The US Department of Justice (DoJ) has relaxed its treatment of ethical hackers.
Hackers performing “good faith” security research will no longer be charged under the Computer Fraud and Abuse Act (CFAA).
The department defined “good faith” security research as accessing a computer solely for the purpose of “good faith testing, investigation, or correction of a security breach or vulnerability, where such activity is conducted in a manner designed to avoid harm to individuals or the public”.
What is now allowed?
However, the DoJ stresses that claiming to conduct security research is not a “free pass” for those acting in bad faith.
For example, the DoJ has clarified that finding vulnerabilities in devices to extort their owners, even if claimed as “research”, is not bona fide.
The policy advises prosecutors to consult with the Computer Crimes and Intellectual Property Section (CCIPS) of the Criminal Division on specific applications of this factor.
The DoJ also confirmed that certain activities would not, on their own, be sufficient to warrant federal criminal charges.
These include creating misleading profiles on dating sites; creating fictitious accounts on hiring, housing, or rental websites; using a screen name on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a terms of service.
All federal prosecutors who wish to charge cases under the Computer Fraud and Abuse Act are required to follow the new policy and consult with CCIPS before bringing charges.
Prosecutors must notify the Deputy Attorney General (DAG), and in some cases receive approval from the DAG, before indicting a CFAA case if the CCIPS advises against it.
The new policy, which takes effect immediately, replaces a previous one issued in 2014.
Independent hackers are increasingly playing a role in discovering cybersecurity vulnerabilities.
A lone-wolf researcher by the name of hyp3rlinx has discovered that some of the most popular ransomware strains, such as Conti, REvil, LockBit, and many others, have a flaw that makes them vulnerable to DLL hijacking.