So I've gradually opened up about this as the risk has decreased, but I think it's time I can publicly share something that happened to me this year:
I was part of an investigation into a possible violation of the CFAA. Or, more accurately, I was being investigated as a suspect.
TL;DR: I ethically disclosed a security vulnerability - SQLi leading to account info, plaintext passwords. That same issue was, according to the investigators, abused by someone (possibly me, they thought).
@tweedge yikes. Hopefully recent announcements by the DOJ will temper their enthusiasm to prosecute/investigate bug hunters
@jerry I'm hopeful here but cautious. In this specific case, there's no doubt I would be unprotected - someone did something unethical, and the DOJ will find out who.
In the other cases I've handled - private, public, or advisory - I would almost certainly be guaranteed protection from DOJ prosecution now (though I remain unprotected from other litigation, ex. state-level laws). That said, for any protection at all to be offered is a big step and worth acknowledging.