by rtpg 3254 days ago
I understand that it's good to have cover for this sort of thing.

I think the line is pretty grey though.

One analogy is telling a company that their front door is unlocked.

Another analogy is going into an unlocked front door, and going deeper into the building, and then reporting to the company that you could, in fact, get to classified information from this door.

IRL pentesters get permission before trying to sneak into buildings, so there's some argument for it being the same for these sorts of things.

EDIT: I 100% think that users that are acting in good faith shouldn't be thrown in prison. This case is a pretty good example of this

4 comments

Note: the nature of the reported vulnerability was such that the teenager didn't even have to access the servers to do it, only change a value that was sent by his own browser.

If that was tantamount to not-breaking & entering, it means that it is okay to legally forbid step by step debugging on your own computer. That it may not be legal to inspect code from another company, even if it runs on your computer. That whatever the code decides (here, the price of the ticket) must be observed by the rest of the system (here, the price sent in the HTTP request wasn't the price decided by the web page).

The consequences of such thinking are chilling. If this is the kind of cyberpunk we're heading to, I'll seriously consider becoming a Runner.

On the Internet there is also the problem of remote attackers. Even if you preemptively jail all people in your jurisdiction, your system still isn't safe. It doesn't make any sense at all to call sending some malicious data to your server "breaking in" when anybody and his dog can do it from the comfort of their chair on the other side of the planet.

it means that it is okay to legally forbid step by step debugging on your own computer. That it may not be legal to inspect code from another company, even if it runs on your computer. That whatever the code decides, must be observed by the rest of the system

I don't know about Hungary, but in the US the DMCA has exactly these provisions.

When you test for a vulnerability, many times you don't know whether it actually works unless you go "deep into the building".

In this situation, it would have been difficult to report the parameter tampering without verifying that it actually worked (there are systems that pass params back and forth without apparent use, but they throw an error when client and server states don't match) - and, most probably, the report would have been ignored without the verification.

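The tampering described above (a price computed by the page, then edited in the request the browser sends) and the verification question in the preceding comment (does the server actually honour the edited value, or does it compare client and server state?) are illustrated by the following added example. It is not code from the thread or from the site discussed; the catalogue, prices and function names are constructed for illustration. The first checkout handler trusts the client's total, the second recomputes it server-side and rejects a mismatch.

```python
# Added example, not from the HN thread: a checkout that trusts a
# client-supplied total vs. one that recomputes it server-side.
from dataclasses import dataclass

# Constructed server-side catalogue (prices in cents). This is the only
# place a price may legitimately come from.
CATALOGUE = {"ticket-standard": 4500, "ticket-premium": 9000}


@dataclass
class Order:
    sku: str
    quantity: int
    charged_cents: int


class TamperedRequest(Exception):
    """Raised when the client's claimed total disagrees with the server's."""


def browser_request(sku, quantity):
    """What the unmodified page submits: it includes the total it displayed."""
    return {"sku": sku, "quantity": quantity, "total": CATALOGUE[sku] * quantity}


def tamper(request, new_total):
    """Edit the value before it leaves the browser (the step the thread describes)."""
    return {**request, "total": new_total}


def checkout_trusting_client(request):
    """Vulnerable: charges whatever total the client sent."""
    return Order(request["sku"], int(request["quantity"]), int(request["total"]))


def checkout_server_priced(request):
    """Hardened: recomputes the total from the catalogue and rejects a mismatch.

    A mismatch is the signal that client and server state have diverged; the
    client's number is never used for the charge in either branch.
    """
    sku = request["sku"]
    qty = int(request["quantity"])
    if sku not in CATALOGUE or qty < 1:
        raise ValueError("unknown sku or bad quantity")
    expected = CATALOGUE[sku] * qty
    if int(request["total"]) != expected:
        raise TamperedRequest(f"claimed {request['total']}, expected {expected}")
    return Order(sku, qty, expected)


if __name__ == "__main__":
    honest = browser_request("ticket-premium", 2)
    forged = tamper(honest, 1)
    print(checkout_trusting_client(forged))  # charged 1 cent
    try:
        checkout_server_priced(forged)
    except TamperedRequest as exc:
        print("rejected:", exc)
```

Whether the server even has a comparison to fail is exactly what cannot be known from the browser side; the first handler and the second produce identical HTTP traffic right up to the response, which is the point made in the comment above about needing to verify.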
Exactly. Often, to validate that the door is unlocked, one needs to use the knob and open it a little. Shall one get permission for that just for the sake of a check? Is this already a breach, to open the door without crossing the threshold?

Friends of mine have a small company (and a nice Ultimaker 2) and left their front door wide open, lights on, and went home one evening. However one manages to do that. I called them, stayed a bit to secure it, and since then it's free prints and free beers for me :)

I disagree. It's more akin to trying the handle on the door, noticing it's unlocked, then telling them, and being arrested for touching the door handle.