Public Policy

Advancing smart cybersecurity and supporting the infosec community

Our modern lives increasingly rely on interconnected and complex technologies: in our homes, our critical infrastructure, our healthcare, everywhere. Enabling society to safely reap the benefits of this technology requires strong cybersecurity policies, practices, and awareness. To advance this cause, Rapid7 works with governments, companies, non-profits, and experts to shape policies, standards, and legislation that benefit consumers and defend responsible cybersecurity practitioners.

Rapid7’s public policy mission is part of our strong commitment to supporting the infosec community and advancing smart cybersecurity. Here are some examples of our cybersecurity policy work:

Our community philosophy

We believe security is the responsibility of all technology users, manufacturers, and intermediaries and that collaboration is the only way to achieve long-term change. That’s why we’re committed to openly sharing security information, helping our peers to learn, grow, and develop new capabilities, and supporting each other in raising and addressing issues that affect the cybersecurity community.

Computer Access Laws

We believe laws restricting access to, and use of, computers should carefully balance the need to combat cybercrime with security research, innovation, and other legitimate activity.

Independent security research is valuable for advancing cybersecurity, but the Computer Fraud and Abuse Act (CFAA) makes little distinction between beneficial research and malicious hacking. We support responsible CFAA reforms and clarifications to shield security researchers and internet users from overbroad liability.

The Digital Millennium Copyright Act (DMCA) currently hinders good faith security research by restricting the ability to analyze software for vulnerabilities. We support changes to extend protections to security researchers without diminishing copyright.

Rapid7 occasionally advises states on computer access laws to protect consumers and businesses while avoiding obstacles to research and innovation.

Vulnerability Handling and Disclosure

As the volume and complexity of digital products and services grow, companies and government agencies need policies and practices for handling security vulnerabilities.

NIST framework

NIST, a technical standards-setting body in the U.S. Dept. of Commerce, developed a framework for cybersecurity practices that is in wide use in government, critical infrastructure, and other areas. Rapid7, in coordination with dozens of other security community members, is working to incorporate vulnerability disclosure and handling processes into the Framework.

NTIA process

NTIA, a branch of the U.S. Department of Commerce, is hosting a process for researchers and companies to develop principles for coordinated disclosure of security vulnerabilities. Rapid7 actively participates in this process to advance the adoption of productive vulnerability disclosure and handling practices by both technology providers and security researchers.
