It's taken years, but finally, cybersecurity professionals have been given license to reverse engineer technology.

The US government has updated and published a new list of exemptions to the Digital Millennium Copyright Act (DMCA), a perhaps long-overdue move that will protect cybersecurity professionals from prosecution when reverse-engineering products for research purposes.

On Friday, the US Copyright Office and the Librarian of Congress published the updated rules in the Federal Register.

The DMCA regulations now include exceptions relating to security research and vehicle repair relevant to today's cybersecurity field. For the next two years, researchers can circumvent digital access controls, reverse engineer, access, copy and manipulate digital content which is protected by copyright without fear of prosecution -- within reason.

The exceptions to Section 1201 of the DMCA were born from two years of prompting by the Electronic Frontier Foundation (EFF) and other public interest groups.

While the DMCA makes it illegal to circumvent controls that prevent access to copyrighted material, researchers are now able to find vulnerabilities and bugs by reverse engineering or circumventing controls in the spirit of what the US Federal Trade Commission (FTC) calls "good faith" research.

The FTC defines "good faith" research as:

"Accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement."

The list of exemptions includes:

  • Computer programs operating on legal devices and software reverse engineered for cybersecurity research
  • Consumer devices, such as smartphones, tablets and voting machines for research purposes
  • Vehicle testing
  • Medical device exploration by patients to access data
  • Video games, libraries and video streaming for educational purposes


Read more: US DMCA rules updated to give security experts legal backing to research | ZDNet