
Assuming:

1. Jane, a security researcher, discovers a vulnerability in an Acme Corporation public-internet-facing website in a legal manner

2. Jane is a US resident and citizen

3. Acme Corporation is a US company

... is it legal for Jane to post publicly about the vulnerability with a proof of concept exploit?

Relatedly:

Why do security researchers privately inform companies of vulnerabilities and wait for them to patch before public disclosure? Are they afraid of liability?



> Why do security researchers privately inform companies of vulnerabilities and wait for them to patch before public disclosure?

Because if they don’t inform the company and wait for the fix, their disclosure would make it easier for less ethical hackers to abuse the vulnerability and do real material harm to the company’s users/customers/employees. And no company would ever want to collaborate with someone who thinks it’s ok to do that.

It’s not even really a matter of liability IMO, it’s just the right thing to do.

(main exception: if the company refuses to fix the issue or completely ignores it, sometimes researchers will disclose it after a certain period of time because at that point it’s in the public’s best interest to put pressure on the company to fix it even if it becomes easier for it to be exploited)


IANAL, but to answer your question, maybe? The CFAA has a fairly broad scope. "intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains, information from any protected computer;" 1030(a)(2)(C)

Sandvig v. Barr tempers that a bit, with the DoJ now offering some guidance around good faith endeavors around security research.

I'd suggest Jane have a good lawyer on retainer, and a few years to spend tied up in the legal system.


> Why do security researchers privately inform companies of vulnerabilities and wait for them to patch before public disclosure? Are they afraid of liability?

You don't publish because you don't want to cause harm and you don't want to be liable for it.

You need to realize that vulnerabilities don't exist in a vacuum. They grant access to computer systems that control the life of people (millions of people) including their personal information, passwords, passport photos, card numbers, jobs, paychecks, transportation, food, etc., which is very likely to cover yourself, your mom, your family, your friends as you deal with larger companies.

When you publish a vulnerability, it will immediately be used by bad actors that intend to cause harm to all these people, including employees and customers.


I suspect the post itself is legal but it's also a confession of highly illegal hacking.


Yes. The underlying problem is that knowing about the vulnerability is not an issue. Getting to the point where you know about it and are sure it’s a vulnerability almost certainly will implicate whoever discovered it in a CFAA crime (and those punishments are ridiculously severe for what counts as committing them in most cases).

Most of these things are best done across non-cooperative international borders, just to reduce the incentive for ‘throw them in jail’ as an easy ass-covering measure.
