A post from Krebs on Security on 3 June posed this question in light of the US DoJ having recently revised its policy on charging violations of the Computer Fraud and Abuse Act. The new guidelines state that prosecutors should avoid charging security researchers who operate in “good faith” when finding and reporting vulnerabilities.