The Security Researcher Who Took On the US Legal System and Won an MBE Doing It

Jen Ellis started out running PR for a cybersecurity firm. She ended up testifying before Congress, brokering a peace deal between hackers and the Justice Department, and picking up a royal honour along the way.

ThreatVectr Newsdesk· 4 min read
A wide 16:9 editorial photograph of an empty wood-panelled congressional hearing room, rows of microphones on a long curved dais, overhead lights casting a warm
Share

Key points

  • In 2013, security researcher HD Moore faced potential federal prosecution for legitimate scanning research, which spurred Jen Ellis to campaign for legal reform.
  • Ellis secured a 2016 policy requiring federal prosecutors to consult the Justice Department's Computer Crime unit before charging security researchers.
  • A 2022 Justice Department directive discouraged prosecutors from pursuing good-faith security researchers, a milestone shaped in part by Ellis's decade of advocacy.
  • In summer 2025, Ellis was awarded a Member of the Order of the British Empire (MBE) for her contributions to cybersecurity policy.
  • Ellis testified before Congress in July 2015 as the sole witness not in favour of a proposed cybercrime bill that would have made legitimate security research harder.

Jen Ellis did not set out to become one of the most consequential voices in cybersecurity policy. She set out to stop a friend from getting prosecuted for doing his job well.

That friend was HD Moore, the creator of Metasploit, a widely used security-testing tool. In 2013, Moore ran a project called Critical.io, which scanned large parts of the internet to find security weaknesses before criminals could exploit them. The US Department of Justice (DoJ) threatened him with prosecution anyway. Legal trouble dragged on for three months. Moore began questioning whether security research was worth the risk.

Ellis, who was handling communications for security firm Rapid7 and had collaborated closely with Moore, was furious. Not at him. At the system.

How did one PR professional change federal law?

She walked into the office of Rapid7's then-chief executive, Corey Thomas, and told him she wanted to change the law. She had no legal training and no policy experience. Thomas told her to try. He said it would probably take up five percent of her time.

It did not take up five percent of her time.

Ellis dug into the Computer Fraud and Abuse Act, or CFAA, a federal law that criminalises unauthorised access to computer systems but which critics say is written so broadly that it can catch researchers acting in good faith. She also studied the Digital Millennium Copyright Act, or DMCA, a law originally aimed at stopping piracy but one that researchers had found could be used to block legitimate security testing of software. What she found made her more indignant, not less.

Her first real breakthrough came in 2014, when she contacted the DoJ's Computer Crimes and Intellectual Property Section. She expected a polite brush-off. Instead, prosecutors told her they shared her concern and wanted to help. One of those prosecutors, Leonard Bailey, became a key partner. Ellis persuaded him to attend the Black Hat security conference in Las Vegas, where she gathered roughly two dozen researchers, including the late Dan Kaminsky, for a frank conversation with the federal government.

This was one year after the death of Aaron Swartz, a programmer who faced federal charges under the CFAA for downloading academic articles. Distrust between the security community and law enforcement was at a high point. Getting experienced researchers to sit respectfully across from a federal official took real credibility. Bailey later said the meeting could not have happened without Ellis.

The tension in the room ran hot for about an hour. Then, Bailey recalls, the conversation shifted toward what both sides had in common: protecting people and networks.

That meeting produced results. A 2016 policy required federal prosecutors to consult the Computer Crimes unit before bringing any CFAA charges against researchers. Years of further campaigning, alongside groups including the Electronic Frontier Foundation, led to a 2022 DoJ directive discouraging prosecutors from pursuing good-faith security researchers altogether.

In July 2015, Ellis had what she calls her "crazy two weeks": testifying before Congress against a proposed cybercrime bill in one week, then ringing the opening bell at NASDAQ when Rapid7 went public in the next. She was the only witness at that hearing who was not in favour of the bill. Two senators told her they would engage on researcher-protection reform. It was the first time anyone in Congress had said so.

This summer, the British government awarded Ellis an MBE, one of the United Kingdom's honours for people who have made a significant contribution to their field. Her LinkedIn response promised her American friends they were now required to curtsey whenever they saw her.

For ordinary people, the practical payoff from this work is straightforward. Security researchers finding flaws in hospital software, banking apps, or the systems that run traffic lights are more able to report those flaws without fearing prosecution. That means weaknesses are more likely to get fixed before criminals find them first.

Further background on this story was drawn from Dark Reading's profile of Ellis.

© 2026 Threat Vectr