Security Policy Safe Harbor

feedbackhax

As discussed on discord, Kagi is allowing ethical hackers to test their systems.
Apparently Kagi also offers bounties.

This should be formally written down.

The most important part IMO is that you make clear that ethical hacking is allowed.
This is typically called safe harbor.

I would say this is a good example:
https://docs.github.com/en/site-policy/security-policies/github-bug-bounty-program-legal-safe-harbor#1-safe-harbor-terms
But ofc you have to adapt it to your needs and talk with your lawyer, I assume.

This policy should then be linked in your security.txt (kagi.com/.well-known/security.txt.

Thanks 🙂

warpspin

They might want to specifically mention that resource attacks like DoS attacks are not in the scope of the safe harbour. It might not be a huge problem for github but will be for a smaller service like Kagi. Plus some idiot WILL claim DoS is OK otherwise ;-)

https://docs.tosdr.org/sp/Security-Vulnerability-Safe-Harbor.125926922.html is a good example for that.

David

Hi @feedbackhax, @warpspin. We have a pull request ready in our documentation repository adding the Bug Bounty Legal Safe Harbor page and a small section in the Security page talking about Kagi's Bug Bounty Program. We would appreciate any feedback to improve it.

https://github.com/kagisearch/kagi-docs/pull/249

CC: @Vlad

warpspin

I'm not a specialist in US law, but the rest looks good to me

feedbackhax

@Vlad the policy is not yet linked in the security.txt