docs/programs/safe-harbor-faq.md
4 additions & 4 deletions
@@ -3,9 +3,9 @@ title: "Safe Harbor FAQ"
3
3
path: "/programs/safe-harbor-faq.html"
4
4
id: "programs/safe-harbor-faq"
5
5
---
6
-
Good faith security research empowers us all to build a safer internet, and those who ethically disclose the vulnerabilities they find and the organizations that responsibly act upon their research should do so without threat of legal action or regulatory sanction.
6
+
Good Faith security research empowers us all to build a safer internet, and those who ethically disclose the vulnerabilities they find and the organizations that responsibly act upon their research should do so without threat of legal action or regulatory sanction.
7
7
8
-
Unfortunately, many existing anti-hacking laws are outdated and overly broad, raising the possibility that even good faith security researchers engaging in ethical vulnerability disclosure could face legal liability. Further, uncertainty exists about what exactly constitutes a reportable “data breach” under some privacy laws.
8
+
Unfortunately, many existing anti-hacking laws are outdated and overly broad, raising the possibility that even Good Faith Security Researchers engaging in ethical vulnerability disclosure could face legal liability. Further, uncertainty exists about what exactly constitutes a reportable “data breach” under some privacy laws.
9
9
10
10
This lack of clarity in the law makes it essential that any organization engaging the hacker community makes a clear, unambiguous statement that it considers Good Faith Security Research (see definition below) to be authorized activity that is protected from legal action by them. A comprehensive statement authorizing Good Faith Security Research may also help differentiate independent validation from data breach under many privacy laws. This type of statement is often referred to as “safe harbor.”
11
11
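Review bot: the capitalization is still inconsistent within this hunk. The first changed line now reads "Good Faith security research" while the second changed line reads "Good Faith Security Researchers" and the unchanged line below uses the defined term "Good Faith Security Research (see definition below)". If the intent is to treat it as a defined term throughout the document, the first line should read "Good Faith Security Research empowers us all to build a safer internet, ...".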
@@ -19,7 +19,7 @@ A “safe harbor” is a provision that offers protection from liability in cert
19
19
20
20
HackerOne considers Good Faith Security Research to be accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services. Those engaged in Good Faith Security Research are sometimes called “bona fide” security researchers or “white hat” or “ethical” hackers.
21
21
22
-
Security research not conducted in good faith is not covered by safe harbor. For example, research conducted for the purpose of extortion is not in good faith. To the extent possible, hackers should seek to clarify the status of conduct that is borderline or they think may be inconsistent with good faith security research before engaging in such conduct. If there is a disagreement over whether or not given research is in good faith, organizations and hackers should look to common security research good practices and can also consult an advisor with deep expertise in security research and vulnerability disclosure for additional perspective.
22
+
Security research not conducted in good faith is not covered by safe harbor. For example, research conducted for the purpose of extortion is not in good faith. To the extent possible, hackers should seek to clarify the status of conduct that is borderline or they think may be inconsistent with Good Faith Security Research before engaging in such conduct. If there is a disagreement over whether or not given research is in good faith, organizations and hackers should look to common security research good practices and can also consult an advisor with deep expertise in security research and vulnerability disclosure for additional perspective.
23
23
24
24
As of October 25, 2022, the GSSH, including the concept of Good Faith Security Research, is aligned with recent legal and regulatory developments and current best practices represented by (among others):
25
25
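Review bot: the opening sentence of the changed line, "Security research not conducted in good faith is not covered by safe harbor", keeps the lowercase phrase right next to the capitalized defined term, which can read as two different standards. Since the definition sits in the line immediately above, consider tying it to the term directly, e.g. "Security research that does not meet the definition of Good Faith Security Research is not covered by safe harbor."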
@@ -47,7 +47,7 @@ Yes! In addition to the general benefits from creating a more solid foundation f
47
47
48
48
First, safe harbor should apply by default to all Good Faith Security Research ethically disclosed to an organization. Tying safe harbor to acceptance of certain terms or policies (often at the time of vulnerability submission) can lead to uncertainty about the status of Good Faith Security Research undertaken prior to the submission of a vulnerability report. Influenced by guidance from the U.S. Department of Justice and other regulators, multinational organizations, and industry partners, a leading-edge safe harbor statement should unambiguously protect Good Faith Security Research, whenever such conditions are met.
49
49
50
-
Second, whether or not a particular action is inconsistent with Good Faith Security Research should not be unilaterally determined by an organization. Good faith security research is a standard that should be applied as consistently as possible, and a hacker or an organization’s initial instinct about a particular action may not accurately reflect the standard. Organizations and hackers should seek to mutually agree on whether a particular action constitutes Good Faith Security Research. If the two parties are unable to agree, they should look to best practices.
50
+
Second, whether or not a particular action is inconsistent with Good Faith Security Research should not be unilaterally determined by an organization. Good Faith Security Research is a standard that should be applied as consistently as possible, and a hacker or an organization’s initial instinct about a particular action may not accurately reflect the standard. Organizations and hackers should seek to mutually agree on whether a particular action constitutes Good Faith Security Research. If the two parties are unable to agree, they should look to best practices.
51
51
52
52
Finally, safe harbor may not be removed retroactively. Once safe harbor applies to a particular instance of Good Faith Security Research, there should not be a threat that it might be removed if there is later a disagreement between the hacker and the organization. Obviously, this does not apply if there is clear evidence of bad faith activity--though, in that case, safe harbor would not have been applicable.
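Review bot: the leading context line of this hunk ends with "whenever such conditions are met", but no conditions are stated in that paragraph, so the antecedent is missing; either name the conditions (presumably the Good Faith Security Research definition) or drop the clause. The capitalization change itself is consistent with the rest of the diff. A minor point in the trailing context line: "bad faith activity--though" uses a double hyphen, which Markdown renders literally; a comma or a single spaced dash would read more cleanly.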