On May 19, 2022, the U.S. Department of Justice directed prosecutors to not charge security researchers who report cybersecurity vulnerabilities in “good faith” with violations of the federal Computer Fraud and Abuse Act (CFAA).
The DOJ’s press release titled Department of Justice Announces New Policy for Charging Cases under the Computer Fraud and Abuse Act specifically states:
The policy for the first time directs that good-faith security research should not be charged. Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.
“Computer security research is a key driver of improved cybersecurity,” said Deputy Attorney General Lisa O. Monaco. “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”
For those using “but I’m a security researcher” as a pretext for extortion, however, this is not a free pass:
However, the new policy acknowledges that claiming to be conducting security research is not a free pass for those acting in bad faith. For example, discovering vulnerabilities in devices in order to extort their owners, even if claimed as “research,” is not in good faith. The policy advises prosecutors to consult with the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) about specific applications of this factor.
have written about the CFAA on this blog for many years and I think this is a positive development but the devil always lies in the details and that comes down to how to do you establish that you’re really acting in good faith doing research. The other issue security researchers still need to be concerned with is that most states have state law companions to the CFAA that, many times, can be more expansive than the CFAA. For an example of how the CFAA and Texas Breach of Computer Security / Harmful Access to Computers Act compare, see Guide to Computer Hacking Laws in Texas: Federal Computer Fraud and Abuse Act and Texas Computer Crimes Laws.