So I've gradually opened up about this as the risk has decreased, but I think it's time I can publicly share something that happened to me this year:
I was part of an investigation into a possible violation of the CFAA. Or, more accurately, I was being investigated as a suspect.
TL;DR: I ethically disclosed an security vulnerability - SQLi leading to account info, plaintext passwords. That same issue was, according to the investigators, abused by someone (possibly me, they thought).
I cannot convey to you how fantastically ready I am to be investigated for CFAA issues. I've disclosed many vulnerabilities privately, gone public with one, and even consult 1:1 with other researchers working on their first disclosures to help keep them safe & out of trouble.
I'm a cis white man in tech. I have a salaried job and a minor but positive reputation. I have enough savings to fight even a serious legal battle.
And I was still anxious for weeks while preparing to defend myself.
I'll probably write this up in another post sometime with more info, but just in case anyone else runs into the same situation, here's what to do:
* Shut the fuck up
* Contact the EFF legal desk https://www.eff.org/pages/legal-assistance
* If assistance is offered, TAKE IT
* If not, have your inquiry forwarded to the Cooperating Attorneys list
* Verify any lawyer that voices interest in your case can practice in your state & look for relevant case history
* Contact the lawyer - first consult is usually free, but it's mostly so both parties know more about the situation
* CAREFULLY follow their plan going forward, but be warned that any ongoing assistance will almost 100% cost you
In my case, it didn't go further (hooray). If that happens - and you have the means - it seemed a nice gesture to ask to send someone their favorite food/drink or make a charity donation in their name.
@RyunoKi There are some options for legal insurance (I have one provided by my employer) though they're not amazing... In my case, I would contact them and would be assigned a lawyer - it's a system designed to handle small issues, for example paperwork when buying a house. I honestly just didn't trust my coverage for a specialized concern, so I didn't try to get assistance through them.
Taking the "Twitter" out of "InfoSec Twitter."