Comment by thrdbndndn
1 year ago
I'm not a legal expert, but is it necessary for an act to pose a threat to "national" security for it to be considered illegal in places like the United States?
In my country, we have a law known as "The Crime of Destroying Computer Information Systems." This law makes it a criminal offense to intentionally harm computer systems in a way that could compromise them (which is somewhat vague in its definition, I'd admit). This includes leaking private information from these systems, and it applies even if the affected systems belong to private entities. And if you sell exploits to a third party and are later caught, you will be considered an accomplice and there are precedents for this.
The United States has similar laws in place. There have even been cases where people were convicted for responsible disclosure, since they had to circumvent the system to determine that there was indeed an exploit. It's not as common as it used to be, but there are plenty of small financial firms that would still go after someone reporting an exploit.