by cookiecaper 3689 days ago
The CFAA forbids both "unauthorized" access and "exceeding authorized" access. A CFAA case involving a bug bounty program, either criminal or civil, would allege that the accused exceeded authorized access if it was thought that the existence of the bug bounty program was authorization.

There are other factors that come into play here too depending on the specific wording of the site's ToS and the bug bounty participation agreements/whatever. Access may be totally unauthorized, if, for example, one uses an automated scanning tool like sqlmap, as most sites have a ToS that bans any "automated access".

And there is the first factor, which is that if you're being sued by someone who is big enough for a bug bounty program, no normal person is going to be able to fight it, and if that company tells the prosecutor's office about you, you're going to have a hard time shaking them off as well.