Computer Access Laws
Laws restricting computer access and use should carefully balance the need to combat cybercrime with the value of supporting security research, innovation, and other legitimate activity.
DMCA
The Digital Millennium Copyright Act (DMCA) can hinder good faith security research by restricting the ability to analyze software for vulnerabilities. We support changes to extend protections for security researchers without diminishing copyright.
- 11/14/21 - Rapid7 analysis on 2021 security researcher rules
- 07/16/21 - Ex Parte letter to Copyright Office on security researcher protection
- 06/23/21 - Rapid7 joins statement on DMCA lawsuits against security tools
- 07/13/18 - Rapid7 response to DOJ letter on DMCA security researcher exemption
- 12/18/17 - Joint comments to the Copyright Office in support of strengthening the DMCA security researcher exemption
- 06/28/17 - Copyright Office Calls for New Cybersecurity Researcher Protections
- 10/27/16 - Joint comments to Copyright Office on specific DMCA reforms to protect security researcher
- 03/15/16 - Rapid7, Bugcrowd, and HackerOne file pro-researcher comments on DMCA Sec. 1201
- 10/28/15 - New DMCA Exemption is a Positive Step for Security Researchers
CFAA
Independent security research is valuable for advancing cybersecurity, but the Computer Fraud and Abuse Act (CFAA) makes little distinction between beneficial research and malicious hacking. We support responsible CFAA reforms and clarifications to protect security researchers and internet users from overbroad liability.
- 06/04/21 - Proposed security researcher protection under CFAA
- 06/03/21 - Analysis of Supreme Court opinion narrowing CFAA
- 07/13/20 - Rapid7 joins CFAA brief to the Supreme Court
- 10/20/15 - Why I Don't Dislike the Whitehouse/Graham Amendment
- 01/26/15 - How Do We De-Criminalize Security Research?
- 01/23/15 - Will the President's Cybersecurity Proposal Make Us More Secure?
UK Computer Misuse Act
The UK's Computer Misuse Act (CMA) imperils the sharing of defensive security tools, provides no acknowledgement of the importance of good faith security research, and fails to define what constitutes authorization for access to systems. Rapid7 supports sensible reforms that clarify these issues and advance cybersecurity without creating opportunities for abuses.
States
Rapid7 occasionally advises states on computer access laws to protect consumers and businesses while avoiding obstacles to research and innovation.
Hack Back
Authorizing private entities to take active measures in retaliation against hacking risks undermining cybersecurity and causing collateral damage.
- 06/17/21 - Rapid7 Position on Private Sector Hack Back
- 05/24/17 - Why Companies Shouldn’t Try to Hack Their Hackers
- 04/17/18 - Georgia Should Not Authorize "Hack Back"