Hacker News
by dchftcs 1013 days ago
I think a better analogy can be drawn by just considering the physical version of some things. For IoT, you can say if someone discovers a specific brand of physical lock can be broken in unexpected ways, they should be allowed to communicate this in a way that benefits the users of the lock without facing any legal risk. For internet banking, you can discuss a physical vault that safekeeps everyone's gold, and say that someone who notices a broken lock should not be punished for telling the vault manager to fix the lock. Unfortunately the common situation is that the lock company and the vault manager will sue because they don't want to admit they put their users and clients at risk - it sounds absurd, but that's what happens in the electronic world.
1 comments

Well, in this analogy the problem starts with how the person is noticing the lock can be broken in unexpected ways.

Everything you said after that is a valid continuation from that, but the scope of the issue I am talking to centers around that how.

Because locks have never actually been unbreakable, right? The main purpose of a lock, the generally accepted way that the lock keeps people out - is by existing, not by being strong.

We have higher standards for the lock in more serious applications, like a vault, but if you buy a vault door, put it in your garage, and begin testing it for vulnerabilities - I feel like it's reasonable to view that as criminal. I admit 100% that it could be a curious tinkerer, but I do not think it is unreasonable to tell the tinkerer that they can't do that without permission.

What happens in that case is said tinkerer does it anyway.

And say they got that door by any of a number of legal means. Fact is they have it and could have a wide range of legal uses for said door too.

Is it better to drive that sort of thing underground?

I question that.