RankingMember 15 hours ago

Doesn't this posture also criminalize white-hat hackers, whose disclosures would protect you from the people who actually want to do damage?

ecb_penguin 14 hours ago

> Doesn't this posture also criminalize white-hat hackers, whose disclosures would protect you from the people who actually want to do damage?

There is no law for "white-hat hackers". You don't get to break into a system because of the color of your hat.

"White-hat hackers" have contracts, or very specific rules of engagement. Having run many a bug bounty, if someone was malicious, we would absolutely work to prosecute.

You can also find bugs in software freely, as long as you don't obtain unauthorized access to other people's systems.

tptacek 14 hours ago

This isn't true: there is, jurisdictionally dependent and I think also dependent on DOJ norms, a broad exception for good-faith white hat vulnerability research that would otherwise violate CFAA. Like I said, CFAA is very complicated in practice.

dpassens 14 hours ago

(I don't know enough about the CFAA to know whether this is true so I'll assume it is.)

To continue the garage door analogy, you wouldn't walk up to any random garage door and try code 12345 to help protect the owner's stuff, would you?

RankingMember 12 hours ago

To stick with this analogy: I think a white hat equivalent would be more like driving down the street with a garage door remote set to a default code and then notifying anyone whose door opens in response that they should change their code. I don't think that should be illegal.