Cyber leaders urge SCOTUS to narrow CFAA scope to protect vulnerability research tactics

Leaders from both the private and public sectors united to oppose an amicus brief filed with the Supreme Court that they say advocates a broad interpretation of the Computer Fraud and Abuse Act (CFAA) and could peg independent security researchers as threats.

The coalition contended that a recent filing by blockchain voting company Voatz in Van Buren v. United States fundamentally misrepresented “widely accepted practices in security research and vulnerability disclosure, and that the broad interpretation of the CFAA threatens security research activities at a national level.”

At issue in Van Buren, set to be heard by the court in October, is whether it is a federal crime for someone with permission to access information on a computer to do so for an improper purpose. The case could modernize and alter the scope of the Computer Fraud and Abuse Act (CFAA).

“A broad interpretation of the CFAA would magnify existing chilling effects, even when there exists a societal obligation to perform such research,” the group wrote in a formal letter to the court.

“Coordinated vulnerability disclosure (CVD) is a standard, widely adopted practice in which the public may engage in the process of security research and safely report vulnerabilities to organizations,” the letter said, explaining that “researchers give organizations a reasonable set timeframe to fix a vulnerability before disclosing it publicly; organizations in turn agree to consider such activities authorized and not take legal action against such research."

While vulnerability disclosure policies and bug bounties help mitigate, they “do not solve, the broader chilling effects of the law toward security research,” and even a company that offers safe harbor through such a policy “may still take legal action against security researchers,” the coalition wrote. Under a broad interpretation of the CFAA, the same would be true. “A failure to comply with any component of a vulnerability disclosure policy would itself constitute a contractual violation, and hence a CFAA violation, even if the policy specifically authorizes testing,” they said. Even under a policy’s safe harbor, “the promise only binds the company itself,” and “the reach of that protection is insufficient since security research can often involve a company’s vendors or third-party services.”

The group accused Voatz of acting in bad faith toward CVD. “In coordinated vulnerability disclosure, both parties agree to play by established rules in order to improve the state of security, and Voatz has not followed the rules of its own policies,” they wrote.

“In 2019, as acknowledged by the company in its court brief, Voatz referred a student security researcher to state authorities for what its CEO alleged was ‘unauthorized activity’…despite purporting to offer a safe harbor as part of its bug bounty program, which stated at the time of the student’s testing that ‘[a]ny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you,’” the group said. But shortly after the incident became public, “Voatz retroactively updated its safe harbor to disallow the student’s activity.”

The group urged SCOTUS to heed the guidance of the Electronic Frontier Foundation and a coalition of security experts, Professor Orin Kerr, Atlassian, Mozilla, and Shopify, who advocate a narrow interpretation of the CFAA.

“A broad reading of ‘exceeds authorized access’ in the CFAA will have a chilling effect on security research, and leaves us all less secure,” said Alex Rice, CTO and co-founder of HackerOne, a member of the coalition that signed the formal letter.

“Hackers are here to defend every aspect of our lives. From finding vulnerabilities in social networking software housing precious data to searching for security holes in elections systems, our democracy directly depends on those who can preserve our information and our votes from being abused,” said Rice. “This work is vital — even required for federal civilian agencies under CISA’s Binding Operational Directive 20-01 — and we must establish the proper protections for those who do it.”
