clear language that testing within the policy is "authorized" 2. **CFAA/CMA reference** — explicit statement that the program considers compliant testing as authorized under relevant computer crime laws 3. **Third-party protection** — commitment to defend you if a third party (e.g., a hosting provid