The Department of Justice Announces Revised Computer Fraud and Abuse Act Charging Policy

May 24, 2022

On Thursday, the Department of Justice announced a revision to its longstanding charging policy for cyber-based crimes under the Computer Fraud and Abuse Act. The DOJ explained that, under the newly revised policy, “good-faith security research should not be charged.” The Department continued:

Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.

Simply put, the Department will no longer bring federal charges against those who hack computer systems to identify security flaws so those same flaws can be fixed. The DOJ explained that these white hat hackers should not be prosecuted because “[c]omputer security research is a key driver of improved cybersecurity.”