[LogonType10]

>This sounds like no one should be a security researcher for they risk paying companies to implement the security the company should have implemented anyway.

No, read again, this only refers to damages from unlawful activity. "White hat hackers" need not fear.

[jacquesm]

I wouldn't be so sure about that. The difference between white hat and black hat is usually only determined once the destination of the results of the activity is known. Plenty of bug bounty programs appear to be one element in the marketplace for valuing an exploit. If the bounty isn't high enough your 'white hat' may well change the color of their hat.

[LogonType10]

So... People who aren't criminals... Might become criminals... After committing a crime... I guess?

[AnthonyMouse]

Assuming they're lawyers who know every law and don't get skewered by something like DMCA 1201.