[wyldfire]

From [1] : "(ii) For purposes of this exemption, “good-faith security research” means accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement."

So it seems like it's all going to be gauged in how the material is presented/hosted. The way I read it is "disclose the details of the bug and source, ok. but once you start hosting an executable like './rootmysystem' or './disable_copy_prot' then you're entering the grey area." (Or rather the decision would probably be made based on whether your website looks like one that encourages or promotes infringement versus one that promotes security.

[1] https://www.federalregister.gov/documents/2015/10/28/2015-27...