Coming in from the Cold: A Safe Harbor from the CFAA and the DMCA §1201 for Security Researchers
43 Pages Posted: 20 Oct 2017 Last revised: 18 Jun 2018
Date Written: June 1, 2018
We propose a statutory safe harbor from the CFAA and DMCA §1201 for security research activities. Based on a responsible disclosure model in which a researcher and vendor engage in a carefully constructed communication process and vulnerability classification system, our solution would enable security researchers to have a greater degree of control over the vulnerability research publication timeline, allowing for publication regardless of whether or not the vendor in question has effectuated a patch. Any researcher would be guaranteed safety from legal consequences if they comply with the proposed safe harbor process.
Keywords: vulnerability, disclosure, responsible disclosure, CFAA, DMCA, 1201, cybersecurity, software, hardware, safe harbor, publication
Suggested Citation: Suggested Citation