Questions of Legality

x1admin
Site Admin
Posts:3102
Joined:Sun Nov 15, 2015 7:04 pm

Post by x1admin » Tue Jul 25, 2017 9:14 pm

Hi Folks,

The immense contribution of our community to making the Web a safer place is unquestionable. Being a non-profit project with the sole purpose of making the Web a safer place, Open Bug Bounty is committed to complying with enacted laws and regulations. To double-check that our community follows this important commitment, we asked an acquaintance from a law firm to clarify certain aspects of security testing.

Only a court is eligible to decide if something is legal or not [within its jurisdiction]; however, the text below can help you understand how law works in general and shape your research activities accordingly.

Disclaimer: this text is provided without any warranty and shall never be taken as an instigation to commit any acts or start any activities.
There are numerous jurisdictions and a great variety of laws, statutes and acts aimed at punishing computer crime. Laws of many countries and states may be contradictory; Common (e.g. USA) and Civil (e.g. continental EU) law systems also have substantial differences. Complicated procedural rules, supremacy of federal over state law and conflict of laws make the situation ever more confusing. Therefore, let's try to keep things simple:

1) Civil ("civil", do not confuse with the "Civil" law system) lawsuits are primarily designed to compensate tangible (e.g. financial) damages, or to prevent them (e.g. via injunction). Therefore, any civil suit requires proof of measurable damage caused by someone's [negligent or intentional] acts. Otherwise, it will likely be dismissed by the court.

1.1 People cannot be placed in jail, searched or arrested within the scope of a civil lawsuit (exceptions are out-of-lawsuit violations, such as perjury, obstruction of justice or contempt of court).

1.2 Very few companies will ever start civil litigation if provable damage is insignificant OR the tortfeasor (offender) does not have enough money to compensate the damage inflicted. Otherwise, even their own legal costs will never be covered.


2) Criminal charges are brought exclusively by the government with the main purpose of punishing socially dangerous behavior. Anyone who is a victim of a crime can file a complaint (usually to the police), but only the government (usually represented by a prosecutor) can bring criminal charges in the end.

2.1 Virtually any criminal law (statute or act) requires both (a) a malicious intent AND (b) a malicious act. For example, if you buy salt in a local shop and resell it to your friend, and then discover cocaine inside - intent is missing, and you will almost surely be acquitted (but if you sell it for the price of cocaine, no jury or judge will ever believe that you didn't have the intent and were unaware of the cocaine). Exceptions are so-called "strict liability" offenses, where you don't need to act intentionally, knowingly, recklessly or with criminal negligence to be found guilty (currently we are not aware of any strict liability laws in the cybercrime sphere).

2.2 To be found guilty, the government must prove "beyond a reasonable doubt" (this is the official standard) EVERY element of the offense specified in the text of the statute (law). The presumption of innocence clearly says that one is considered innocent unless proven guilty. For example, if there is a law that criminalizes playing with a red ball in the city of NY, you can play with a blue or orange ball in the center of NY without fear, because a vital element of the offense (color) is missing here (except if there is another law prohibiting blue balls as well).

2.3 In some states, laws are so blurred and can be construed so broadly that even penetration testing can be a serious crime. However, to avoid absurd results, the government [almost] never prosecutes this. Criminal law is also influenced by public policy and politics. In some countries, criminal charges are not brought for the ultimate benefit of society or the economy of state funds. Some minor offenses may be de facto decriminalized as law enforcement refuses to investigate them.

2.4 Always keep in mind that only a court can decide that something violates an enacted [criminal] law and thus is illegal. Lawyers have no legal authority to make any adjudications, but can merely suggest that a specific act or activity may be in violation of a particular law(s). Moreover, in almost every country, you may appeal to at least two superior courts and possibly vacate the judgement of the inferior court.


3) In most countries, the vast majority of laws that criminalize hacking require a malicious intent to cause damage to (a) integrity (e.g. defacement or web shell upload), OR (b) availability (e.g. DoS), OR (c) confidentiality (e.g. extracting data via SQL injection) of any [computer] system [that does not belong to you OR that you are not duly authorized to use in such a manner].

3.1 Re frivolous claims that "testing without consent is illegal". Always ask your opponent: (a) in the jurisdiction of which particular state it is illegal, (b) which particular law, statute or act recognizes such activities as illegal, (c) which particular section/paragraph of the law states that these activities are illegal. Finally, ask for previous cases where a court has already adjudicated this specific, or a less offensive, behavior to be a crime. Ask about the definition of "testing" and "consent" specified by the law or accepted by the courts. Does a copy-paste of numerous phrases with double quotes into a website search represent "testing without consent" under this specific law?

3.2 Exploitation of SQL injection can be a criminal offense in almost every jurisdiction. /*This is why Open Bug Bounty never accepts them*/. However, when the hacking of hundreds of celebrities is punished by six months of prison in the US, a single quote in your browser address line is quite unlikely to trigger a prosecutor spending his/her limited resources to prosecute this.

3.3 Customized crawling of a public website for accidentally leaked confidential information (e.g. passwords) may be considered a crime in many jurisdictions as well. This is because you, and any reasonable person in your shoes, know or should have known that this information is strictly confidential, and therefore you knowingly violate the confidentiality by abusing the weakness (even if you don't make any money with it afterwards). On the other hand, if you open a suddenly defaced website and it contains 10,000 passwords on the main page in plaintext - you have not committed an offense (but be careful: if you store them locally - you may be found guilty).

3.4 Careful and non-intrusive testing (i.e. that is not aimed to and cannot affect integrity, availability or confidentiality of the website or related computer systems such as databases) of a public website with the sole pro bono intent to help fix the vulnerability is very unlikely to be found illegal in the majority of jurisdictions. However, running general-purpose security tools (e.g. scanners that test for all types of vulnerabilities, including intrusive testing) against the systems, or extorting monetary remuneration for the discovered flaws, can likely be in violation of enacted laws in many jurisdictions.


4) Misleading claims about illegality of certain acts or activities can be indictable in many jurisdictions, especially if a third party that makes such claims has an interest to intimidate and unfairly preclude you from certain, otherwise lawful, activities. When someone, except law enforcement or judicial authorities, tries to intimidate you with allegations of illegality, you can politely remind them that their behavior can be against the law.


5) Instead of a conclusion, remember that law is a very complicated subject and even supreme courts change their verdicts from time to time. A minor factual difference in two very similar cases can dramatically change the outcome of a judgement. Therefore, it's almost impossible to give one-size-fits-all advice for any activities, from driving or cooking to information security. However, almost always, you can rely on common sense: if what you do is done in good faith and does not harm or put at risk individuals or society - you have a very low chance of being found guilty.
If you have any reliable information or cases to be added - please do so!

Spam404Online
Posts:296
Joined:Mon Nov 23, 2015 6:43 pm

Re: Questions of Legality

Post by Spam404Online » Tue Jul 25, 2017 9:55 pm

Very interesting! Thanks for providing this.

Out of my 22k submissions not once have I had any legal issues. I think only a total of 3 times have I had some negative (not at all legal) response but after explaining that I am only trying to help, they seem fine about it.

Aside from those 3 experiences, every other interaction has been great. Some even overly positive, like inviting me to their company headquarters or paying expenses for security conferences. Meeting the people on the other end of my report in real life was surprising, as I wasn't sure how they would react or feel about me (probably could have guessed, given they've flown me all across the globe :lol:), but they were super appreciative and glad it was me letting them know about the vulnerability rather than discovering it being exploited while looking at their server logs.

The whole legal ordeal regarding OBB probably has some substance in certain countries but it still makes me laugh every time when I think about someone getting into trouble for pointing out a reflected cross-site scripting or open redirect vulnerability. I'll eat my white hat should I have a legal issue while using OBB to help website owners rectify vulnerabilities on their websites :)

micomat
Posts:169
Joined:Tue Mar 07, 2017 7:16 pm

Re: Questions of Legality

Post by micomat » Wed Jul 26, 2017 5:00 am

Well, I can speak only for the country I live in: Germany.

Here the law ("Hacker Article") is talking about:

§202a "Spying out data"
"Anyone who is unauthorized or has access to data which is not intended for him and which is particularly secured against unauthorized access, by overcoming the access security"
--> so that does not fit XSS or CSRF testing. May fit SQLi, but also not sure. For IAC tests it could be a problem.

§202b "Interception of data" -> does not fit XSS or the like

§202c "Prepare for spying out and intercepting data"
Whoever prepares a crime according to § 202a or § 202b, by
1. Creating passwords or other security codes that allow access to data (§ 202a), or
2. Creating computer programs whose purpose is the commission of such an act,
or sells them to another person, distributes or otherwise makes them available to others, ..

--> so that is also irrelevant for XSS. For IAC, when testing with default passwords, it might be a problem.

I was talking to a lawyer regarding bounty hunting and he was quite sure it's not a big deal, as especially for XSS you're just entering data in a field made for entering data. Data handling and neutralization is up to the website owner.

I've furthermore had some lawyers on my "hit list" who never had any complaints about my information.

mradamdavies
Posts:29
Joined:Wed Nov 25, 2015 3:00 pm

Re: Questions of Legality

Post by mradamdavies » Wed Aug 09, 2017 3:39 pm

Spam404Online wrote:
Tue Jul 25, 2017 9:55 pm
Very interesting! Thanks for providing this.

Out of my 22k submissions not once have I had any legal issues. I think only a total of 3 times have I had some negative (not at all legal) response but after explaining that I am only trying to help, they seem fine about it.
I received legal threats from a previous employer after making my Barclays Bank post live. I don't think they understand the law as they couldn't have instantiated legal action on their behalf, if they wanted to.

§202a "Spying out data"? Not exfiltration of data?

As an aside: The Law Society of Ireland were very receptive to having their security issues fixed. They had as much right to try litigation as anyone. I got some free swag for helping them instead of a visit from the police. :)

micomat
Posts:169
Joined:Tue Mar 07, 2017 7:16 pm

Re: Questions of Legality

Post by micomat » Sun Aug 13, 2017 7:13 am

mradamdavies wrote:
Wed Aug 09, 2017 3:39 pm
Spam404Online wrote:
Tue Jul 25, 2017 9:55 pm
Very interesting! Thanks for providing this.

§202a "Spying out data"? Not exfiltration of data?

Nope, it's not exfiltration, it's spying out.

baptx
Posts:2
Joined:Mon Aug 28, 2017 9:36 am

Re: Questions of Legality

Post by baptx » Tue Apr 17, 2018 2:46 pm

Hello, can you recommend a professional liability insurance for security testing and vulnerability reporting on Open Bug Bounty?

kongwenbin
Posts:18
Joined:Sun Sep 24, 2017 4:30 am

Re: Questions of Legality

Post by kongwenbin » Fri Apr 20, 2018 8:04 am

I believe that as long as people remember not to perform any intrusive testing and do not exploit the discovered issues in a bad way, most companies should be fine with it and might even appreciate the kind gesture of notifying them. One thing I observed that might be a potential problem is when researchers don't contact the company properly.

For example, I spoke with a friend a few weeks back. He works at a bank and he was notified that there was going to be a public disclosure on Openbugbounty for one of his bank's subdomains in the next few days. That was the first time he knew about the platform. He doesn't have any impression of anyone ever trying to contact them about anything related to this report in the past few months either. He is interested in fixing the problem, but he only has a few days and, at that time, he didn't even know how to reproduce the issue, and it is going to be difficult for his team to investigate without knowing the payload.

So guys, please do your best to contact the company if you find something on their website, unless they really do not want to reply back at all -- at least we tried our best.

baptx
Posts:2
Joined:Mon Aug 28, 2017 9:36 am

Re: Questions of Legality

Post by baptx » Sun Apr 29, 2018 1:14 pm

I know the risk of having complaints is low if we do responsible testing, but sometimes stored XSS can make a site unavailable with a simple alert test. It happened to me once because the JavaScript code was replaced with an empty string and the interface kept loading indefinitely for all users. Hopefully there was a contract with the website; I saw the problem and found a way to revert my action. An insurance could help in some cases.

There is also the case of unfixed vulnerabilities being published: a website owner could complain that a CSRF issue was exploited to edit or delete data by someone who found it on Open Bug Bounty. And an unfixed public XSS issue could be used for session hijacking or data exfiltration.
A website owner could say he did not receive our emails or that he was not available for more than 3 months.
When submitting a bug that is listed publicly on Open Bug Bounty and whose details are hidden from the public for 3 months, the reports could still be used to find vulnerable websites and easily find an exploit if it is a systemic XSS or CSRF.

The safest / most ethical way to respect privacy while reporting a vulnerability on Open Bug Bounty would be to make the report private by checking the "Do not publish the incident" option and only make it public if the vulnerability is fixed and the website owner agrees.

I may need professional liability insurance for freelance development, so it would be good if it included bug bounties.
Let me know if someone knows of insurance for bug bounties at a reasonable price.

Update:

Here is an interesting article, "18 year old guy arrested for reporting a shamefully stupid bug in the new Budapest e-Ticket system": https://blog.marai.me/2017/07/24/18-yea ... -e-ticket/
Not sure if it is a coincidence, but the article was published 1 day before the creation of this topic by @x1admin :D
I found the link in this article: https://www.cyberscoop.com/eu-vulnerabi ... ask-force/
