The Department of Justice does not want security researchers to face federal charges when they expose security flaws. The department has revised its policy to state that researchers, ethical hackers and other well-meaning individuals will not be charged under the Computer Fraud and Abuse Act for investigating, testing or resolving vulnerabilities in good faith. You’re safe as long as you don’t hurt others and use the knowledge to reinforce a product’s safety, the DOJ said.
The government made it clear that bad actors could not use research as a “free ticket”. They will still face problems if they use newly discovered vulnerabilities for extortion or other malicious purposes, no matter what they claim.
This revised policy applies only to federal prosecutors and will not shield researchers from state-level charges. However, it provides “clarity” that was missing from the earlier 2014 guidelines, and could help courts that are unsure of how to handle ethical hacking cases.
It’s also a not-so-subtle message to officials who could abuse the threat of criminal charges to silence critics. For example, in October 2021, Missouri Governor Mike Parson threatened to sue a reporter for pointing out a website flaw that didn’t require any hacking. The DOJ’s new policy may not completely deter threats like Parson’s, but it could make their words relatively harmless.