[DanielShir]

That's absolutely right. I haven't disclosed vulnerabilities for several websites because of this exact reason. If there's no bug bounty program, then you're liable and can be criminally prosecuted (and I know cases where the person was sued in civil court as well).

[cookiecaper]

Don't expect a bug bounty program to protect you. I'm not a security researcher, but if I wanted to be one, I would do what I could to conduct that business pseudonymously instead of trusting that the company would stick to the representations made in the bug bounty program.

Remember that the CFAA has both a civil and a criminal component; if the state decides to charge you, the opinion of the company whose computers you illegally accessed does not necessarily matter. JSTOR asked Carmen Ortiz to drop the charges against Aaron Swartz and she declined to do so.

[cyphar]

A bug bounty acts as a legal agreement (read: implicit contract). The CFAA doesn't void contracts between two parties.

[ajnin]

I'm not familiar with US law so I might be wrong but I believe in the case of crimes the perpetrators get prosecuted by the state, not the targeted company, so any implied contract would be irrelevant.

[maxerickson]

The bug bounty authorizes access for the purposes of finding and reporting issues.

The relevant parts of the CFAA are aimed at unauthorized access.

[cookiecaper]

The CFAA forbids both "unauthorized" access and "exceeding authorized" access. A CFAA case involving a bug bounty program, either criminal or civil, would allege that the accused exceeded authorized access if it was thought that the existence of the bug bounty program was authorization.

There are other factors that come into play here too depending on the specific wording of the site's ToS and the bug bounty participation agreements/whatever. Access may be totally unauthorized, if, for example, one uses an automated scanning tool like sqlmap, as most sites have a ToS that bans any "automated access".

And there is the first factor, which is that if you're being sued by someone who is big enough for a bug bounty program, no normal person is going to be able to fight it, and if that company tells the prosector's office about you, you're going to have a hard time shaking them off as well.

[cookiecaper]

Yeah, the law in the US forbids accessing any information in a way that is either unauthorized or "exceeds authorized access" from any computer protected by federal law (any computer connected to the internet). The existence of a bug bounty program probably puts this issue within the "exceeds authorized access" category, and there have already been spats between security researchers and companies over where exactly the line of demarcation between beneficial research and malicious exploitation lies.

This is not the kind of thing you want to risk having to depend on a jury to justly decide -- juries have an atrocious record with technical subjects, and if you can't afford a world-class lawyer (which, for reference, is going to cost around a million dollars), your chances are even worse.

If the company informs the US Attorney about the case as a scare tactic, there's no guarantee that the attorney will back off when/if the company and the researcher reach an understanding. It's somewhat unlikely that they would, in fact, as "cybercrime prosecution" seems to be a widely-desired bullet point for prosectors' resumes. This is surely the only motive that existed behind the prosecution of Aaron Swartz.

If the plan is to take advantage of bug bounty programs, I believe the wise thing is to conceal your real identity. Anything that could potentially result in a CFAA claim or charge is much safer that way.

[cyphar]

Not if the contract states "this is authorized access". Then it's relevant.

[CiPHPerCoder]

> That's absolutely right. I haven't disclosed vulnerabilities for several websites because of this exact reason.

Depending on how you learned of said vulnerabilities, you might still be culpable for the mere act of discovering them.