Based on the extensive public feedback on the May 2015 rule that BIS proposed (80 FR 28853, https://www.bis.doc.gov/index.php/regulations/federal-register-notices/17-regulations/816-federal-register-notices-2015#FR28853), the U.S. went back to Wassenaar in 2016 and 2017 to negotiate changes to the text in order to minimize the negative impacts the entries would have. The changes that were published are the result of those negotiations.

Two changes were made to the text. First, Notes were added to the entry for the “technology” for the “development” of “intrusion software”. The note clarifies that technology exchanged for vulnerability disclosure or cyber incident response purposes (as defined) is not controlled.

The second change is a Note added to the 4.D.4 control on the command and delivery platform for “intrusion software”. The note clarifies that software that provides software updates or upgrades is not controlled by the entry, as long as the software is not designed to update “intrusion software” or command and delivery platforms, or to turn something into “intrusion software” or a command and delivery platform.