, indemnify, or otherwise protect you from any third party claim based on your actions.

 

That said, if legal action is initiated by a third party, including law enforcement, against you because of your participation in this bug bounty program, and you have complied with this Safe Harbor Policy and have not acted in bad faith, upon your written request, we will inform the third party that your actions were conducted in compliance with this Safe Harbor Policy.

 

3. Limited Waiver of Other Site Policies

 
If at any time you have concerns or are uncertain whether your security research is consistent with this Safe Harbor Policy, please submit a report in advance as set forth in the security text file located here.

 

Note that the Safe Harbor applies only to legal claims under our control; it does not bind independent third parties.