U.S. DOJ will no longer prosecute ethical hackers under CFAA (Security News, May 2022)
With this policy update, the DOJ separates good-faith security research from malicious hacking. Previously, the line between the two was blurred, frequently leaving ethical security research in a problematic legal gray area.
Under the new policy, federal prosecutors are not to charge software testing, investigation, security flaw analysis, or network intrusions carried out to promote the security and safety of the devices or services being examined.
Good-faith security research is defined as "Accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services."
The policy does not give a pass to hacking carried out under the pretense of security research when the findings are then used to extort companies.
"The attorney for the government should decline prosecution if available evidence shows the defendant's conduct consisted of, and the defendant intended, good-faith security research." - U.S. DOJ. For example, if someone finds a critical vulnerability in a product and then demands payment from the software vendor in exchange for not disclosing it publicly, that conduct is still treated as a CFAA violation and charged accordingly.
The stated goal of CFAA enforcement remains to promote privacy and cybersecurity; the purpose of this change is to protect security researchers from legal action by firms that do not distinguish between good-faith vulnerability reports and hostile intrusions.