So I've gradually opened up about this as the risk has decreased, but I think it's time I can publicly share something that happened to me this year:

I was part of an investigation into a possible violation of the CFAA. Or, more accurately, I was being investigated as a suspect.

TL;DR: I ethically disclosed a security vulnerability - SQLi leading to account info, plaintext passwords. That same issue was, according to the investigators, abused by someone (possibly me, they thought).

@tweedge yikes. Hopefully recent announcements by the DOJ will temper their enthusiasm to prosecute/investigate bug hunters


@jerry I'm hopeful here but cautious. In this specific case, there's no doubt I would be unprotected - someone did something unethical, and the DOJ will find out who.

In the other cases I've handled - private, public, or advisory - I would almost certainly be guaranteed protection from DOJ prosecution now (though I remain unprotected from other litigation, e.g. state-level laws). That said, for any protection at all to be offered is a big step and worth acknowledging.

@tweedge @jerry :oof:

The whole posture around information security is just generally upside-down, I feel.

Media focuses on blaming scary HACKERS for cases of gross incompetence on device vendors' part; LEA is hell-bent on prosecuting security researchers for disclosures; and three-letter agencies weaponize vulnerabilities and then lose cabin pressure, leading to WannaCries and NotPetyas.

Heavy sigh.

@jerry @rysiek @tweedge let's meet at the Full Moon in the forest to dance and heal, my sisters!
