by cookiecaper
3689 days ago
Yeah, the law in the US forbids accessing any information in a way that is either unauthorized or "exceeds authorized access" from any computer protected by federal law (any computer connected to the internet). The existence of a bug bounty program probably puts this issue within the "exceeds authorized access" category, and there have already been spats between security researchers and companies over where exactly the line of demarcation between beneficial research and malicious exploitation lies. This is not the kind of thing you want to risk having to depend on a jury to justly decide -- juries have an atrocious record with technical subjects, and if you can't afford a world-class lawyer (which, for reference, is going to cost around a million dollars), your chances are even worse. If the company informs the US Attorney about the case as a scare tactic, there's no guarantee that the attorney will back off when/if the company and the researcher reach an understanding. It's somewhat unlikely that they would, in fact, as "cybercrime prosecution" seems to be a widely-desired bullet point for prosecutors' resumes. This is surely the only motive that existed behind the prosecution of Aaron Swartz. If the plan is to take advantage of bug bounty programs, I believe the wise thing is to conceal your real identity. Anything that could potentially result in a CFAA claim or charge is much safer that way.