The US Department of Justice (DoJ) recently announced that it will not prosecute “good faith” hackers in a historic policy shift. Up until this point, even white hat hackers could be prosecuted under the Computer Fraud and Abuse Act (CFAA), even when done to improve cybersecurity. The DoJ identified good-faith hacking as accessing devices solely for the purposes of investigation, correction of a security, flaw or vulnerability, in situations in which no harm will be committed to individuals or the public, and where the information derived is being used to promote safety or security. The move takes effect immediately and will hopefully eliminate the threat of prosecution from the industry.
In addition, cybersecurity practices may be enhanced by enabling security researchers to identify vulnerabilities in organizations and complete important cybersecurity processes such as bug bounties without fear of prosecution. The DoJ clarified that the new policy is not, however, going to be a way for those acting in bad faith to avoid trouble with the law. This includes individuals who discover vulnerabilities for the purpose of extorting the owners even if the process is labeled as cybersecurity research.
Read More: DoJ Says White Hat Hackers Will No Longer Face Prosecution
