Laws that restrict hacking have changed in the last 2 years. In several ways, the changes are beneficial to security research. However, other laws have not evolved and continue to equate good faith security research with malicious hacking, and some laws create new liability for security research and vulnerability disclosure.
This presentation will provide an overview of the current legal landscape for security research: what has improved, what needs to change, and the areas of greatest legal risk for both hackers and the hacked. This will include an explanation of changes to major US anti-hacking laws: CFAA, DMCA Sec. 1201, and state laws. The presentation will also summarize developments on international laws such as China’s vulnerability disclosure law and the UK’s Computer Misuse Act. Finally, the presentation will provide suggestions on where the community should focus next to advocate for better legal protections for security research, vulnerability disclosure, and security tools.
Key takeaways include a basic understanding of major US hacking laws, recent changes to legal restrictions on security research and vulnerability disclosure, and opportunities for engagement on policy to protect good faith security research.