Public Policy
Advancing smart cybersecurity and supporting the infosec community
Our modern lives increasingly rely on interconnected and complex technologies: in our homes, our critical infrastructure, our healthcare, everywhere. Enabling society to safely reap the benefits of this technology requires strong cybersecurity policies, practices, and awareness. To advance this cause, Rapid7 works with governments, companies, non-profits, and experts to shape policies, standards, and legislation that benefit consumers and defend responsible cybersecurity practitioners.
Rapid7’s public policy mission is part of our strong commitment to supporting the infosec community and advancing smart cybersecurity. Here are some examples of our cybersecurity policy work:
Our community philosophy
We believe security is the responsibility of all technology users, manufacturers, and intermediaries and that collaboration is the only way to achieve long-term change. That’s why we’re committed to openly sharing security information, helping our peers to learn, grow, and develop new capabilities, and supporting each other in raising and addressing issues that affect the cybersecurity community.
Computer Access Laws
We believe laws restricting access to, and use of, computers should carefully balance the need to combat cybercrime with security research, innovation, and other legitimate activity.
Independent security research is valuable for advancing cybersecurity, but the Computer Fraud and Abuse Act (CFAA) makes little distinction between beneficial research and malicious hacking. We support responsible CFAA reforms and clarifications to shield security researchers and internet users from overbroad liability.
- Why I Don’t Dislike the Whitehouse/Graham Amendment
- Will the President’s Cybersecurity Proposal Make Us More Secure?
- How Do We De-Criminalize Security Research?
The Digital Millennium Copyright Act (DMCA) currently hinders good faith security research by restricting the ability to analyze software for vulnerabilities. We support changes to extend protections to security researchers without diminishing copyright.
- Joint comments to Copyright Office on specific DMCA reforms to protect security researchers
- Rapid7 joint comments to the Copyright Office on reforming DMCA to protect cybersecurity research
- Rapid7, Bugcrowd, and HackerOne file pro-researcher comments on DMCA Sec. 1201
- New DMCA Exemption is a Positive Step for Security Researchers
- Rapid7 comments to the Copyright Office in support of a DMCA security researcher exemption
Rapid7 occasionally advises states on computer access laws to protect consumers and businesses while avoiding obstacles to research and innovation.
Exports
Cybersecurity is a global effort that depends on the free flow of information across borders; as such, export licensing requirements for cybersecurity products should be tailored to software actually used for malicious purposes.
The Wassenaar Arrangement would create broad new export requirements on software. We believe it should be refined to avoid unnecessary burdens on legitimate cybersecurity products.
- Rapid7's recommended revisions to the Wassenaar Arrangement
- Rapid7's comments to the Department of Commerce on proposed rules to implement the Wassenaar Arrangement
- Rapid7's Comments on the Wassenaar Arrangement Proposed Rule for Controlling Exports of Intrusion Software
- Rapid7's response to Department of Commerce proposed rule to implement the Wassenaar Arrangement
- Rapid7 FAQ on the Wassenaar Arrangement
Vulnerability Handling and Disclosure
As the volume and complexity of digital products and services grow, companies and government agencies need policies and practices for handling security vulnerabilities.
NIST, a technical standards-setting body in the U.S. Dept. of Commerce, developed a framework for cybersecurity practices that is in wide use in government, critical infrastructure, and other areas. Rapid7, in coordination with dozens of other security community members, is working to incorporate vulnerability disclosure and handling processes into the Framework.
NTIA, a branch of the U.S. Department of Commerce, is hosting a process for researchers and companies to develop principles for coordinated disclosure of security vulnerabilities. Rapid7 actively participates in this process to advance the adoption of productive vulnerability disclosure and handling practices by both technology providers and security researchers.
Internet of Things
The growth of the Internet of Things (IoT) offers great benefits, but also new risks for accidental breach and intentional cyberattack.
Cybersecurity will be critical to safety, privacy, and public trust as IoT devices are more widely deployed. In addition to leading research on IoT, Rapid7 engages policymakers in considering how to best secure it.
- Rapid7 comments to the National Highway Traffic Safety Administration on cybersecurity best practices for connected vehicles
- Rapid7 comments to the Department of Commerce on cybersecurity and the Internet of Things
- Rapid7 comments to the Food & Drug Administration on post-market guidance of cybersecurity in medical devices