From [1]:

"(ii) For purposes of this exemption, “good-faith security research” means accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement."

So it seems like it's all going to be gauged in how the material is presented/hosted. The way I read it is "disclose the details of the bug and source, ok. but once you start hosting an executable like './rootmysystem' or './disable_copy_prot' then you're entering the grey area." (Or rather the decision would probably be made based on whether your website looks like one that encourages or promotes infringement versus one that promotes security.)

[1] https://www.federalregister.gov/documents/2015/10/28/2015-27212/exemption-to-prohibition-on-circumvention-of-copyright-protection-systems-for-access-control#p-193
Neat. I like the exemption in principle, and the "Good Faith" condition will probably be the linchpin that gets tested in court cases if they come up. What is Good Faith in security research is not necessarily - I don't think - a settled issue. Especially in light of the CFAA still on the books. I'd appreciate more and more clarity coming through (and augmentations to existing law to make them better) over time.

I wonder how the EFF will respond to this, because I recall one of their lawsuits (major?) is about DMCA exemption for security research (Plaintiff 1) but also violating DMCA in a for-profit enterprise (Bunny).
Can't they still restrict you? For example Tesla could prevent you from connecting to their network and being able to use super chargers if you in any way 'hack' your car.
So not much has truly changed; this is a simple limited-time reprieve. Based on the wording, can you give permission for another party to work on hardware you have? As in, can a manufacturer still declare that an end user cannot grant access to another under the idea that the other party does not own the device and as such is not legally allowed to work on it?
Out of curiosity, can this apply to SaaS products at all? It seems like the provisions are relaxed in general.

I am curious if I could use this to reverse engineer a product that isn't hardware AND does not have explicit provisions saying that I am not allowed to reverse engineer the software.
I wonder if this new freedom to do security research can help us discover vulnerabilities in our IoT devices before they're used in another massive DDoS.