Comment by SkyBelow

>which puts the liability on the person that does the unauthorized access

Which is almost always the person finding the bug. Most services include language that limit your ability to find vulnerabilities in their systems as part of being allowed to access their service. If you find the vulnerability without ever accessing the service you might have an out, but that also means you have to sell the exploit with less ability to convince the buyer that it is something significant.