The guidance defines good faith to mean research aimed primarily at improving the safety of sites, programs or devices, as opposed to exploration aimed at demanding money in exchange for withholding disclosure or exploitation of a security flaw.
Companies can still sue those who claim to be acting in good faith, and officials could continue to charge hackers under state laws that often echo the CFAA. But most state prosecutors tend to follow federal guidance when their laws are similar.
Well-intentioned hackers in the past were routinely silenced by legal threats. Even in recent years, civil suits and criminal referrals have been used to cancel public talks on dangerous vulnerabilities or cast doubt on research findings.
In 2019, a mobile voting company, Voatz, referred to the FBI a Michigan college student who was researching its app for a course. Twenty years ago, a former employee of email provider Tornado Development served more than a year in prison on federal CFAA charges after the company refused to fix security flaws and he emailed their customers about it.
In a case that drew national attention in October, the governor of Missouri threatened hacking charges against a local newspaper that examined the publicly available source code of a government website and then warned the state that it was exposing the Social Security numbers of 100,000 educators.
The Justice Department did not respond to a question about what prompted the new policy.
But security work…