Safe Harbor Policy Guidance

Draft enforceable safe-harbor commitments covering researcher intent, legal protections, and escalation paths.

8 min read | Updated Nov 10, 2025 | Security & Compliance

Establishing safe-harbor language is the foundation of responsible disclosure. NidFul’s templates draw directly on NidFul's legal playbook while accounting for African regulatory nuance.

Core Commitments

Your policy should cover three pillars:

  1. Intent – “We consider vulnerability research conducted in good faith to be authorized.” Reference your jurisdiction’s cybercrime act for additional clarity.
  2. Scope – List in-scope systems, authentication requirements, and prohibited actions (e.g., data destruction, service disruption).
  3. Protection – Promise not to pursue legal action or law-enforcement referrals when the policy is followed.

Include a plain-language summary before the full legal text so researchers can quickly assess the guardrails.

Sample Clause

If you make a good-faith effort to comply with this policy, we will: (i) deem your research authorized, (ii) work with you to understand and remediate the issue quickly, and (iii) not initiate a complaint with law enforcement or pursue legal action related to your research.

Adapt the clause to match your country’s terminology (e.g., Kenya Computer Misuse and Cybercrimes Act, South Africa Cybercrimes Act).

Regional Considerations

  • Nigeria (NDPR) – Clarify how personal data should be handled and require encrypted submission of sensitive payloads.
  • South Africa (POPIA) – Emphasize confidentiality obligations and timelines for deleting researcher-provided personal data.
  • Francophone markets – Offer a French-language summary if you invite researchers from WAEMU countries.

Align with Regulators

Share your draft policy with sector regulators (e.g., NCC, ODPC, SARB) before launching. This mirrors NidFul's approach for highly regulated customers and builds trust early.

Escalation Path

  • Provide a dedicated legal contact (e.g., legal@nidful.com) alongside security channels.
  • Commit to acknowledging reports within 24 hours and to sharing remediation status within five business days.
  • Document the process for handling accidental data access, including how to return or delete evidence.

Publishing & Versioning

  • Host the policy on a stable URL (https://nidful.com/policy/vdp) and track revisions with semantic versioning (v1.3.0).
  • Announce updates via NidFul’s notification broadcasts so researchers know when scope or expectations change.
  • Store prior versions in your governance repository for audit purposes.
