Hacker News
by mmaunder 1556 days ago
CFAA isn’t going away.

> If you're not going to do that, then disclose the vulnerability anonymously and cover your ass while you're testing, or just don't.

No. Just don’t. Know that video about not talking to the police because they interrogate people all day long and you’re an amateur in a pro fight? Same thing with infosec. We attribute IOCs to noobs all day long.

You don’t need a criminal record. It’ll ruin many parts of your life. I have friends who can confirm that the record they got in their late teens or early 20s closed many doors. Join a formal bug bounty platform and find legitimate work there.

1 comments

> CFAA isn't going away

There are some pretty concerted efforts in play to at least have it updated and tempered, which could have legs. I don't hold much hope it'll go away but I do think some of these efforts to have it replaced could have legs.

> No. Just don’t.

Yeah, fair, I mean I'm all too aware of the consequences myself, but within this setting telling a bunch of people "thou shalt not" seems almost more harmful (IMO it's akin to saying "never roll your own crypto" which someone inevitably ends up taking as a challenge).

Until we fix the laws, I'd suggest just letting the world burn until voters and lawmakers get tired of half the country's personal data being stolen once a month and make a safer landscape for hackers to report vulnerabilities.

I do hope those efforts succeed. I think the parent meant to state "hasn't gone away," but even if they didn't, the point remains if you replace that.

I hate the CFAA, to be clear; it's just definitely still the law.