A US Supreme Court case that could expand the Computer Fraud and Abuse Act (CFAA) to include prosecuting "improper" uses of technology not specifically allowed by software makers will chill security research and could be used to punish other fair uses of technology, a group of nearly 70 vulnerability researchers and security firms said in a letter published on September 14.
The letter — signed by computer scientists from the University of Michigan and Johns Hopkins University, as well as security firms Bugcrowd, HackerOne, and Trail of Bits, among others — is a response to a legal filing by e-voting firm Voatz in a case that could expand the definition of "exceeds authorized access" under the CFAA to include violations of user agreements and software licenses. While Voatz has participated in bug bounty programs that grant participants legal protections, the firm has also reported a student researcher to state officials, dismissed serious vulnerabilities found by three researchers from the Massachusetts Institute of Technology, and even downplayed a third-party audit of its entire system by security firm Trail of Bits that confirmed the MIT findings and uncovered additional, more critical vulnerabilities.
"Voatz's insinuation that the researchers broke the law despite having taken all precautions to act in good faith and respect legal boundaries shows why authorization for this research should not hinge on companies themselves acting in good faith," the security researchers say in the letter, referring specifically to the MIT case. "To companies like Voatz, coordinated vulnerability disclosure is a mechanism that shields the company from public scrutiny by allowing it to control the process of security research."