Did you download 10 gigabytes of personal data and sell it? Or did you responsibly report the vulnerability once it was apparent? There would have to be some guidelines and some attacks like DDoS might still be illegal, etc.
Certainly a risk of this proposal is that some black-hats would get away, but that is already happening, so it's not really a problem of this proposal. This law won't affect black-hats because they already operate outside the law.
The problem is nobody can investigate the security of a company without facing major legal risks. As I linked above, a researcher pressed F12 and next thing he knew the Governor was threatening to prosecute him, and that's just one example. I believe it is a felony if I want to investigate for myself how secure T-Mobile's systems are, because they have not explicitly invited me to do so.
About 10 years ago I was doing some web scraping and came across a website that was exposing PII (SSNs and more) of thousands of people. It was in an API JSON response; the JavaScript only displayed part of the data, though. I just closed the site and never touched it again. I'm not a security researcher; I don't know how to safely report what I saw. It all seems personally risky for little personal gain. So I closed the site and let it go. My attitude has long been that if society wants to offer me some strong legal protections then I'll do the right thing; otherwise, society can burn. Half the nation's personal data can get stolen twice a month, as is already the case. When society cares enough to do something about it maybe I'll change my attitude.