The Justice Department doesn’t want security researchers facing federal charges when they expose security flaws. The department has revised its policy to indicate that researchers, ethical hackers and other well-intentioned people won’t be charged under the Computer Fraud and Abuse Act if they’re investigating, testing or fixing vulnerabilities in “good faith.” You’re safe as long as you aren’t hurting others and use the knowledge to bolster the security of a product, the DOJ said.
The government made clear that bad actors couldn’t use research as a “free pass.” They’ll still face trouble if they use newly discovered security holes for extortion or other malicious purposes, regardless of what they claim.
This revised policy is limited to federal prosecutors, and won’t spare researchers from state-level charges. It does provide “clarity” that was missing in the earlier 2014 guidelines, though, and might help courts that weren’t sure of how to handle ethical hacking cases.
It’s also a not-so-subtle message to officials who might abuse the threat of criminal charges to silence critics. In October 2021, for instance, Missouri Governor Mike Parson threatened a reporter with prosecution for pointing out a website flaw that required no hacking whatsoever. The DOJ’s new policy might not completely deter threats like Parson’s, but it could make their words relatively harmless.