This section gives details about what a researcher should specifically never do when finding vulnerabilities in the program. It is a notification paragraph, stating that while the disclosure of vulnerabilities is highly appreciated, there are certain things that the researchers should not do, such as:

• Disclose any vulnerabilities or suspected vulnerabilities discovered to any other person
• Disclose the contents of any submission to the program
• Access private information of any person stored on a program's product
• Access sensitive information
• Perform actions that may negatively affect the program's users
• Conduct any kind of physical attack on the organization's personnel, property, or data centers
• Socially engineer any employee or contractor
• Conduct vulnerability testing of participating services using anything other than test accounts
• Violate any laws or breach any agreements in order to discover vulnerabilities