Coming in from the Cold: A Safe Harbor from the CFAA and the DMCA §1201 for Security Researchers

43 Pages Posted: 20 Oct 2017 Last revised: 18 Jun 2018

See all articles by Daniel Etcovitch

Daniel Etcovitch

Harvard Law School

Thyla van der Merwe

University of London - Royal Holloway College

Date Written: June 1, 2018

Abstract

We propose a statutory safe harbor from the CFAA and DMCA §1201 for security research activities. Based on a responsible disclosure model in which a researcher and vendor engage in a carefully constructed communication process and vulnerability classification system, our solution would enable security researchers to have a greater degree of control over the vulnerability research publication timeline, allowing for publication regardless of whether or not the vendor in question has effectuated a patch. Any researcher would be guaranteed safety from legal consequences if they comply with the proposed safe harbor process.

Keywords: vulnerability, disclosure, responsible disclosure, CFAA, DMCA, 1201, cybersecurity, software, hardware, safe harbor, publication

Suggested Citation

Etcovitch, Daniel and van der Merwe, Thyla, Coming in from the Cold: A Safe Harbor from the CFAA and the DMCA §1201 for Security Researchers (June 1, 2018). Berkman Klein Center Research Publication No. 2018-4, Available at SSRN: https://ssrn.com/abstract=3055814 or http://dx.doi.org/10.2139/ssrn.3055814

Daniel Etcovitch (Contact Author)

Harvard Law School ( email )

1563 Massachusetts Avenue
Cambridge, MA 02138
United States

Thyla Van der Merwe

University of London - Royal Holloway College ( email )

Egham
Surrey
TW20 0EX
United Kingdom

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
259
Abstract Views
1,691
Rank
228,715
PlumX Metrics