[jforman]

There is no mens rea or actual harm involved in legit white hat hacking, including white hat hacking that is incentivized through bug bounties, so this activity is not criminal.

We don't know all of the specifics here, but for the feds to go after it one must assume that there was mens rea for the underlying offense (i.e., the hackers were in fact black hat) and there was actual harm (i.e., the hackers kept the stolen data and either intended to or did in fact use it for criminal purposes).

And in order to go after charges of obstruction and misprision, the DoJ must also believe that Sullivan was clearly aware that this behavior was criminal, and he intentionally sought to cover it up. This isn't much of a stretch because the FTC was probing it, so there was ample opportunity for him to respond incorrectly (and, allegedly, criminally) to FTC's questions during their probe.

[AmericanChopper]

In practice the line between bug bounties and extortion can often be a bit blurry, as well as the line between proving an exploit exists and actually exploiting it.

I think you’d need a lot more information to draw a reasonable conclusion. That said the prosecutors arguments that $100,000 is so much that it implies criminality, and that NDAs are non-standard (or that they also imply criminality) is complete and utter BS, and instantly makes me incredibly skeptical of the theories they’re operating on.

[JakeTheAndroid]

The same two people that carried out the Uber hack also hit Lynda.com while after using basically the exact same methodology. So, it would seem possible that they had credible evidence of a felony with intent to commit future ones.