Coming in from the Cold: A Safe Harbor from the CFAA and the DMCA §1201 for Security Researchers

43 Pages. Posted: 20 Oct 2017

Daniel Etcovitch

Harvard Law School

Thyla van der Merwe

Royal Holloway University of London

Date Written: October 19, 2017

Abstract

We propose a statutory safe harbor from the CFAA and DMCA §1201 for security research activities. Based on a responsible disclosure model in which a researcher and vendor engage in a carefully constructed communication process and vulnerability classification system, our solution would enable security researchers to have a greater degree of control over the vulnerability research publication timeline, allowing for publication regardless of whether or not the vendor in question has effectuated a patch. Any researcher would be guaranteed safety from legal consequences if they comply with the proposed safe harbor process.

Keywords: vulnerability, disclosure, responsible disclosure, CFAA, DMCA, 1201, cybersecurity, software, hardware, safe harbor, publication

Suggested Citation

Etcovitch, Daniel and van der Merwe, Thyla, Coming in from the Cold: A Safe Harbor from the CFAA and the DMCA §1201 for Security Researchers (October 19, 2017). Berkman Klein Center Research Publication No. 2018-4. Available at SSRN: https://ssrn.com/abstract=3055814 or http://dx.doi.org/10.2139/ssrn.3055814

Daniel Etcovitch (Contact Author)

Harvard Law School

1563 Massachusetts Avenue
Cambridge, MA 02138
United States

Thyla Van der Merwe

Royal Holloway University of London

Egham
Surrey
TW20 0EX
United Kingdom
