So I've gradually opened up about this as the risk has decreased, but I think it's time I can publicly share something that happened to me this year:
I was part of an investigation into a possible violation of the CFAA. Or, more accurately, I was being investigated as a suspect.
TL;DR: I ethically disclosed a security vulnerability - SQLi leading to account info, plaintext passwords. That same issue was, according to the investigators, abused by someone (possibly me, they thought).
@jerry I'm hopeful here but cautious. In this specific case, there's no doubt I would be unprotected - someone did something unethical, and the DOJ will find out who.
In the other cases I've handled - private, public, or advisory - I would almost certainly be guaranteed protection from DOJ prosecution now (though I remain unprotected from other litigation, e.g. state-level laws). That said, for any protection at all to be offered is a big step and worth acknowledging.
The whole posture around information security is just generally upside-down, I feel.
Media focuses on blaming scary for cases of gross incompetence on device vendors' part; LEA is hell-bent on prosecuting security researchers for disclosures; and three-letter agencies weaponize vulnerabilities and then lose cabin pressure, leading to WannaCries and NotPetyas.