CRA Regulatory

Safe Harbour Clause

A safe harbour clause in a vulnerability disclosure policy is a written commitment by a manufacturer that it will not pursue legal action against security researchers who discover and report vulnerabilities in good faith, within defined scope and conduct parameters. The CRA's mandatory CVD policy requirement implicitly demands meaningful safe harbour protection.


What Is a Safe Harbour Clause?

A safe harbour clause (also called a legal safe harbour or good-faith protection clause) is a provision in a manufacturer's vulnerability disclosure policy that explicitly states the manufacturer will not take legal action against security researchers who discover and report vulnerabilities, provided they act within the stated scope and follow the policy's coordinated disclosure terms. Without such a clause, researchers risk legal exposure under laws such as the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (CFAA, US), or the national computer crime laws of EU member states (which implement Directive 2013/40/EU on attacks against information systems), even for research that is benign and that the manufacturer would have welcomed. The safe harbour removes this deterrent, encouraging researchers to report vulnerabilities to the manufacturer rather than publishing them or selling them on vulnerability markets.

CRA reference: Article 13(6)

Why Safe Harbour Matters for CRA Compliance

The CRA requires manufacturers to establish a coordinated vulnerability disclosure policy that actively enables security researchers and users to report vulnerabilities. A CVD policy that lacks a meaningful safe harbour clause is effectively hollow: researchers who cannot trust that they will not be prosecuted will not report, and the policy becomes a compliance formality rather than a functional security mechanism. ENISA's CVD Good Practice Guide, widely used as a reference for CVD practice in the EU, specifically recommends including a safe harbour statement in CVD policies. Market surveillance authorities assessing the quality of a CVD policy are likely to treat the absence of a safe harbour as a significant deficiency, since it suggests the policy is not genuinely intended to receive researcher reports.

CRA reference: Article 13(6), Recital 63

What a Good Safe Harbour Clause Covers

An effective safe harbour clause should clearly address:

  • Scope of protection: Which products and services are covered by the policy and therefore eligible for safe harbour protection.
  • Authorised conduct: What actions are considered good-faith research — typically access limited to what is necessary to confirm and document the vulnerability, with no exploitation beyond demonstration, no data exfiltration, no denial-of-service.
  • Non-retaliation commitment: An explicit statement that the manufacturer will not initiate civil or criminal legal proceedings against researchers who comply with the policy terms.
  • Coordination expectations: The researcher's obligations — private disclosure to the manufacturer, a defined coordination period before public disclosure.
  • Scope exclusions: Clear statement of what is out of scope (e.g., social engineering, physical attacks, third-party systems).

Limitations and Practical Considerations

Manufacturers should understand the boundaries of what a safe harbour clause can provide. A manufacturer's safe harbour applies to the manufacturer's own legal claims: it does not prevent third parties (such as customers whose data a researcher accessed, or operators of systems on which the product is deployed) from bringing claims, nor does it preclude prosecution by law enforcement if the researcher's conduct violates criminal law. Safe harbour clauses are therefore strongest when research is strictly non-destructive, minimally invasive, and limited to the manufacturer's own systems and products. Manufacturers should have their legal team review the safe harbour language to confirm it is enforceable under applicable national law, as enforceability varies across EU member states. The security.txt standard (RFC 9116) has no dedicated safe harbour field, but its Policy field links to the vulnerability disclosure policy as a whole; publishing the safe harbour as part of that policy makes it discoverable by researchers through security.txt.


Frequently asked questions

Is a safe harbour clause legally binding on the manufacturer?

A safe harbour clause creates a contractual-style commitment by the manufacturer not to pursue legal action against qualifying researchers. In most EU jurisdictions, a clearly written and published safe harbour policy creates a legitimate expectation that the manufacturer will honour it. However, whether it is enforceable as a strict legal contract varies by jurisdiction and by the specific drafting. Manufacturers should treat it as a firm commitment: reneging on a published safe harbour policy would severely damage researcher trust and may attract regulatory attention.

Can a safe harbour clause protect a researcher from criminal prosecution?

No. A manufacturer's safe harbour applies only to the manufacturer's own legal claims. It cannot prevent law enforcement from prosecuting a researcher under national computer crime law, even if the manufacturer has no objection to the research. In practice, good-faith research conducted in compliance with a published safe harbour policy significantly reduces the likelihood of prosecution, as prosecutors typically weigh the manufacturer's cooperation and the researcher's intentions. However, researchers should understand that legal protection is not absolute.

Where should a manufacturer publish its safe harbour clause?

The safe harbour should be part of the main vulnerability disclosure policy document, typically accessible from the manufacturer's security page. It should also be reachable from the security.txt file (RFC 9116, served at /.well-known/security.txt) through the Policy field, which points to the full policy document; security.txt has no separate safe harbour field, so the safe harbour is found via the policy link. For maximum discoverability, include a brief summary safe harbour statement on the security contact page itself, so researchers see it before engaging. The clause should be in plain language: legal boilerplate that is difficult to understand defeats its purpose.
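The two passages above (Limitations and Practical Considerations, and this answer) both rely on security.txt to make the policy, and with it the safe harbour, discoverable. The following checker is an added example written for this glossary entry; it is not code from the page or from CVD Portal. It parses a security.txt file according to the RFC 9116 line format and reports the problems that would stop a researcher finding the policy: a missing required Contact or Expires field, an Expires date already in the past (RFC 9116 requires Expires, and a stale file is a signal the policy is unmaintained), a missing Policy field, or a Policy URL that is not https. The two files it checks are constructed samples; the host example.com, the URLs in them and the fixed reference date are assumptions.

```python
"""Check that a security.txt (RFC 9116) makes a disclosure policy discoverable.

Added example for this glossary entry; it is not code from the page or
from CVD Portal. The two files below are constructed samples, and the
host example.com and the URLs in them are assumptions.
"""
from __future__ import annotations

from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample, as it would be served at
# https://example.com/.well-known/security.txt (hypothetical host).
SAMPLE_SECURITY_TXT = """\
# Vulnerability disclosure contact for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:59.000Z
Policy: https://example.com/security/disclosure-policy
Canonical: https://example.com/.well-known/security.txt
Preferred-Languages: en, de
"""

# Constructed counter-example: past its Expires date and with no Policy field,
# so the safe harbour (part of the policy) is not discoverable from it.
STALE_SECURITY_TXT = """\
Contact: mailto:security@example.com
Expires: 2024-01-01T00:00:00Z
"""

# Fixed reference date so the checks below are reproducible (assumption).
REFERENCE_NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Parse security.txt into {field-name-lowercased: [values]}.

    RFC 9116 lines are 'Field: value'; '#' starts a comment; field names are
    case-insensitive and a field may repeat (e.g. several Contact lines).
    A PGP clear-signed file is not unwrapped here.
    """
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed security.txt line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_policy_discoverable(text: str, now: datetime) -> list[str]:
    """Return the problems found; an empty list means the file is current,
    well-formed and advertises an https Policy URL for the CVD policy."""
    problems: list[str] = []
    fields = parse_security_txt(text)

    for required in ("contact", "expires"):
        if required not in fields:
            problems.append(f"missing required field {required!r}")

    expires = fields.get("expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires:
        try:
            # Python < 3.11 fromisoformat() does not accept a trailing 'Z'.
            when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {value!r}")
            continue
        if when <= now:
            problems.append("security.txt has expired; researchers may treat it as stale")

    policies = fields.get("policy", [])
    if not policies:
        problems.append("no Policy field: the disclosure policy (and its safe harbour) is not linked")
    for url in policies:
        if urlparse(url).scheme != "https":
            problems.append(f"Policy URL must use https: {url!r}")
    return problems


def check_sample() -> list[str]:
    """Problems in the well-formed constructed sample (expected: none)."""
    return check_policy_discoverable(SAMPLE_SECURITY_TXT, REFERENCE_NOW)


def check_stale_sample() -> list[str]:
    """Problems in the stale constructed sample (expected: expired, no Policy)."""
    return check_policy_discoverable(STALE_SECURITY_TXT, REFERENCE_NOW)


if __name__ == "__main__":
    for label, problems in (("sample", check_sample()), ("stale", check_stale_sample())):
        print(label, "OK" if not problems else problems)
```

Run it as a script to see the well-formed sample pass and the stale one fail on both counts. To check a live file, fetch /.well-known/security.txt from the manufacturer's domain and pass its text with datetime.now(timezone.utc) as the reference time; the checker deliberately does not fetch anything itself so that it runs offline.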
