So I've gradually opened up about this as the risk has decreased, but I think it's time I can publicly share something that happened to me this year:

I was part of an investigation into a possible violation of the CFAA. Or, more accurately, I was being investigated as a suspect.

TL;DR: I ethically disclosed a security vulnerability - SQLi leading to account info, plaintext passwords. That same issue was, according to the investigators, abused by someone (possibly me, they thought).

I cannot convey to you how fantastically ready I am to be investigated for CFAA issues. I've disclosed many vulnerabilities privately, gone public with one, and even consult 1:1 with other researchers working on their first disclosures to help keep them safe & out of trouble.

I'm a cis white man in tech. I have a salaried job and a minor but positive reputation. I have enough savings to fight even a serious legal battle.

And I was still anxious for weeks while preparing to defend myself.

The serious reality of the situation is, even though I did *everything right*, something out of my control almost landed me a federal charge.

I cannot imagine disclosing the same issues if I had less protection for myself. Hacking - even ethical hacking - can have serious, life-ending ramifications.

I applaud the work of the DOJ to start reducing risk for us - I really do. But this scare (and the long history of cudgeling hackers) is a big part of why I remain wary for us all.


I'll probably write this up in another post sometime with more info, but just in case anyone else runs into the same situation, here's what to do:

* Shut the fuck up
* Contact the EFF legal desk
* If assistance is offered, TAKE IT
* If not, have your inquiry forwarded to the Cooperating Attorneys list
* Verify any lawyer that voices interest in your case can practice in your state & look for relevant case history
* Contact the lawyer - first consult is usually free, but it's mostly so both parties know more about the situation
* CAREFULLY follow their plan going forward, but be warned that any ongoing assistance will almost 100% cost you

In my case, it didn't go further (hooray). If that happens - and you have the means - it seemed a nice gesture to ask to send someone their favorite food/drink or make a charity donation in their name.

Do you have insurance in the States to cover the cost of a lawyer?

@RyunoKi There are some options for legal insurance (I have one provided by my employer) though they're not amazing... In my case, I would contact them and would be assigned a lawyer - it's a system designed to handle small issues, for example paperwork when buying a house. I honestly just didn't trust my coverage for a specialized concern, so I didn't try to get assistance through them.
