Security News > 2022 > May > U.S. DOJ will no longer prosecute good-faith security researchers under CFAA

The U.S. Department of Justice announced the revision of its policy regarding charging violations of the Computer Fraud and Abuse Act, which says that, among other things, good-faith security researchers will no longer be charged and prosecuted.

Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.

"Computer security research is a key driver of improved cybersecurity," said Deputy Attorney General Lisa O. Monaco.

"The department has never been interested in prosecuting good-faith computer security research as a crime, and today's announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good."

The new policy acknowledges that claiming to be conducting security research is not a free pass for those acting in bad faith.

All federal prosecutors who wish to charge cases under the Computer Fraud and Abuse Act are required to follow the new policy, and to consult with CCIPS before bringing any charges.

News URL

https://www.helpnetsecurity.com/2022/05/19/security-researchers-cfaa/