by awakened 4405 days ago
So should someone find a remote exploit in OpenWhatever that gives them remote root access and they publicly disclose that (without having tested it on the Internet... just in their lab) then they are not subject to the CFAA?

Correct.

The CFAA requires access without authorization or exceeding authorized access. Presumably you are an authorized user of your own systems.

It is possible that some vendors may try to use User Acceptance Licenses to further restrict what actions can be taken with their software (even in cases where you've purchased it and installed it on your system).

I believe (and would love to be corrected by a lawyer) that even those cases would be civilly prosecuted, and still not related to the CFAA.

This is one of the reasons why when providing penetration testing/application testing training we always took great pains to drill into their heads to never use any of those techniques on systems you do not own. Not poking around on your bank's website, etc.

If you knowingly access a system that you do not have authorization for, the owner of the system might not care (or might not notice), but under the CFAA, they can file charges against you.

Reasonable people may disagree what constitutes "exceeding authorized access" (where reasonable people might be your attorney and a prosecutor).

I have no problem with punishing unauthorized access although the punishment is stupid severe.

I mean, once you've been sentenced under the CFAA you might as well have a shootout with the police or kill some people; it makes no difference. Hell, the extra charges won't make much of a difference; you're still facing life.

Does that make sense to anybody?

What they do require though is an exception for researchers, and you can define researchers as anybody who discloses the vulnerability to the owner of the vulnerable system before publishing it publicly. A security researcher is required to disclose publicly the results of his research in order to be considered a researcher.

A regular hacker cannot claim to be a security researcher since hackers never disclose the vulnerabilities they find to the owner of the system even if they do share them publicly with other hackers sometimes. It is not in their interest to let the owner of the vulnerable system know they have a problem.

Correct. They are also probably (depending on circumstances) exempt from some provisions of the DMCA that might otherwise allow the research target to employ copyright law to stop them from conducting the research. US Federal Law has provisions that explicitly protect vulnerability research in some cases.