| ▲ | ecb_penguin 14 hours ago | |
> Doesn't this posture also criminalize white-hat hackers, whose disclosures would protect you from the people who actually want to do damage? There is no law for "white-hat hackers". You don't get to break into a system because the color of your hat. "White-hat hackers" have contracts, or very specific rules of engagement. Having run many a bug bounty, if someone was malicious, we would absolutely work to prosecute. You can also find bugs in software freely, as long as you don't obtain unauthorized access to other people's systems. | ||
| ▲ | tptacek 14 hours ago | parent [-] | |
This isn't true: there is, jurisdictionally dependent and I think also dependent on DOJ norms, a broad exception for good-faith white hat vulnerability research that would otherwise violate CFAA. Like I said, CFAA is very complicated in practice. | ||