The U.S. Justice Department has amended the Computer Fraud and Abuse Act (CFAA).
Now U.S. authorities will not punish hackers who look for holes in security systems without malicious intent.
The law specifies that searching for vulnerabilities for the purpose of extortion cannot be considered bona fide, even if the hacker characterizes it as research. The DOJ recommends that prosecutors consult with the Criminal Division's Computer Crime and Intellectual Property Section (CCIPS) to determine bona fides.