Give me an example of a good-faith disclosure escalated to law enforcement? Some examples come to mind, but the ones I'm thinking of won't support your argument.
You are generally not going to be legally liable for things you do in ordinary security research, but you will sure as hell be liable if you do unauthorized server-side research. Apple bounty stories are invariably about client-side work with little to no legal risk.