Update safe-harbor-faq.md · sit0ra/docs.hackerone.com@049c31e · GitHub


Commit 049c31e

Update safe-harbor-faq.md
1 parent 9f1b0c1 commit 049c31e

1 file changed: +3 -3 lines changed


docs/programs/safe-harbor-faq.md

Lines changed: 3 additions & 3 deletions
@@ -19,7 +19,7 @@ A “safe harbor” is a provision that offers protection from liability in cert
1919

2020
HackerOne considers Good Faith Security Research to be accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services. Those engaged in Good Faith Security Research are sometimes called “bona fide” security researchers or “white hat” or “ethical” hackers.
2121

22-
Security research not conducted in good faith is not covered by safe harbor. For example, research conducted for the purpose of extortion is not in good faith. To the extent possible, hackers should seek to clarify the status of conduct that is borderline or they think may be inconsistent with Good Faith Security Research or unaddressed in the program's policy before engaging in such conduct. If there is a disagreement over whether or not given research is in good faith, organizations and hackers should look to common security research good practices and can also consult an advisor with deep expertise in security research and vulnerability disclosure for additional perspective.
22+
Security research not conducted in good faith is not covered by safe harbor. For example, research conducted for the purpose of extortion is not in good faith. To the extent possible, hackers should seek to clarify the status of conduct that is borderline or they think may be inconsistent with Good Faith Security Research or unaddressed in the program's policy before engaging in such conduct. If there is a disagreement over whether or not given research is in good faith, organizations and hackers should look to common security research best practices.
2323

2424
As of October 25, 2022, the GSSH, including the concept of Good Faith Security Research, is aligned with recent legal and regulatory developments and current best practices represented by (among others):
2525
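Review bot: the new line 22 drops the only escalation route the old text offered for a good-faith dispute (consulting an advisor with deep expertise in security research and vulnerability disclosure) and leaves "common security research best practices" with nothing to point at. If the intent is to defer to the documents listed under "As of October 25, 2022, the GSSH ... is aligned with ... represented by (among others):" on line 24, say so explicitly, e.g. "look to the best practices referenced below", so a hacker or program in a dispute knows which references count; otherwise consider keeping the advisor sentence.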

@@ -37,7 +37,7 @@ Safe harbor is a baseline requirement to engage with hackers in good faith. Outd
3737

3838
A short, broad, easily-understood safe harbor statement provides ethical hackers with assurance and a binding commitment that they will not face legal risk merely for making valuable contributions to an organization’s security.
3939

40-
Safe harbor is recommended by the U.S. Department of Justice in the [Framework for a Vulnerability Disclosure Program for Online Systems](https://www.justice.gov/criminal-ccips/page/file/983996/download) and the Cybersecurity and Infrastructure Security Agency (CISA) in the [Vulnerability Disclosure Policy Template](https://www.cisa.gov/vulnerability-disclosure-policy-template) for U.S. government agencies, championed by legal and infosec experts industry-wide in projects like the []#legalbugbounty standardization project](https://amitelazari.com/%23legalbugbounty-hof/f/legalbugbounty-standardization-project---adopt-a-safe-harbor) and [disclose.io](https://disclose.io/), and already provided by all top-tier security programs and generally most organizations running a vulnerability disclosure program. Examples of top-tier security programs across a variety of industries providing safe harbor include the [UK Ministry of Defence](https://www.gov.uk/guidance/report-a-vulnerability-on-an-mod-system), [General Motors](https://hackerone.com/gm?type=team), [Dropbox](https://hackerone.com/dropbox?type=team), [John Deere](https://hackerone.com/john-deere?type=team), and the [United States Postal Service](https://hackerone.com/usps?type=team).
40+
Safe harbor is recommended by the U.S. Department of Justice in the [Framework for a Vulnerability Disclosure Program for Online Systems](https://www.justice.gov/criminal-ccips/page/file/983996/download) and the Cybersecurity and Infrastructure Security Agency (CISA) in the [Vulnerability Disclosure Policy Template](https://www.cisa.gov/vulnerability-disclosure-policy-template) for U.S. government agencies, championed by legal and infosec experts industry-wide in projects like the []#legalbugbounty standardization project](https://amitelazari.com/%23legalbugbounty-hof/f/legalbugbounty-standardization-project---adopt-a-safe-harbor) and [disclose.io](https://disclose.io/), and already provided by all top-tier security programs and generally most organizations running a vulnerability disclosure program. Examples of top-tier security programs across a variety of industries providing safe harbor include the [UK Ministry of Defence](https://www.gov.uk/guidance/report-a-vulnerability-on-an-mod-system), [General Motors](https://hackerone.com/gm?type=team), [John Deere](https://hackerone.com/john-deere?type=team), and the [United States Postal Service](https://hackerone.com/usps?type=team).
4141

4242
**Does safe harbor help protect organizations?**
4343
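Review bot: the link `[]#legalbugbounty standardization project](https://amitelazari.com/%23legalbugbounty-hof/f/legalbugbounty-standardization-project---adopt-a-safe-harbor)` on line 40 has a stray `[]` before the link text in both the removed and the added version, so it will not render as a link; since this line is being rewritten anyway, fix it to `[#legalbugbounty standardization project](...)`. Separately, the only substantive change in this hunk is dropping Dropbox from the list of example programs, and the commit message "Update safe-harbor-faq.md" gives no reason; a one-line note on why the example was removed would help future editors of this list.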

@@ -57,7 +57,7 @@ Safe harbor is a baseline requirement to engage in good faith with the security
5757

5858
**Is the adoption of the Gold Standard Safe Harbor statement a big change?**
5959

60-
No. While the updated language reflects new guidance from regulators and industry experts on safe harbor and represents a renewed push to further standardize safe harbor for vulnerability disclosure programs, we believe that many programs already align with the updated gold standard. New programs will eventually default to HackerOne's Gold Standard Safe Harbor statement. Further, programs that appear to have outdated safe harbor statements will want to transition to the gold standard statement to ensure their safe harbor statement fulfills their intention.
60+
No. The updated language reflects new guidance from regulators and industry experts on Good Faith Security Research. It represents a renewed push to further standardize safe harbor for vulnerability disclosure programs, but we also believe that many programs' practices already align with the intention of the Gold Standard Safe Harbor.
6161

6262
**What if we don’t want to adopt the Gold Standard Safe Harbor statement?**
6363
