(It's very easy to believe the worst possible thing about every corner of our government, since every corner of our government has something bad about it. But it's a fundamental error to think that every bad thing is always present in every interaction.)
The DoJ announced in 2022 that they would not prosecute "good faith" security researchers, but it's not binding, just internal policy: https://www.scmagazine.com/analysis/doj-wont-prosecute-good-...
The policy (https://www.justice.gov/jm/jm-9-48000-computer-fraud) explicitly states at the end that it's for guidance only / does not establish rights, and it includes a provision for additional consultation on cases involving terrorism or national security, terms which have both been overloaded by the government to justify overreach in the past.
Personally, given the history of the CFAA, I wouldn't want to be in a position to test out this relaxed guidance on prosecuting good-faith researchers, but perhaps I'm unnecessarily averse to the idea of federal prison.
I don't think any sort of absolute assurance is possible, and if it were given I wouldn't trust it to be permanently binding :-)
This is my intuition from having interacted with CISA, and my impression from talking to policy people: it's not 1993 (or even 2013) anymore, and there's a much better basal understanding of security researchers vs. someone trying to secure a "get out of jail free" card for doing something they shouldn't have. That doesn't mean the government can't mess up here, but I can't remember a prominent example of them throwing the book at a good faith report like this in the past decade.
(Swartz is who I think of as an example of an extreme miscarriage of justice under an overly broad interpretation of the CFAA. And, of course, there could be facts in this situation that I'm not aware of that would motivate a criminal or civil CFAA investigation here. But "pre-dawn raids" aren't really it in situations like this one.)
The FBI did raid this guy in 2016 after what was seemingly an attempt at responsible disclosure of leaked medical records: https://arstechnica.com/information-technology/2016/05/armed...
And this journalist last year, though the facts of this story are less clear and obviously not responsible-disclosure related: https://www.cjr.org/the_media_today/tim-burke-florida-journa...
---
Here is the next YC: An app that uses AI to navigate all the Civil Injections and allow the easiest way to contact, petition, complain, praise, poll, explain a law, measure, etc. ELI5.
Get OpenAI and/or Amazon (Given they run DataCenter Infra for CoIntelPro) - since they have/seek government contracts - and have Massive AI - make them create a USA-GPT.gov and it's the most informed bot that will connect you to, explain, write-your-[representative/lobbyist/committee], and these companies have to provide these govGPTs in order to maintain any federal/defense contracts.