What counts as “bona fide security research”? – Cancer over safety


The US Department of Justice (DOJ) recently revised its policy on charging violations of the Computer Fraud and Abuse Act (CFAA), a 1986 law that remains the primary statute under which federal prosecutors pursue cybercrime cases. The new guidelines say prosecutors should avoid charging security researchers who act in “good faith” when finding and reporting vulnerabilities. However, legal experts continue to advise researchers to proceed with caution, as the new guidelines cannot be used as a defense in court, nor do they provide any sort of shield against a civil lawsuit.

In a statement about the changes, Assistant Attorney General Lisa O. Monaco said the DOJ “has never been interested in prosecuting good faith computer security research as a crime,” and that the new guidelines “promote cybersecurity by providing clarity to good faith security researchers who root out vulnerabilities for the greater good.”

What constitutes “good faith security research”? The DOJ’s new guidelines (PDF) borrow language from a Library of Congress rulemaking (PDF) on the Digital Millennium Copyright Act (DMCA), a similarly controversial law that criminalizes the production and distribution of any technology or service designed to circumvent measures that control access to copyrighted works. According to the government, bona fide security research means:

“…Accessing a computer solely for the purpose of good faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner that avoids harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security of the class of devices, machines, or online services to which the accessed computer belongs, or of those who use such devices, machines, or online services.”

“Security research that is not conducted in good faith – for example, for the purpose of discovering security vulnerabilities in devices, machines or services in order to blackmail the owners of such devices, machines or services – could be classified as ‘research’, but it is not in good faith.”

The DOJ’s new policy comes in response to last year’s Supreme Court ruling in Van Buren v. United States (PDF), a case involving a former Florida police sergeant who was convicted of CFAA violations after a friend paid him to use police resources to look up information about a private individual.

But in an opinion written by Justice Amy Coney Barrett, the Supreme Court held that the CFAA does not apply to a person who obtains electronic information they are otherwise authorized to access and then misuses that information.

Orin Kerr, a law professor at the University of California, Berkeley, said the DOJ’s updated policy was anticipated in light of the Supreme Court’s ruling in the Van Buren case. Kerr noted that while the new policy says one measure of “good faith” is whether researchers take steps to prevent harm to third parties, what exactly those steps might be is another matter.

“The DOJ makes it clear that it will not prosecute good faith security researchers, but exercise real caution before relying on it,” Kerr said. “First, because you could still get sued [civilly, by the party to whom the vulnerability is being reported], but the line of what is legitimate security research and what is not is still unclear.”

Kerr said the new policy gives CFAA defendants no additional recourse.

“A defendant’s attorney can argue that this is good faith security research, but it is not enforceable,” Kerr said. “That means if the DOJ files a CFAA indictment, the defendant cannot get it dismissed on the basis that it was good faith security research.”

Kerr added that he couldn’t think of a CFAA case where that policy would have made a material difference.

“I don’t think the DOJ is giving up much, but there’s a lot of hacking that could be covered by good faith security research that they say they won’t prosecute, and it’ll be interesting to see what happens there,” he said.

The new policy also clarifies other types of potential CFAA violations that are not to be charged. Most of these involve violations of a technology vendor’s terms of service, and here the DOJ says that “violating an access restriction contained in a terms of service is not by itself sufficient to warrant federal criminal charges.” Some examples are:

- Embellishing an online dating profile contrary to the terms of use of the dating site;
- Creating fictitious accounts on hiring, housing or rental websites;
- Using a pseudonym on a social networking site that prohibits it;
- Checking sports scores or paying bills at work.


Kerr’s warning about the dangers security researchers face from civil lawsuits is well founded. KrebsOnSecurity regularly hears from security researchers asking for advice on how to handle reporting a vulnerability or data exposure. In most of these cases, the researcher is not worried that the government is after them: rather, they worry about being sued by the company responsible for the vulnerability or data leak.

Often these conversations revolve around the researcher’s desire to balance the rewards of having their discoveries recognized against the risk of facing costly civil lawsuits. And almost as often, the source of the researcher’s unease is the realization that they may have gone a little too far in their investigation.

Here’s a common example: A researcher finds a vulnerability on a website that allows them to retrieve each customer record in a database one at a time. But instead of simply querying a handful of records that could serve as a proof-of-concept to share with the vulnerable website, the researcher decides to download every single record on the server.

It’s also not uncommon for researchers to suspect that their automated activities may have caused stability or availability problems for the services they tested. In that situation, the researcher is usually apprehensive about contacting the vulnerable website or vendor, fearing that their activities may already have been flagged internally as some sort of external cyberattack.

What do I take away from these conversations? Some of the industry’s most trusted and feared security researchers have earned that respect not by constantly pushing things to the extreme and skirting the law, but by publicly exercising restraint in the use of their powers and knowledge, and by communicating their findings effectively, in a way that maximizes help and minimizes potential harm.

If you think you’ve discovered a security vulnerability or data exposure, then before embarking on any automated or semi-automated activity that the company could reasonably regard as a cyberattack, first consider how the vulnerable website or vendor might misinterpret your actions, and how you would defend them. In other words, do your best to minimize the potential damage to the vulnerable website or provider in question, and go no further than necessary to prove your point.
