So I've gradually opened up about this as the risk has decreased, but I think it's time I can publicly share something that happened to me this year:
I was part of an investigation into a possible violation of the CFAA. Or, more accurately, I was being investigated as a suspect.
TL;DR: I ethically disclosed a security vulnerability - SQLi leading to account info, plaintext passwords. That same issue was, according to the investigators, abused by someone (possibly me, they thought).
I cannot convey to you how fantastically ready I am to be investigated for CFAA issues. I've disclosed many vulnerabilities privately, gone public with one, and even consult 1:1 with other researchers working on their first disclosures to help keep them safe & out of trouble.
I'm a cis white man in tech. I have a salaried job and a minor but positive reputation. I have enough savings to fight even a serious legal battle.
And I was still anxious for weeks while preparing to defend myself.
The serious reality of the situation is that, even though I did *everything right*, something out of my control almost landed me a federal charge.
I cannot imagine disclosing the same issues if I had less protection for myself. Hacking - even ethical hacking - can have serious, life-ending ramifications.
I applaud the work of the DOJ to start reducing risk for us - I really do. But this scare (and the long history of cudgeling hackers) is a big part of why I remain wary for us all.
* Contact the lawyer - the first consult is usually free, but it's mostly so both parties know more about the situation
* CAREFULLY follow their plan going forward, but be warned that any ongoing assistance will almost 100% cost you
In my case, it didn't go further (hooray). If that happens - and you have the means - it seemed a nice gesture to offer to send them their favorite food/drink or make a charity donation in their name.
@RyunoKi There are some options for legal insurance (I have one provided by my employer) though they're not amazing... In my case, I would contact them and would be assigned a lawyer - it's a system designed to handle small issues, for example paperwork when buying a house. I honestly just didn't trust my coverage for a specialized concern, so I didn't try to get assistance through them.