Doesn't this posture also criminalize white-hat hackers, whose disclosures would protect you from the people who actually want to do damage?

> Doesn't this posture also criminalize white-hat hackers, whose disclosures would protect you from the people who actually want to do damage?

There is no law for "white-hat hackers". You don't get to break into a system because of the color of your hat.

"White-hat hackers" have contracts, or very specific rules of engagement. Having run many a bug bounty, if someone was malicious, we would absolutely work to prosecute.

You can also find bugs in software freely, as long as you don't obtain unauthorized access to other people's systems.

This isn't true: there is, jurisdictionally dependent and I think also dependent on DOJ norms, a broad exception for good-faith white hat vulnerability research that would otherwise violate CFAA. Like I said, CFAA is very complicated in practice.

(I don't know enough about the CFAA to know whether this is true, so I'll assume it is.)

To continue the garage door analogy, you wouldn't walk up to any random garage door and try code 12345 to help protect the owner's stuff, would you?

To stick with this analogy: I think a white hat equivalent would be more like driving down the street with a garage door remote set to a default code and then notifying anyone whose door opens in response that they should change their code. I don't think that should be illegal.