So I've gradually opened up about this as the risk has decreased, but I think it's time I can publicly share something that happened to me this year:

I was part of an investigation into a possible violation of the CFAA. Or, more accurately, I was being investigated as a suspect.

TL;DR: I ethically disclosed a security vulnerability - SQLi leading to account info, plaintext passwords. That same issue was, according to the investigators, abused by someone (possibly me, they thought).

@tweedge That is pretty crazy. I listen to securityNow podcast and they've covered an instance or two of this happening to people that disclosed vulnerabilities.

Glad to hear it's died down and the Mr Robot men in suits aren't chasing you anymore lol but still that is wild. Esp. in a day and age where people get paid for responsible vulnerability disclosures.


@spaphy The whole system is still backwards, and a lot of people are playing with fire by participating before the legal grey areas are resolved.

It is a rewarding fire to play with though - even with a scare like this, I struggle to think of another field I'd enjoy as much. Just going to do my best to avoid scares like it in the future.
