The guidance defines good faith to mean research aimed primarily at improving the security of sites, programs or devices, as opposed to activity aimed at extorting money by threatening to disclose or exploit a security flaw.
Companies can still sue those who claim to be acting in good faith, and officials could continue to charge hackers under state laws that often echo the CFAA. But most state prosecutors tend to follow federal guidance when their laws are similar.
Well-intentioned hackers in the past were routinely silenced by legal threats. Even in recent years, civil suits and criminal referrals have been used to cancel public talks on dangerous vulnerabilities or cast doubt on research findings.
In 2019, a mobile voting company, Voatz, referred to the FBI a Michigan college student who was researching its app for a course. Twenty years ago, a former employee of email provider Tornado Development served more than a year in prison on federal CFAA charges after the company refused to fix security flaws and he emailed its customers about them.
In a case that drew national attention in October, the governor of Missouri threatened hacking charges against a local newspaper that examined the publicly available source code of a government website and then warned the state that it was exposing the Social Security numbers of 100,000 educators.
The Justice Department did not respond to a question about what prompted the new policy.
But security work has become more obviously vital to corporate and even national security, and the professionalization has spawned billion-dollar businesses. Many companies now pay bug bounties to researchers who find flaws and report them directly or through programs managed by outside companies like Bugcrowd and HackerOne, which hailed the new U.S. policy.
“For well over a decade now, cybersecurity leaders have recognized the critical role of hackers as the Internet’s immune system,” HackerOne founder Alex Rice said via email. “We enthusiastically applaud the Department of Justice for codifying what we’ve long known to be true: Good faith security research is not a crime.”
Many hackers have turned to bounty platforms and other intermediaries for better protection from legal fallout. Other vulnerabilities have never been disclosed or fixed because of fear of prosecution, said Andrew Crocker, a lawyer at the nonprofit Electronic Frontier Foundation who often advises hackers.
“The first conversation is that CFAA has criminal and civil remedies, and if things go poorly, it is entirely possible that the federal government will bring charges,” Crocker told The Washington Post. “Some of the factors are beyond their control, such as whether the company sees them as a good guy or bad guy, whether the company has a good relationship with the local U.S. attorney’s office, and whether the company has clout in D.C.”
Even among hackers who are by nature risk-takers, the fear of criminal action frequently dissuades them from disclosing important findings that could help the companies, Crocker said.
The language of the policy explanation still leaves room for judgment calls in an area of high tension and overlapping motives, Crocker and others noted.
“What if the goals include speaking at [a security conference] or collecting a bounty? Is that not pure research?”
Security experts said they would prefer that Congress overhaul the 35-year-old law, since judges apply the existing law as they see fit and especially since another Justice Department could reverse the policy.
But they said they were glad of any steps in that direction.
“This is a huge victory for our cause!” tweeted hacker rights nonprofit Hacking is not a Crime.