The Department of Justice has officially revised its policy regarding a controversial law in a bid to encourage more activity from security researchers—sometimes referred to as white-hat hackers—who can find cybersecurity bugs and alert authorities for remediation before adversaries get to them.
The law in question, the Computer Fraud and Abuse Act (CFAA), gained notoriety within the vulnerability disclosure community following, among other cases, the department's prosecution of Aaron Swartz. Swartz was a Harvard University research fellow who was fined $1 million and sentenced to 50 years in prison under the law for siphoning documents from JSTOR, a digital repository of academic journals.