In the process of using a town's court website to try to pay a parking ticket, I practically-accidentally found a security vulnerability in it. The vulnerability immediately showed me many people's personal information. I closed the page when I realized what had happened. I didn't report the issue because I was worried that the people running a small town's buggy court website might be more interested in figuring out what laws I broke than understanding the issue. I'd rather have nothing to do with it. It's the only time I haven't reported a security vulnerability I've found. I'm probably over-thinking it, but when there's other groups that invite vulnerability reports and even give bug bounties, it just feels like an unnecessary risk reaching out to ones that don't.
35 years of jail time has a powerful chilling effect.
How this article could talk about the 'surprising' lack of ethical hackers without covering this law and it's abuse is beyond me.
It's like talking about the 'surprising lack of research into clinical MDMA studies' and not talk about the war on drugs. It's like they are intentionally ignoring the HUGE elephant in the room.
But when CFAA makes all hacking criminal, the only hackers left are criminals.
Ethically motivated hackers should have the same protections as whistle blowers - The day that happens, the world becomes more safe and transparent.
But transparency is not what everyone wants, obviously.
I wish I was more surprised that mainstream media fails to mention this important part of the state of cyber security in the US.