Safe Harbor Policy
Overview
BlancVPN provides safe harbor for security researchers who act in good faith and comply with our Bug Bounty Program policy. We believe in encouraging responsible security research and want researchers to feel confident that their good-faith efforts to help us improve security will be met with appreciation, not legal action.
Legal Safe Harbor
When conducting vulnerability research according to our Bug Bounty Program policy, we consider this research to be:
Authorized Conduct
Your research is authorized in view of any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of our policy.
Authorized Circumvention
Your research is authorized in view of relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls.
Exempt from Usage Restrictions
Your research is exempt from restrictions in our Acceptable Usage Policy that would interfere with conducting security research, and we waive those restrictions on a limited basis for the purposes of good-faith security research.
Lawful and Beneficial
We consider good-faith security research to be lawful, helpful to the overall security of the internet, and conducted with positive intent.
What You Can Expect From Us
When you work with us according to our Bug Bounty Program policy, you can expect us to:
Provide Safe Harbor
We will extend safe harbor for your vulnerability research as long as it's related to our policy and conducted in good faith.
Respond Promptly
We will acknowledge your report within 5 business days and work with you to understand and validate your findings.
Remediate Issues
We will work to remediate discovered vulnerabilities in a timely manner.
Recognize Contributions
We will recognize your contribution to improving our security (with your permission) if you are the first to report a unique vulnerability and your report triggers a code or configuration change.
Not Pursue Legal Action
We will not recommend or pursue legal action against you for actions related to your research, provided you comply with our policy.
Maintain Confidentiality
We will not disclose your identity or contact information without your explicit permission.
Protection Against Third-Party Legal Action
You are expected to comply with all applicable laws at all times. However, if legal action is initiated by a third party against you for security research conducted in accordance with our Bug Bounty Program policy, we will:
Take steps to make it known that your actions were conducted in compliance with our policy
Support your defense by providing documentation of our authorization
Work with you and, if appropriate, with the third party to resolve the matter
This protection applies only to research conducted in good faith and in full compliance with our Bug Bounty Program policy.
What We Expect From You
To maintain safe harbor protections, you must:
Follow Our Policy
Comply fully with all requirements in our Bug Bounty Program policy, including scope limitations, prohibited actions, and disclosure timelines.
Act in Good Faith
Conduct research with the genuine intent to improve BlancVPN's security, not to harm our systems, users, or business.
Avoid Harm
Do not access, modify, or delete data beyond what's necessary to demonstrate a vulnerability. Stop testing immediately upon discovering user data or a vulnerability.
Communicate Properly
Use only official channels to discuss vulnerabilities and respond to our communications in a timely manner.
Respect Confidentiality
Keep vulnerability details confidential until we've had time to remediate and have provided authorization for disclosure.
Be Honest
Provide accurate, complete information in your reports and don't misrepresent your findings or actions.
When Safe Harbor Does Not Apply
Safe harbor protections do NOT apply if you:
Test systems or use methods explicitly excluded from our Bug Bounty Program scope
Violate our Ground Rules or prohibited actions
Access, retain, or share user data beyond what's necessary for proof of concept
Publicly disclose vulnerabilities before authorization
Engage in extortion or threaten public disclosure for reward
Conduct research with malicious intent or to harm BlancVPN or its users
Violate applicable laws beyond the scope of authorized security research
Fail to cease testing upon discovery of user data or vulnerabilities
Misrepresent your actions or findings
Uncertainty and Questions
If at any time you have concerns or are uncertain whether your security research is consistent with this policy:
Stop and Ask First
Cease your research activities and contact us at [email protected] before proceeding further.
Seek Clarification
We're happy to answer questions about whether specific test methods or approaches are acceptable under our policy.
Better Safe Than Sorry
It's always better to ask for clarification than to proceed with research that might not be covered by safe harbor.
Scope of Safe Harbor
This safe harbor policy applies specifically to security research conducted under our Bug Bounty Program. It does not provide protection for:
Activities unrelated to security research
Malicious actions or attacks against BlancVPN systems
Violations of laws unrelated to authorized security research
Actions taken outside the scope of our Bug Bounty Program
Governing Terms
This Safe Harbor Policy is part of our Bug Bounty Program and should be read in conjunction with the main Bug Bounty Program policy. In case of any conflict between this document and the main policy, both should be interpreted together to provide maximum protection for good-faith security researchers.
Updates and Changes
We may update this Safe Harbor Policy from time to time. Continued participation in our Bug Bounty Program after changes constitutes acceptance of the updated policy.
We appreciate security researchers who help make BlancVPN safer for everyone. This safe harbor policy reflects our commitment to working collaboratively with the security community.