Hacker Tradecraft Volume 19 — The Legal Line and Ethics
The Computer Fraud and Abuse Act at depth, Van Buren and the post-2021 narrowing, international equivalents, authorization in practice — SOW / scope / ROE / get-out-of-jail letter — disclosure ethics and the four-path decision tree, the RF and spectrum-law overlay, and the ethical frameworks that sit beneath the legal minimum
Contents
| Section | Topic |
|---|---|
| 1 | About this volume |
| 2 | CFAA in depth |
| 3 | International equivalents |
| 4 | Authorization in practice |
| 5 | Disclosure ethics |
| 6 | RF-specific law |
| 7 | Ethical frameworks |
| 8 | Cross-reference index |
| 9 | Resources |
1. About this volume
Vol 19 is the legal-and-ethical anchor for the entire series. Every hat volume (Vols 6–12) carries a §1 legal-line callout that points here for depth; every reference-cluster volume (Vols 13–17) carries a §7 legal-and-regulatory section that summarizes the relevant material and points here for the full statutory walkthrough; the synthesis volumes that follow (Vol 18 Careers, Vol 20 Cheatsheet, Vol 21 Glossary) all reference this volume’s frozen anchors. Of the 21 volumes in the series, this is the most-cross-referenced single document — its H2 anchors are load-bearing for inbound links from every other volume.
The reader (tjscientist — 45+-year EE/SW engineer, peer-level) is treated here as a security practitioner thinking through the legal envelope around their own work, not as a lawyer or law student. The framing is engineer-grade. Statutory text is quoted where it does load-bearing work, summarized where the text adds noise, and translated where a term-of-art (“protected computer,” “exceeds authorized access,” “without right”) will mislead an engineer reading it with software-engineering intuitions. Case law is treated factually — what the court actually held, what it did not hold, where lower courts have applied or distinguished it. Where commentary is contested, the contest is flagged rather than resolved.
The lens applied to the material in this volume is what a competent practitioner needs to know to operate legally, not what the statute should be or how an academic-legal critique would read. The reform debates (the U.S. push to amend the CFAA after the Aaron Swartz prosecution; the UK CyberUp Campaign’s multi-year effort to add a statutory defense to the Computer Misuse Act; the German Hackerparagraph controversy) appear here as context for the current operating envelope, not as advocacy. The reader operating in 2026 operates under the statutes as they are.
The other framing the reader should carry forward: the law is the floor, not the ceiling. A practitioner whose conduct is legally clean can still operate unethically — testing systems whose owners did not knowingly authorize the test, retaining access beyond engagement close, releasing exploit detail that the public-interest balance did not call for. The ethical-frameworks section (§7) treats the layer of practice that sits above the legal minimum. Both layers do work; neither layer obviates the other.
Engineer-grade framing, not legal advice — load-bearing callout. This volume is a practitioner reference for the legal-and-ethical operating envelope around modern security work. It is not legal advice. Statutes change; case law accumulates; prosecutorial discretion varies by jurisdiction and by year; civil-liability exposure follows different rules than criminal exposure. The reader facing a specific concrete situation — a contemplated engagement, a vulnerability they’ve discovered, a vendor’s hostile response to a disclosure, a question about whether a particular RF operation is permitted — should consult a licensed attorney in the relevant jurisdiction. The Electronic Frontier Foundation’s Coders’ Rights Project[1] and the equivalent organizations in other jurisdictions (the UK’s Open Rights Group; the Chaos Computer Club’s German legal-aid network) are the canonical starting points when a practitioner needs counsel and does not yet have a relationship with one. The frameworks in this volume are accurate to early 2026 and reflect the published-research consensus among practitioners and the practitioner-legal-defense bar; nothing in them substitutes for case-specific advice.
A note on the volume’s structure. The H2 headings are FROZEN — they were chosen specifically because every other volume in the series links into them, and renaming any of them silently breaks the inbound links the auto-generated anchor convention produces. New material added in subsequent revisions is added under existing headings or under new headings appended at the end; existing headings are never renamed.

Figure 19.1 — The United States Supreme Court. The Van Buren v. United States decision (2021) narrowed the CFAA’s “exceeds authorized access” prong substantially; the case is treated at depth in §2.3. File:US Supreme Court.JPG, photo by Mr. Kjetil Ree. License: CC BY-SA 3.0 (https://creativecommons.org/licenses/by-sa/3.0). Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3AUS%20Supreme%20Court%20JPG).
2. CFAA in depth
The Computer Fraud and Abuse Act, codified at 18 U.S.C. § 1030, is the operative U.S. federal statute for unauthorized computer access. Its 1986 enactment history (Pub. L. 99-474) and the 1984 predecessor (the Counterfeit Access Device and Computer Fraud and Abuse Act, Pub. L. 98-473) were treated at depth in Vol 3 §4; this section walks the statute as it stands in 2026 — its operative subsections, the “protected computer” reach, the “without authorization / exceeds authorized access” framing as narrowed by Van Buren, the mens rea requirements, the penalty structure, and the canonical stacked-charges geometry that the Aaron Swartz prosecution made visible to a broader audience.
2.1 Statutory structure — the seven prohibitions
The CFAA’s operative section, § 1030(a), enumerates seven categories of prohibited conduct. The structure has been substantially stable since the 2008 amendments; minor amendments since (most recently in the 2015 USA FREEDOM Act adjustments) have not changed the operative subsections. The 2026-current structure[2]:
| Subsection | Prohibited conduct | Mens rea | Notes |
|---|---|---|---|
| § 1030(a)(1) | Knowingly accessing a computer without authorization (or exceeding authorized access) and obtaining national-security information; willfully communicating, retaining, or refusing to deliver it | “Knowingly” + “willfully” | The espionage subsection. Rarely charged standalone; often paired with the Espionage Act (18 U.S.C. § 793 et seq.). The Snowden indictment carries a § 1030(a)(1) count alongside Espionage Act counts |
| § 1030(a)(2) | Intentionally accessing a computer without authorization (or exceeding authorized access), and obtaining (A) financial-record information from a financial institution / card issuer; (B) information from any U.S. department or agency; or (C) information from any protected computer | “Intentionally” | The workhorse subsection. (C) reaches essentially any internet-connected computer. The “information” element is broad — viewing on-screen output suffices; no exfiltration required[3] |
| § 1030(a)(3) | Intentionally accessing without authorization any nonpublic computer of a U.S. department or agency | “Intentionally” | Government-system trespass. Charged in cases where the accessed information was not classified enough to trigger (a)(1) |
| § 1030(a)(4) | Knowingly and with intent to defraud, accessing a protected computer without authorization (or exceeding), and by such conduct furthering the intended fraud and obtaining anything of value (subject to a value threshold) | “Knowingly” + intent to defraud | The fraud-by-computer subsection. Heavy overlap with the wire-fraud statute (18 U.S.C. § 1343); typically charged together |
| § 1030(a)(5)(A) | Knowingly causing the transmission of a program, information, code, or command, and as a result intentionally causing damage without authorization to a protected computer | “Knowingly” (transmission) + “intentionally” (damage) | The malware / DoS / sabotage subsection. Morris was charged under the predecessor of this provision (Vol 3 §5.4); modern ransomware operators are charged under this subsection when the U.S. has jurisdiction |
| § 1030(a)(5)(B) | Intentionally accessing a protected computer without authorization, and as a result recklessly causing damage | “Intentionally” (access) + “recklessly” (damage) | The “I didn’t mean to break it, but I knew the risk” subsection. Lower mens rea on damage than (a)(5)(A) |
| § 1030(a)(5)(C) | Intentionally accessing a protected computer without authorization, and as a result causing damage and loss | “Intentionally” (access) — no mens rea on damage | The strict-liability damage subsection. The lowest mens rea bar on damage in the statute |
| § 1030(a)(6) | Knowingly and with intent to defraud, trafficking in any password or similar information through which a computer may be accessed without authorization, where (A) the trafficking affects interstate or foreign commerce, or (B) the computer is used by/for the U.S. government | “Knowingly” + intent to defraud | The credential-trafficking subsection. Reaches initial-access-broker selling of credentials; modern dark-market credential sales are charged here, often paired with (a)(2) and wire fraud |
| § 1030(a)(7) | With intent to extort money or any thing of value, transmitting in interstate or foreign commerce a communication containing (A) a threat to damage a protected computer; (B) a threat to obtain information from / impair confidentiality of information on a protected computer; or (C) a demand for money in relation to damage caused, where the damage was caused to facilitate the extortion | “Intent to extort” | The computer-extortion subsection. Modern ransomware-extortion charges live here, usually paired with the Hobbs Act (18 U.S.C. § 1951) and wire fraud |
Table 19.1 — The CFAA’s operative subsections as of 2026. Penalty levels (treated in §2.4) vary substantially by subsection, by aggravating factor, and by repeat-offender status; the table here is the conduct-and-mens-rea map. The historical-context treatment of the 1986 enactment is at Vol 3 §4; this section reads the statute as a working practitioner reference.
The structural observation worth carrying forward: the CFAA criminalizes conduct (access, transmission, trafficking, threats), not technique (no subsection references buffer overflows, SQL injection, password cracking, or any other specific method). This makes the statute technology-neutral — it applies just as cleanly to a 2026 cloud-API-key-abuse case as it did to the 1986-era dial-up VAX trespass it was drafted for. The trade-off, which has driven three decades of litigation, is that the load-bearing terms (without authorization, exceeds authorized access, protected computer, damage, loss) are not technically defined and have moved over time under judicial interpretation.
2.2 The “protected computer” reach
The CFAA’s jurisdictional hook is the “protected computer” definition at § 1030(e)(2). A protected computer is, in the 2026-operative reading:
- A computer exclusively for the use of a financial institution or the U.S. government, OR a computer used by or for such an institution where the conduct affects that use (subsection (e)(2)(A)); OR
- A computer which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication (subsection (e)(2)(B)).
The (e)(2)(B) clause is the consequential one. Read in the era of universal internet connectivity, “used in or affecting interstate commerce or communication” reaches essentially every internet-connected computer on Earth as long as some U.S. nexus can be argued. The Supreme Court has not narrowed this reach; lower courts have consistently read it broadly. The practical operating assumption for 2026 practitioners is: any internet-connected computer is a “protected computer” under the CFAA. The (e)(2)(A) federal-government clause adds extraterritorial reach for U.S.-government systems specifically.
The extraterritorial reach matters for non-U.S.-resident researchers as well as for U.S.-resident researchers targeting non-U.S. infrastructure. A researcher in Berlin accessing a U.S.-located cloud-hosted system is operating against a protected computer; the U.S. statute can reach the conduct if the researcher enters U.S. territory at any point afterward (Auernheimer, whose prosecution is discussed in Vol 8 §7.4, was a U.S. resident; the more cautionary cases involve foreign nationals — e.g. the Marcus Hutchins prosecution discussed in Vol 6 §7, arrested at Las Vegas / DEF CON in 2017 on charges predating his WannaCry-killswitch work). The interaction with international extradition treaties (treated in §3 below) is the larger geometry; the per-statute jurisdictional reach is the local-rule starting point.
2.3 Van Buren v. United States (2021) — the narrowing
The most consequential CFAA judicial intervention of the 2020s is Van Buren v. United States, 593 U.S. 374 (2021), No. 19-783; 141 S. Ct. 1648[4]. The 6–3 decision (Barrett, J., joined by Breyer, Sotomayor, Kagan, Gorsuch, Kavanaugh; Thomas, J., dissenting, joined by Roberts and Alito) substantially narrowed the “exceeds authorized access” prong of § 1030(a)(2), resolving a long-running circuit split that had divided practitioners and prosecutors for two decades.
The facts. Nathan Van Buren was a Cumming, Georgia police sergeant. In 2015, an FBI sting operation arranged for an associate of Van Buren’s (Andrew Albo, a man with whom Van Buren had a transactional relationship) to ask Van Buren — for cash — to look up a license plate on the Georgia Crime Information Center (GCIC) database. Van Buren was authorized to access GCIC as part of his job; the database policy prohibited use of the system for any purpose other than law-enforcement business. Van Buren ran the requested license-plate lookup in exchange for $5,000. He was charged with honest-services wire fraud and with violating § 1030(a)(2) under the “exceeds authorized access” prong — the prosecution’s theory being that Van Buren’s authorization extended only to law-enforcement-purpose lookups, and his cash-motivated lookup exceeded that purpose-bounded authorization.
The holding. The Court rejected the purpose-based reading. Justice Barrett’s majority opinion held that “exceeds authorized access” reaches only conduct where the defendant accesses information located in particular areas of the computer — such as files, folders, or databases — that are off-limits to him. An individual with valid credentials who accesses information they are entitled to access does not “exceed authorized access” merely by accessing it for an improper purpose. The Court characterized this as a “gates-up-or-down” distinction: either the user has access to the data at all (gates up — using it for any purpose is not CFAA conduct) or they do not (gates down — accessing it is CFAA conduct). The purpose-based intermediate category that the lower courts in some circuits had recognized — gates up for some purposes, down for others — was rejected.
The narrowing effect. Van Buren substantially constrained the most expansive prior reading of “exceeds authorized access.” Under the pre-Van Buren broad reading (adopted by the First, Fifth, Seventh, and Eleventh Circuits before the decision; rejected by the Second, Fourth, and Ninth), virtually any employee policy violation that involved a computer could be charged as a CFAA crime — from running a personal errand on a work laptop, to scraping a website in violation of its terms of service, to accessing customer records for a non-job-related purpose. The decision eliminated this expansive reach for the “exceeds authorized access” prong. Several categories of conduct that had been actively contested in litigation are now substantially safer:
- Employee policy violations that involve accessing data the employee is entitled to access for some purposes (Van Buren’s exact fact pattern) are no longer CFAA “exceeds authorized access” violations. The remedy is employment-law, not federal-criminal-law.
- Web scraping in violation of terms of service of publicly-accessible data is, post-Van Buren, on much firmer ground for the researcher. The Ninth Circuit’s hiQ Labs v. LinkedIn decision (2019, reaffirmed 2022 in light of Van Buren) confirmed that scraping publicly-accessible LinkedIn profiles does not violate the CFAA[5]. The Court did not decide hiQ directly but its analysis carried the same logic.
- Academic-research scraping of publicly-accessible data (the kind of work that arguably brought the Aaron Swartz prosecution into being) is, post-Van Buren, on substantially safer ground. The Swartz facts themselves remain contested — Swartz used a closet-access entry point and an unauthenticated download volume — but the purpose-based CFAA reading that the Swartz prosecution rested on is now substantially weaker.
What Van Buren did NOT narrow. Critically for the practitioner reading, Van Buren narrowed only the “exceeds authorized access” prong. The “without authorization” prong — the other half of § 1030(a)(2) and several other subsections — remains substantially untouched. The classic unauthorized-access fact pattern (no valid credentials; exploitation of a vulnerability to gain initial access; password guessing against a system the actor has no relationship with) remains fully chargeable under the unchanged prong. The decision does not provide a “good-faith research” defense; it does not narrow the “protected computer” definition; it does not address the stacked-charges geometry; it does not address civil liability under § 1030(g). Practitioners reading Van Buren as a broader liberalization than it is have over-read the decision.
The post-Van Buren landscape. The DOJ’s May 19, 2022 CFAA charging policy update (treated at depth in §4.6 below) was the executive-branch response — the policy directs federal prosecutors not to charge “good-faith security research” as a CFAA violation, formalizing prosecutorial discretion that informally existed before. Subsequent lower-court decisions applying the Van Buren framework have generally tracked the gates-up-or-down framing[6]. By 2026 the academic-research and bug-bounty community has largely settled into the post-Van Buren working envelope, a meaningfully better operating posture than the pre-2021 environment, while continuing to operate inside the surviving “without authorization” framework with appropriate care.
2.4 Penalty structure
CFAA penalties scale by subsection, by mens rea, by aggravating factor, and by repeat-offender status. The 2026-operative penalty structure[7]:
- § 1030(a)(1) — espionage: up to 10 years imprisonment for the first offense; up to 20 years for a second or subsequent offense.
- § 1030(a)(2) — unauthorized access + obtain information: misdemeanor (up to 1 year) for the baseline offense; felony (up to 5 years) if the offense was committed for commercial advantage or private financial gain, in furtherance of any criminal or tortious act, or where the value of the information obtained exceeds $5,000; up to 10 years for a second or subsequent offense.
- § 1030(a)(3) — government-system trespass: misdemeanor (up to 1 year) baseline; up to 10 years for a second offense.
- § 1030(a)(4) — fraud by computer: up to 5 years for the first offense; up to 10 years for a second or subsequent offense.
- § 1030(a)(5)(A) — intentional damage transmission: up to 10 years for the first offense; up to 20 years for a second offense; up to life imprisonment if the offender knowingly or recklessly causes or attempts to cause serious bodily injury or death.
- § 1030(a)(5)(B), (C) — recklessness / strict-liability damage: up to 5 years (B) or 1 year (C) baseline; enhanced for repeat offenders and for damage thresholds.
- § 1030(a)(6) — credential trafficking: up to 1 year baseline; up to 10 years for a second offense.
- § 1030(a)(7) — extortion: up to 5 years for the first offense; up to 10 years for a second or subsequent offense.
Federal sentencing operates under the U.S. Sentencing Guidelines, which produce advisory ranges from a complex calculation of offense-level, criminal-history, and adjustments. Most CFAA-charged defendants do not receive the statutory maximums; pre-trial plea agreements drive most outcomes toward sentences substantially below the theoretical maximums. The Morris sentence of three years’ probation + community service (Vol 3 §5.4) is illustrative of the early-CFAA era; modern sentences have typically been longer for substantively similar conduct, reflecting both increased loss valuations and changed prosecutorial posture.
The theoretical-maximum-aggregate problem is treated in §2.6 below. The point worth flagging here: a single course of conduct can produce charges under multiple subsections (an unauthorized-access incident that involves both information acquisition and damage triggers (a)(2) and (a)(5); a credential-stuffing operation triggers (a)(2) and (a)(6); a ransomware operation triggers (a)(2), (a)(5)(A), and (a)(7)), and the per-charge maximums stack. The headline “300-year sentence threat” numbers that recur in CFAA-prosecution press coverage are arithmetic sums of per-charge maximums; actual sentences are typically a small fraction of these arithmetic ceilings, but the ceilings shape plea-negotiation dynamics.
2.5 Mens rea requirements
The CFAA’s mens rea requirements vary by subsection, and the variation is load-bearing. The applicable mental states:
- “Knowingly” — the actor was aware of the nature of their conduct (e.g., knew they were accessing a computer). The default mental state under federal criminal law; applies to many CFAA subsections.
- “Intentionally” — the actor had a purpose to engage in the conduct or cause the result. Higher than knowingly; the actor’s actions were directed at the prohibited conduct.
- “Willfully” — the actor knew their conduct was unlawful. The highest mens rea; restricted to subsections involving willful communication or retention (e.g., § 1030(a)(1) espionage).
- “With intent to defraud” — the actor had a purpose to deceive or cheat. The fraud-specific mens rea; applies to § 1030(a)(4) and § 1030(a)(6).
- “Recklessly” — the actor was aware of and disregarded a substantial and unjustifiable risk. The lowest culpability above strict liability; applies to § 1030(a)(5)(B) for the damage element only.
The Morris appellate decision (United States v. Morris, 928 F.2d 504 (2d Cir. 1991)[8]; treated in Vol 3 §5.4) is the foundational mens rea case. The Second Circuit held that “intentionally” in the predecessor of § 1030(a)(5)(A) attached to the access, not to the damage — meaning that Morris’s intent to release the worm sufficed for liability even where the worm’s damage was unintended (Morris had a defective anti-reinfection check that caused the fork-bomb behavior; he did not intend the resulting Internet collapse). The decision established a pattern that subsequent courts have largely followed: mens rea attaches narrowly to the specific element it modifies, and a defendant cannot escape liability by arguing the result was unintended where the access or transmission was intended.
For the practitioner reading: the mens rea analysis is generally not protective of constructive-motive grey-hat activity. Intent to access is satisfied by the act of accessing; the actor’s good-faith purpose does not negate intent. The discretion that protects good-faith research lives in prosecutorial-charging decisions (treated at §4.6) and at sentencing, not at the mens rea element of the offense.
2.6 Stacked-charges geometry — the Aaron Swartz prosecution
The CFAA’s stacked-charges geometry is the structural feature that has, throughout the statute’s history, produced charge stacks that look numerically extreme given the actual conduct. The geometry has three components:
- Multiple CFAA subsections. A single course of conduct can implicate multiple subsections — (a)(2) for the access + information obtained, (a)(5) for any damage caused, (a)(6) if credentials were trafficked, (a)(7) if extortion was involved. Each subsection is a separate count.
- Per-access counting. Many subsections count each access to each protected computer as a separate violation. A multi-system intrusion can produce dozens or hundreds of counts.
- Non-CFAA federal charges that stack. Wire fraud (18 U.S.C. § 1343) carries up to 20 years per count and applies to almost any CFAA conduct that uses interstate communications. Conspiracy (18 U.S.C. § 371) adds a separate 5-year ceiling. Aggravated identity theft (18 U.S.C. § 1028A) adds a mandatory 2-year consecutive sentence per count where the offense involved another person’s identification. Money-laundering (18 U.S.C. § 1956) adds up to 20 years per count where the operation involved laundering of proceeds. The IEEPA / OFAC sanctions framework (covered at Vol 7 §6.4) adds further counts where the operation touched sanctioned jurisdictions.
The canonical demonstration of how this geometry can produce numerically extreme exposure is the Aaron Swartz prosecution. Swartz, a programmer, Reddit co-founder, and Creative Commons / Demand Progress activist, was charged in 2011 with conduct related to his bulk download of academic articles from the JSTOR database via the MIT campus network. The relevant facts (drawn from the superseding indictment and the EFF / MIT subsequent reporting[9]):
- Swartz connected a laptop to the MIT campus network in a wiring closet (the closet was accessible but the entry was characterized in the indictment as unauthorized).
- He used a script to download JSTOR articles in bulk — by some accounts to make them freely available; JSTOR did not retain a clear motive determination, though Swartz’s activist alignment was on the public record.
- JSTOR’s response was to terminate Swartz’s access and accept his return of the downloaded data; JSTOR did not pursue civil action.
- MIT did not pursue civil action either; MIT’s posture was less clear-cut than JSTOR’s, but it did not seek criminal prosecution.
- The federal prosecution was driven by the U.S. Attorney’s office in Massachusetts (Carmen Ortiz, U.S. Attorney; Stephen Heymann, lead AUSA). The original 2011 indictment carried four counts; the September 2012 superseding indictment carried thirteen counts.
The thirteen-count superseding indictment included two CFAA computer-fraud counts under § 1030(a)(4), five CFAA unauthorized-access counts under § 1030(a)(2) and § 1030(a)(5)(B), two wire-fraud counts under § 1343, one conspiracy count under § 371, and three additional counts for related conduct. The theoretical aggregate maximum for the indictment was approximately 35 years’ imprisonment and $1 million in fines by the prosecution’s calculation, with some commentators (including, controversially, some press coverage) reporting up to 50 years by including alternative-charge stacks. Swartz declined a plea offer of approximately six months’ imprisonment.
Swartz took his own life on January 11, 2013, before the trial concluded. The subsequent public-pressure response — the “Aaron’s Law” reform bills introduced repeatedly in Congress since 2013 (the most recent was the 2023 Computer Fraud and Abuse Act Reform Act; none has passed)[10] — has not produced statutory amendment. The post-Swartz reform discussion is the historical context for the 2022 DOJ policy update (treated at §4.6 below), which was, in part, an executive-branch attempt to address the prosecutorial-discretion concerns that the Swartz case crystallized without requiring congressional action.
The structural lesson the Swartz case carries: the CFAA’s stacked-charges geometry can produce headline-extreme exposure for conduct that, under any sentencing-guidelines calculation or any reasonable plea offer, would have produced a fraction of the theoretical maximum. The geometry is not the result of any single prosecutorial overreach; it is the cumulative effect of three decades of legislative amendments that added counts and increased penalties without restructuring the underlying counting rules. The 2022 DOJ policy update reflects the executive branch’s attempt to manage the geometry through prosecutorial discretion; the statutory geometry itself remains unchanged.
The CFAA stacked-charges geometry — schematic.

```text
┌──────────────────────────────────────────────────────────────────────┐
│ SINGLE INTRUSION INCIDENT                                            │
│                                                                      │
│ actor accesses target system; obtains information;                   │
│ moves laterally to other systems; causes some damage;                │
│ uses someone else's credentials in the process                       │
└──────────────┬───────────────────────────────────────────────────────┘
               │
               ├──► § 1030(a)(2) ─ access + obtain information ── up to 5 yr per system per count
               │        (one count per protected computer accessed)
               │
               ├──► § 1030(a)(4) ─ access + intent to defraud ── up to 5 yr per count
               │        (one count per fraud act)
               │
               ├──► § 1030(a)(5) ─ damage ── up to 10 yr per count (A); 5/1 yr (B/C)
               │        (one count per damaged system)
               │
               ├──► § 1030(a)(6) ─ credential trafficking ── up to 1 yr per count first offense
               │        (one count per credential used)
               │
               ├──► 18 U.S.C. § 1343 ─ wire fraud ── up to 20 yr per count
               │        (one count per electronic communication)
               │
               ├──► 18 U.S.C. § 371 ─ conspiracy ── up to 5 yr per count
               │
               ├──► 18 U.S.C. § 1028A ─ aggravated identity theft ── mandatory 2 yr CONSECUTIVE per count
               │        (added to other sentences, cannot run concurrent)
               │
               └──► 18 U.S.C. § 1956 ─ money laundering ── up to 20 yr per count
                        (where proceeds were laundered)

THEORETICAL AGGREGATE MAXIMUM:
    per-count maxima summed across all counts
    = often dozens to hundreds of years for moderate-scope intrusions

ACTUAL TYPICAL SENTENCE (under USSG):
    single-digit years for moderate conduct;
    substantially less under plea agreements
```
Figure 19.2 — The CFAA stacked-charges geometry. A single intrusion incident can implicate every CFAA subsection plus multiple non-CFAA federal statutes; per-count maxima sum to theoretical-aggregate exposures that have produced repeated public-pressure cycles since the 1990s. The Aaron Swartz superseding indictment was a thirteen-count instance of this geometry. The geometry is shaped by prosecutorial-charging discretion, by U.S. Sentencing Guidelines, and by plea-bargaining dynamics — actual sentences are typically a small fraction of arithmetic ceilings, but the ceilings shape plea-negotiation dynamics and the public discourse around the statute.
The post-2022 DOJ policy update (§4.6) has substantially changed the prosecutorial-charging dynamics for the good-faith-research subset of cases; the geometry itself remains. The practical operating implication for a 2026 practitioner is that any unauthorized-access conduct carries a theoretical exposure considerably larger than the conduct itself would warrant under any reasonable calculation — and that the cost of bringing the case to trial rather than plea-bargaining is the operating leverage the statute provides to prosecutors. This dynamic is what makes engagement-paperwork discipline (treated in §4) the load-bearing legal-defense artifact for any sanctioned security work.
3. International equivalents
The CFAA is the U.S. statutory baseline; comparable computer-misuse statutes exist in essentially every developed jurisdiction and many developing ones. The international picture matters for three reasons. First, cross-border research touches multiple statutes: a researcher in Berlin scanning a U.S.-hosted cloud system is operating under both German StGB §§ 202a–c and the U.S. CFAA simultaneously. Second, extradition treaties operationalize the cross-border reach: a researcher whose conduct violates a foreign jurisdiction’s computer-crime statute may face prosecution in that jurisdiction or extradition to it. Third, safe-harbor and statutory-defense regimes vary substantially: the U.S. DOJ 2022 policy update is prosecutorial discretion; some jurisdictions have stronger frameworks, most have weaker. This section walks the principal international analogs.
3.1 United Kingdom — Computer Misuse Act 1990
The Computer Misuse Act 1990 (CMA) is the UK’s primary computer-misuse statute. It was enacted in response to the collapse of the prosecution of Stephen Gold and Robert Schifreen for the BT Prestel intrusion of 1984–85: their 1986 convictions under the Forgery and Counterfeiting Act 1981 were quashed on appeal, and the House of Lords confirmed in R v. Gold and Schifreen [1988] AC 1063 that the 1981 Act did not reach the conduct, prompting Parliament to draft a dedicated statute. The 1990 Act has been amended substantially by the Police and Justice Act 2006 (which rewrote § 3 and added § 3A) and the Serious Crime Act 2015 (which added § 3ZA), broadly paralleling the U.S. CFAA’s amendment trajectory11.
The CMA’s operative sections as of 202612:
- § 1 — unauthorised access. Causing a computer to perform any function with intent to secure access to any program or data held in any computer, where the access is unauthorised and the actor knows at the time that it is unauthorised. Triable either way since the 2006 amendments; maximum 2 years’ imprisonment on indictment, plus a fine.
- § 2 — unauthorised access with intent to commit further offences. § 1 conduct committed with intent to commit (or facilitate the commission of) a further offence under any other statute. Either-way offence; maximum 5 years imprisonment.
- § 3 — unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer. Doing any unauthorised act in relation to a computer, knowing it is unauthorised, with intent to impair the operation of any computer, prevent or hinder access to any program or data, impair the operation of any program or the reliability of any data, or enable any of the foregoing, or being reckless as to whether the act will do so. Either-way offence; maximum 10 years’ imprisonment on indictment.
- § 3ZA — unauthorised acts causing, or creating risk of, serious damage (added 2015). A § 3-type unauthorised act that causes, or creates a significant risk of, serious damage of a material kind (to human welfare, the environment, the economy, or national security), where the actor knows the act is unauthorised and intends or is reckless as to the damage. Indictable only; maximum 14 years’ imprisonment, or life where the damage is to human welfare or national security.
- § 3A — making, supplying or obtaining articles for use in computer misuse offences (added 2006). Reaches the tool layer — making, adapting, supplying, or offering to supply any “article” intending it for use in committing CMA offences, or obtaining any article with a view to its being used in such offences. Either-way offence; maximum 2 years imprisonment.
The § 3A “article” reach is the part of the UK framework that most directly differs from the U.S. CFAA. The U.S. statute does not criminalize making or supplying tools as such (§ 1030(a)(6) reaches trafficking in passwords and similar access information, not software); § 3A potentially does. The CPS’s published guidance interprets § 3A to require an intent that the article be used in the commission of an offence (not merely incidental possession), and directs prosecutors to weigh whether the article is widely available and has legitimate uses, but the chilling effect on UK-based security research has been a recurring concern.
The CyberUp Campaign is a multi-year reform coalition — coordinated by techUK and including NCC Group, Context Information Security, F-Secure UK (now WithSecure), CrowdStrike UK, the Internet Society UK, and a broad cross-section of UK security firms — advocating for a statutory public-interest defence to be added to the CMA. The defence, as proposed, would allow a defendant charged under § 1 to raise as a defence that the conduct was carried out in good-faith pursuit of cybersecurity research, threat intelligence, or vulnerability discovery, that the actor took reasonable steps to avoid harm, and that the public interest in the research outweighed the harm caused13. The reform trajectory through late 2025 and early 2026 has been the strongest movement in the campaign’s history. In December 2025, Security Minister Dan Jarvis MP (HM Government, Home Office) announced that the Government is “looking at” a legal change to the CMA to create a statutory defence for vulnerability researchers — the most significant public indication to date that CMA reform was moving from principle into policy design. The CyberUp Campaign was then referenced in the House of Lords during the Committee stage of the Crime and Policing Bill as peers tabled amendments aimed at introducing a statutory defence into the CMA. On February 3, 2026, the Public Bill Committee hearing on the Cyber Security and Resilience (Network and Information Systems) Bill also heard calls to reform the CMA. As of mid-May 2026, no statutory amendment has yet been enacted — the parliamentary process is mid-stage rather than concluded — but the issue has shifted from “campaign rhetoric” to “active legislative consideration in two concurrent bills.” The CMA, as it stands in 2026, does not contain a statutory good-faith-research defence; whether 2026 changes that is the practical question to watch.
The UK practitioner’s working posture therefore tracks the U.S. grey-hat practitioner’s posture: the statute provides no statutory defence; the Crown Prosecution Service exercises charging discretion; civil litigation under the CMA is not a primary risk (the CMA does not provide a private cause of action analogous to U.S. CFAA § 1030(g)). The risk envelope is dominated by criminal-charging discretion. The CyberUp Campaign’s progress (or lack of progress) is therefore the principal variable in the UK reform picture.
3.2 European Union — Directive 2013/40/EU
The EU operates at the directive level: Directive 2013/40/EU of 12 August 2013 on attacks against information systems14 sets the harmonisation framework, and member states implement it through national legislation. The Directive replaced Council Framework Decision 2005/222/JHA. It binds every member state except Denmark, which does not participate under Protocol No 22 to the Treaties and retains its own computer-crime provisions; the participating states have transposed it, with substantial drift in implementation detail.
Directive 2013/40/EU’s core requirements (the offences member states must criminalise):
- Article 3 — illegal access. Intentional access without right to the whole or any part of an information system, where committed by infringing a security measure. Member states must criminalise at least cases that are not minor (the same “not minor” floor applies to Articles 4–6).
- Article 4 — illegal system interference. Intentional and unauthorized act of seriously hindering or interrupting the functioning of an information system.
- Article 5 — illegal data interference. Intentional and unauthorized deletion, damage, deterioration, alteration, suppression of computer data or rendering of such data inaccessible.
- Article 6 — illegal interception. Intentional and unauthorized interception, by technical means, of non-public transmissions of computer data to, from or within an information system.
- Article 7 — tools used for committing offences. Intentional production, sale, procurement for use, import, distribution, or otherwise making available of devices or computer programs designed or adapted primarily for the purpose of committing any of the offences in Articles 3–6, or of computer passwords / access codes / similar data, with intent to commit any of the offences.
Article 9 sets floors on the maximum sentence member states must make available, not mandatory minimum sentences: a maximum of at least 2 years for the Article 3–7 offences (for cases that are not minor); at least 3 years for Article 4 and 5 offences committed with a tool designed or adapted primarily for large-scale attacks (the botnet aggravation); and at least 5 years where the offence is committed within a criminal organisation, causes serious damage, or targets a critical-infrastructure information system.
The member-state implementations vary. Germany’s §§ 202a–c StGB (treated separately at §3.5 below) predate the Directive, having been reshaped in 2007 for the 2005 Framework Decision and the Budapest Convention, and carry the notable controversy around the § 202c “tools” provision. France’s Articles 323-1 to 323-3-1 of the Code pénal implement the directive with maximum sentences from 3 to 7 years for the baseline offences. The Netherlands’ Wet computercriminaliteit III (adopted 2018, in force 2019) implements the directive with notably broad provisions on data interception and an expanded “system” definition. The cumulative picture: every participating member state has a fully-implemented CFAA-equivalent statute, with implementation drift that produces slightly different operating envelopes for practitioners in different member states but the same overall structure.
3.3 Canada — Section 342.1 Criminal Code
Canada’s primary computer-misuse provision is s. 342.1 of the Criminal Code of Canada15, which criminalizes, when done fraudulently and without colour of right, (a) obtaining any computer service; (b) intercepting any function of a computer system; (c) using a computer system with intent to commit an offence under (a) or (b) or mischief under s. 430 in relation to computer data; and (d) using, possessing, or trafficking in computer passwords that would enable such an offence. The maximum penalty is 10 years’ imprisonment on indictment; the offence is also punishable on summary conviction. Section 430(1.1) (mischief in relation to computer data) provides parallel coverage for data damage and is the Canadian analog to U.S. § 1030(a)(5).
Canada is a signatory to the Budapest Convention and has implemented its requirements; the s. 342.1 framework is well-aligned with Articles 2–6 of the Convention. There is no statutory good-faith-research defence; prosecutorial discretion (exercised by the Public Prosecution Service of Canada / Service des poursuites pénales du Canada) governs the operating envelope for security researchers.
3.4 Australia — Cybercrime Act 2001 and Criminal Code Act 1995, Part 10.7
Australia’s federal computer-misuse framework is Part 10.7 of the Criminal Code Act 1995 (Commonwealth), as substantially amended by the Cybercrime Act 2001 (Commonwealth)16. The Cybercrime Act 2001 brought Australia into compliance with the Budapest Convention; the resulting Part 10.7 provisions are:
- § 477.1 — unauthorised access, modification or impairment with intent to commit a serious offence. Maximum: penalty for the intended offence.
- § 477.2 — unauthorised modification of data to cause impairment. Maximum: 10 years’ imprisonment.
- § 477.3 — unauthorised impairment of electronic communication. Maximum: 10 years’ imprisonment.
- § 478.1 — unauthorised access to, or modification of, restricted data. Maximum: 2 years’ imprisonment.
- § 478.2 — unauthorised impairment of data held on a computer disk, etc. Maximum: 2 years’ imprisonment.
- § 478.3 — possession or control of data with intent to commit a computer offence. Maximum: 3 years’ imprisonment.
- § 478.4 — producing, supplying or obtaining data with intent to commit a computer offence. Maximum: 3 years’ imprisonment.
State-level computer-misuse statutes parallel the federal framework (each Australian state and territory has its own Criminal Code or comparable instrument with computer-misuse provisions). There is no statutory good-faith-research defence; the Commonwealth Director of Public Prosecutions and state DPPs exercise charging discretion.
3.5 Germany — § 202a–c StGB (“Hackerparagraph”)
Germany’s computer-misuse provisions, the Hackerparagraphen of the Strafgesetzbuch (StGB) §§ 202a (data espionage), 202b (data interception), and 202c (preparation of data espionage and interception), were substantially amended in August 2007 by the Strafrechtsänderungsgesetz zur Bekämpfung der Computerkriminalität (“Forty-First Criminal Law Amendment Act to Combat Computer Crime”)17. The 2007 amendment was Germany’s implementation of the EU and Council of Europe cybercrime obligations and remains controversial in the German security-research community.
The controversial provision is § 202c StGB, which criminalizes preparing a data-espionage or data-interception offence by producing, procuring for oneself or another, selling, transferring, distributing, or otherwise making available (1) passwords or other security codes enabling access to data, or (2) computer programs whose purpose is the commission of a [§ 202a or § 202b] offence. Maximum sentence: originally 1 year’s imprisonment or a fine, raised to 2 years in 2015 by the IT-Sicherheitsgesetz.
The 2007 amendment’s controversy lies in the breadth of “computer programs whose purpose is the commission of offences.” The Chaos Computer Club, the Bundesverband Informationswirtschaft, Telekommunikation und neue Medien (Bitkom), and the broader German security-research community argued that the provision criminalizes the dual-use security tools that practitioners routinely possess, distribute, and use (Nmap, Metasploit, John the Ripper, password-recovery tools). The German Federal Constitutional Court declined in 2009 to admit constitutional complaints against the provision, but its reasoning constrained it: § 202c reaches only programs whose objective purpose is the commission of a § 202a/b offence, handled with the intent to prepare one; dual-use tools possessed or distributed for legitimate purposes (testing, administration, research) fall outside it18. The practical effect of the BVerfG decision has been that prosecutions under § 202c have been rare and that practitioners possessing dual-use tools have not generally been at risk of prosecution merely for possession. The chilling effect on German security research has, however, been documented; several German security firms relocated operations to other EU jurisdictions in the years following the amendment.
The German federal government has, in 2024–2025, signaled an intent to revise the Hackerparagraph to add a clearer good-faith-research carve-out (the draft Gesetz zur Entkriminalisierung von IT-Sicherheitsforschung — “Act on the Decriminalisation of IT Security Research”). As of early 2026, the draft has not been enacted; the operating posture for German security researchers remains the BVerfG-constrained § 202c framework.
3.6 Japan — Unauthorized Computer Access Law (1999)
Japan’s primary computer-misuse statute is the Act on Prohibition of Unauthorized Computer Access (不正アクセス行為の禁止等に関する法律), Act No. 128 of 1999, enacted August 13, 1999 and effective February 13, 200019. The Act has been amended several times, most consequentially in 2012 to address phishing-pretext acquisition of credentials and in 2024 to expand jurisdictional reach.
The Act’s principal prohibitions:
- Unauthorized access — accessing a specific computer through a telecommunications line using another person’s identification code without authorization, or by inputting information or commands that evade the access-control function. Maximum: 3 years’ imprisonment or ¥1,000,000 fine.
- Acquisition of identification codes — knowingly obtaining identification codes of another person for purposes of unauthorized access. Maximum: 1 year imprisonment or ¥500,000 fine.
- Storage of identification codes — improper storage of others’ identification codes. Maximum: 1 year imprisonment or ¥500,000 fine.
- Solicitation of identification codes — fraudulent solicitation (phishing). Maximum: 1 year imprisonment or ¥500,000 fine.
Japan has no statutory good-faith-research defence; the National Police Agency and prosecutorial offices exercise charging discretion. The Japanese practitioner-research community is small but active; the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) is the primary coordination body for vulnerability disclosure and provides some mediation between researchers and vendors.
3.7 Russia and China — broad statutes, jurisdictional reach matters
The Russian Federation’s primary computer-misuse provisions are in Chapter 28 of the Criminal Code of the Russian Federation (Articles 272 — unauthorized access; 273 — creation, use, and distribution of malicious computer programs; 274 — violation of computer-operation rules; 274.1 — unlawful impact on the critical information infrastructure). Maximum sentences range from fines through to 10 years’ imprisonment for critical-infrastructure offences. The Russian statutes are broadly drafted; Russian-resident security researchers operate under substantial domestic prosecutorial discretion (which has historically been exercised inconsistently). The extraterritorial reach of Russian computer-crime statutes is rarely operationalized against foreign nationals — but Russian-national researchers face the inverse risk when their work product reaches non-Russian-aligned jurisdictions.
China’s Criminal Law Article 285 (illegal intrusion into computer information systems and, since Amendment VII in 2009, illegally obtaining data from or control over them), Article 286 (destruction of computer information systems), and the Cybersecurity Law (in force June 2017) provide broad statutory authority over computer-misuse conduct. Maximum sentences range up to 7 years’ imprisonment for the baseline offences; aggravated cases face higher exposure. The Chinese statutes are drafted with even broader reach than the Russian; foreign security researchers conducting research against Chinese-hosted systems face substantial legal exposure if they subsequently enter Chinese territory. The regulatory overlay is where the practitioner picture differs most: the 2021 Regulations on the Management of Network Product Security Vulnerabilities require network-product providers to report vulnerabilities to the Ministry of Industry and Information Technology within two days and restrict publication ahead of a fix, and the cross-border data-transfer and export-control rules under the Cybersecurity Law and the 2021 Data Security Law add further layers. The environment for cross-border vulnerability research touching Chinese systems is substantially more constrained than in any Western jurisdiction.
3.8 The international comparison table
| Jurisdiction | Primary statute | Year enacted | Maximum baseline penalty | Authorization framing | Good-faith-research safe harbor (2026) |
|---|---|---|---|---|---|
| United States | 18 U.S.C. § 1030 (CFAA) | 1986 (Pub. L. 99-474) | 5–10 yr (varies by subsection); life if death/serious injury under (a)(5)(A) | “Without authorization” / “exceeds authorized access” (narrowed by Van Buren 2021) | Prosecutorial discretion (DOJ May 2022 policy); no statutory defence; civil exposure under § 1030(g) parallel |
| United Kingdom | Computer Misuse Act 1990 | 1990 (amended 2006, 2015) | 2–10 yr on indictment; 14 yr or life under § 3ZA | “Unauthorised” + actor knows access is unauthorised | None (CyberUp Campaign reform pending; Dec 2025 government signal) |
| EU member states (framework) | Directive 2013/40/EU + national implementations | 2013 (replacing 2005 framework decision) | 2–5 yr minimum (member states may exceed) | “Without right” (translated variously) | Varies by member state (mostly none statutory) |
| Germany | StGB §§ 202a–c | 2007 amendment (§ 202a dates from 1986) | 2 yr (§ 202c, since 2015; 1 yr before); 2 yr (§ 202b); 3 yr (§ 202a) | “Without authorization” / programs whose purpose is the offence | None (BVerfG constrains § 202c; reform draft pending 2024–2025) |
| France | Code pénal Art. 323-1 to 323-3-1 | 1988 + Directive transposition | 3–7 yr | ”Frauduleusement” + “sans droit” | None statutory |
| Netherlands | Sr / Wet computercriminaliteit III | 2018 (latest) | 4–6 yr; up to 12 yr for critical infrastructure | ”Wederrechtelijk” (unlawfully) | None statutory |
| Canada | Criminal Code s. 342.1, s. 430(1.1) | 1985 / 1997 amendments | 10 yr indictable | ”Fraudulent” + “without colour of right” | None statutory; PPSC discretion |
| Australia | Criminal Code Act 1995, Part 10.7 (added by Cybercrime Act 2001) | 2001 | 2–10 yr (varies by section) | “Unauthorised” + intent elements | None statutory |
| Japan | Act No. 128 of 1999 | 1999 (effective 2000) | 3 yr | ”Unauthorized” + use of another’s identification code | None statutory; JPCERT/CC mediates |
| Russia | Criminal Code Art. 272–274.1 | 1996 + amendments | 10 yr (critical infrastructure) | Broad; “unauthorized access” with damage | None; inconsistent enforcement |
| China | Criminal Law Art. 285–286; Cybersecurity Law 2017; Data Security Law 2021 | 1997 + 2017 + 2021 | 7 yr (baseline) | Broad; substantial regulatory overlay | None; export-control regime adds layers |
| Budapest Convention (multilateral baseline) | CETS No. 185, opened 2001; more than 70 states parties | 2001 | Sets minimum criminalisation requirements; implemented through national law | Articles 2–6 (illegal access, illegal interception, data/system interference, misuse of devices) | Convention does not require safe harbor; implementation varies |
Table 19.2 — International computer-misuse statutes — comparative reference. The “authorization framing” column captures the operative term-of-art that maps onto the U.S. CFAA’s “without authorization” prong; the “safe harbor” column captures whether the jurisdiction has a statutory good-faith-research defence (the answer is almost universally “none”; the U.S. DOJ 2022 policy is prosecutorial discretion, not a statutory defence). The Budapest Convention (Council of Europe Convention on Cybercrime, CETS No. 185, opened for signature November 23, 2001) is the multilateral baseline that most of these statutes implement; more than 70 states are parties to it as of early 2026. Russia and China are NOT signatories. The convention’s Articles 2–6 map closely onto the U.S. CFAA’s core prohibitions; the safe-harbor question is not addressed at the convention level.
The cross-jurisdictional operating envelope: a researcher conducting cross-border work potentially faces every statute in the chain: the statute of the country where the research is conducted, the statute of the country where the targeted system is hosted, and, in jurisdictions that assert it, the statute of a country whose nationals are in the affected user population. Mutual legal assistance treaties (MLATs) and the Budapest Convention’s mutual-assistance provisions operationalize the cross-border reach. The practical implication for a 2026 cross-border practitioner is that the most restrictive applicable statute governs: researchers operating against critical-infrastructure systems in the EU face the higher critical-infrastructure maxima the Directive requires member states to provide, and researchers operating against U.S. cloud systems from outside the U.S. face the CFAA’s reach on top of the local statute’s.
4. Authorization in practice
The practitioner’s operating envelope is defined, in legal terms, by the authorization documents that establish written, informed consent from the system owner. The white-hat consultant’s authorization stack (Vol 6 §1) is the canonical example; the engagement-paperwork discipline this section covers is the load-bearing legal artifact that turns access the CFAA would otherwise treat as “without authorization” into authorized access the statute does not reach. The grey-hat researcher (Vol 8) operates without this stack and bears the residual exposure §2 catalogued.
This section walks the engagement-paperwork stack at the depth a practitioner needs to draft, review, and operate under it. Five documents constitute the canonical stack: the Statement of Work (SOW), the Scope document, the Rules of Engagement (ROE), the Get-Out-of-Jail Letter (GOJL), and (for bug-bounty work) the program’s safe-harbor language. The 2022 DOJ CFAA charging policy (§4.6) sits alongside this stack as the prosecutorial-discretion overlay.
4.1 Statement of Work (SOW)
The Statement of Work is the commercial contract that establishes the engagement. It is, in legal terms, the document that defines what services will be performed, when, by whom, for what compensation, with what deliverables, under what warranty and indemnification terms. Most SOWs are signed under a master services agreement (MSA) that establishes the broader legal relationship; the SOW is the per-engagement document.
A complete SOW for a security-testing engagement includes:
- Parties: the testing organization (the consultancy) and the client organization. Full legal names, jurisdictions of incorporation, signatory titles.
- Engagement scope summary: a one-paragraph plain-language description of what testing will be conducted. The SOW summary references but does not duplicate the Scope document.
- Services to be performed: the testing types (network pentest, web-app pentest, red-team engagement, physical-entry assessment, etc.) at the categorical level. Specific assets and IP ranges live in the Scope document.
- Schedule and milestones: engagement start date, test windows (specific dates and hours), report-draft delivery date, final-report delivery date, optional re-test windows.
- Deliverables: report format, executive summary requirement, technical findings format, evidence-and-artifact policy, briefing requirements.
- Compensation: fee structure (fixed-price vs time-and-materials), payment schedule, expenses policy.
- Warranty and indemnification: the testing organization’s warranty of services performed; the client’s indemnification of the testing organization for engagement-scope-related claims; mutual indemnification for IP issues; the limitation-of-liability cap.
- Confidentiality and IP: NDA terms (often a separate document, but referenced); ownership of report and deliverables; use of client-provided materials.
- Termination: termination-for-cause and termination-for-convenience provisions.
- Governing law and dispute resolution: choice of law; jurisdiction or arbitration for disputes.
- Signatures: authorized signatories on both sides, with titles and dates.
The SOW is the document that, in a CFAA-prosecution-defence scenario, would be produced as the engagement-existence proof. It establishes that the testing organization was retained by the client organization to perform the services described. The SOW alone does not, however, authorize specific access — it establishes the existence of the engagement; the Scope document defines what’s actually authorized.
4.2 Scope document
The Scope document defines what is in-scope and out-of-scope for the engagement. It is the load-bearing technical-authorization artifact — under any reasonable post-Van Buren reading of “without authorization,” the scope document is the document that establishes what the testing organization is authorized to access. A complete scope document includes:
- In-scope systems: explicit lists of IP ranges (CIDR blocks), DNS names, application URLs, mobile applications (with their distribution channels), API endpoints, physical addresses (for physical-entry engagements), source-code repositories (for source-code-assisted assessments), wireless networks (SSIDs and BSSIDs).
- Out-of-scope systems: explicit exclusions. Common exclusions include third-party-hosted infrastructure (the SaaS vendors’ production systems, even where the client’s data lives there), shared infrastructure (the cloud provider’s underlying systems vs the client’s account within them), production systems with high-availability requirements (where pre-coordination is required for any potentially-disruptive testing), executive personnel (often excluded from social-engineering scope unless explicitly included).
- In-scope techniques: explicit enumeration of permitted testing techniques. Common scope items: network reconnaissance, port and service scanning, vulnerability scanning, exploitation of identified vulnerabilities, password attacks (with rate-limiting and account-lockout-avoidance constraints), social engineering (phishing, vishing, pretexting), physical entry (with specific buildings and specific access methods), wireless attacks (with specific networks and specific techniques).
- Out-of-scope techniques: explicit exclusions. Common exclusions include destructive testing without specific pre-approval, denial-of-service attacks (unless the engagement is specifically a DoS assessment with separate authorization), attacks against production systems during business hours, attacks against systems serving live customers.
- Test windows: specific dates and hours during which active testing may occur. The window is enforced by the testing organization’s own discipline; the in-scope-system list does not authorize testing outside the window.
- Data-handling provisions: rules for any data accessed during testing — encryption requirements, retention limits, destruction certification, prohibition on transfer outside the engagement team.
- Out-of-scope-discovery handling: the procedure for what to do if testing discovers a vulnerability in an out-of-scope system. The standard procedure: stop testing of the out-of-scope system; document the discovery; notify the client point-of-contact within a specified time; await client direction.
The scope document is what a court would consult to determine whether a specific technical action was authorized. The discipline of writing scope documents that are simultaneously specific (so the practitioner knows exactly what’s permitted) and flexible (so reasonable judgement calls during the engagement don’t fall outside scope) is the working tradecraft of consultancy engagement-leadership. Common scope failures and their legal consequences are catalogued in §4.5 below.
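A scope written by identifier rather than by function can be enforced mechanically before the first packet leaves the lab. The gate below is an added illustration, not tooling from this volume or from any consultancy: it takes the in-scope and out-of-scope CIDR blocks and hostnames and the authorized test windows from a scope document and refuses any target that is not explicitly listed, that overlaps an exclusion (exclusions win, which is how the shared-infrastructure and high-availability carve-outs above are meant to work), or that is proposed outside a window. The scope data, the TEST-NET-3 addresses, the example.com names and the timestamps are constructed placeholders. It deliberately does not resolve hostnames: a listed name that resolves to a third-party CDN address is the out-of-scope third-party case, and a name that happens to resolve into an in-scope block is not thereby authorized.

```python
"""Pre-flight scope gate: refuse any target that is not an explicitly listed
identifier inside an authorized test window. Added illustration; all scope
data is constructed (203.0.113.0/24 is TEST-NET-3, example.com a placeholder)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import NamedTuple


@dataclass(frozen=True)
class Window:
    start: datetime  # timezone-aware; the gate compares in UTC
    end: datetime    # exclusive


@dataclass(frozen=True)
class Scope:
    in_cidrs: tuple    # ipaddress network objects, exactly as the scope document lists them
    out_cidrs: tuple   # exclusions; any overlap with these refuses the target
    in_hosts: tuple    # exact names, or "*.zone" for names strictly below zone
    out_hosts: tuple
    windows: tuple


class Decision(NamedTuple):
    allowed: bool
    reason: str        # goes into the engagement log either way


def _host_matches(pattern: str, host: str) -> bool:
    """Exact match, or wildcard '*.zone' matching names strictly below zone.
    The apex is not matched by its own wildcard; a scope that wants it lists it."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])      # pattern[1:] is ".zone"
    return host == pattern


def _network_decision(scope: Scope, net) -> Decision:
    if any(net.overlaps(o) for o in scope.out_cidrs):
        return Decision(False, f"{net} overlaps an excluded range")
    if any(n.version == net.version and net.subnet_of(n) for n in scope.in_cidrs):
        return Decision(True, f"{net} lies entirely inside an in-scope range")
    return Decision(False, f"{net} is not inside any in-scope range")


def _host_decision(scope: Scope, host: str) -> Decision:
    if any(_host_matches(p, host) for p in scope.out_hosts):
        return Decision(False, f"{host} is explicitly excluded")
    if any(_host_matches(p, host) for p in scope.in_hosts):
        return Decision(True, f"{host} is listed in scope")
    return Decision(False, f"{host} is not listed; unlisted means out of scope")


def check_target(scope: Scope, target: str, when: datetime) -> Decision:
    """Decide whether `target` (an address, a CIDR block, or a hostname) may be
    touched at `when`. Window first: nothing is authorized outside it."""
    if when.tzinfo is None:
        raise ValueError("test-window comparison needs a timezone-aware timestamp")
    when = when.astimezone(timezone.utc)
    if not any(w.start <= when < w.end for w in scope.windows):
        return Decision(False, f"{when.isoformat()} is outside every authorized test window")
    try:
        net = ipaddress.ip_network(target, strict=False)  # a bare address becomes /32 or /128
    except ValueError:
        return _host_decision(scope, target)              # not an address: treat as a name
    return _network_decision(scope, net)


def partition(scope: Scope, targets, when: datetime):
    """Split a target list into (allowed, refused) before any scanner sees it."""
    allowed, refused = [], []
    for t in targets:
        d = check_target(scope, t, when)
        (allowed if d.allowed else refused).append((t, d.reason))
    return allowed, refused


# Constructed sample scope: one /24 in scope with its upper /25 (the HA production
# subnet) excluded; an app name and an API wildcard in scope; a third-party-hosted
# status page excluded by name; one overnight test window.
SAMPLE_SCOPE = Scope(
    in_cidrs=(ipaddress.ip_network("203.0.113.0/24"),),
    out_cidrs=(ipaddress.ip_network("203.0.113.128/25"),),
    in_hosts=("app.example.com", "*.api.example.com"),
    out_hosts=("status.api.example.com",),
    windows=(Window(datetime(2026, 6, 1, 22, 0, tzinfo=timezone.utc),
                    datetime(2026, 6, 2, 6, 0, tzinfo=timezone.utc)),),
)
IN_WINDOW = datetime(2026, 6, 1, 23, 30, tzinfo=timezone.utc)   # constructed timestamps
OUT_OF_WINDOW = datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    proposed = ["203.0.113.10", "203.0.113.200", "203.0.113.0/24", "198.51.100.7",
                "APP.example.com.", "v2.api.example.com", "api.example.com",
                "status.api.example.com", "app.example.com.evil.net"]
    ok, no = partition(SAMPLE_SCOPE, proposed, IN_WINDOW)
    for verdict, rows in (("ALLOW ", ok), ("REFUSE", no)):
        for t, why in rows:
            print(f"{verdict} {t:28} {why}")
    print(check_target(SAMPLE_SCOPE, "203.0.113.10", OUT_OF_WINDOW))
```

Two design points carry over into real tooling. Exclusions are checked before inclusions, so a scope that lists 203.0.113.0/24 but excludes the production /25 refuses the whole /24 as a scanner target rather than silently clipping it; the practitioner has to split the block, which is the moment the out-of-scope carve-out gets noticed. And "not listed" is refused, not warned about: the scope document authorizes what it names, and the gate never infers authorization from adjacency or from what a name resolves to.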
4.3 Rules of Engagement (ROE)
The Rules of Engagement document the operational-coordination protocols for the engagement. Where the SOW is commercial and the Scope is technical-authorization, the ROE is the operational-execution document. A complete ROE includes:
- Points of contact: the client’s engagement sponsor (typically a CISO, deputy CISO, or director of security), the testing organization’s engagement lead, secondary contacts for after-hours emergencies. Email and phone for each.
- Escalation procedures: when to escalate (production system disrupted, critical vulnerability discovered, unexpected data exposure, evidence of prior compromise), to whom to escalate, expected response times.
- Deconfliction protocols: how the testing organization communicates active-test activity to the client’s defensive team (or doesn’t — for full red-team engagements where the blue team is uninformed, the ROE specifies who at the client level does know).
- Communication channels: encrypted channels (Signal group, encrypted email, secure-file-transfer for findings), call-bridge access for incident-coordination calls.
- Work-hour constraints: when active testing is permitted (often a subset of the scope’s test windows that reflects practitioner work-hours).
- Stop-work conditions: explicit conditions under which testing pauses (active incident on the target network from a different cause; legal-process service; senior-leadership stop-work direction).
- Reporting cadence: status-update frequency during the engagement (daily standup; weekly summary; per-milestone briefing).
The ROE is not, strictly speaking, a legal-authorization artifact (the SOW and Scope document do that work); it is the operational-discipline artifact that keeps engagements from going sideways in ways the SOW and Scope do not predict. A common engagement-management failure is to treat the ROE as a perfunctory administrative document; the engagements where it actually gets read and exercised are the engagements that go well.
4.4 Get-Out-of-Jail Letter (GOJL)
The Get-Out-of-Jail Letter (sometimes “GOJL,” sometimes “authorization letter,” sometimes “permission slip”) is the load-bearing legal artifact carried by the operator on the engagement. It is the document that, presented to law enforcement at the moment of a confused encounter (the security guard who finds the red-team operator in a server room; the police officer responding to a “someone is in the building who shouldn’t be” call), demonstrates that the operator’s presence is authorized.
A canonical GOJL contains:
- Header identifying the client organization (full legal name, address, logo).
- A statement that the testing organization is authorized to perform security testing, with the dates and scope summary.
- The operator’s identity — full name, photograph (typically attached), and government-issued ID number for cross-reference.
- An emergency-contact phone number for the client’s authorized representative — the person law enforcement can call to verify the letter’s authenticity. The number rings to a person, not a voicemail, 24×7 during the engagement window.
- The signature of the client’s authorized representative — typically the CISO, the General Counsel, or both. The signature is in physical ink on a physical original; the operator carries the original.
- The date of signature and the engagement window.
- Legal language stating that the operator’s activities are authorized by the client and that the client will not pursue complaints against the operator for activity within the authorized scope.
The GOJL works because law-enforcement officers responding to a “suspicious-person-on-premises” call have a strong default to believing paperwork backed by phone verification. The officer who calls the emergency-contact number, speaks to a person who confirms the operator’s identity, and is told “yes, that person is conducting authorized testing on our behalf,” has a clean resolution to the encounter that doesn’t involve arresting anyone. The discipline matters: an operator without a GOJL who claims authorization will be detained pending verification (which may take hours); an operator with a GOJL whose contact number doesn’t answer will be detained pending alternate verification.
The GOJL is not a defence against the actual system owner — if the operator is testing a building they don’t have permission to test (a scope-document error, or a different building from the authorized one), the GOJL doesn’t help. It is the defence against confusion at the encounter — the operator-in-the-server-room scenario where the explanation is correct but takes time to verify.
Good intentions are not a legal defence — load-bearing callout. This is the single most load-bearing rule of §4. The CFAA contains no intent carve-out for good-faith research, public-interest motive, or any other constructive purpose, and the international equivalents surveyed in §3 are, as a rule, no more forgiving. The 2022 DOJ charging policy (§4.7) provides prosecutorial discretion for “good-faith security research”: discretion, not immunity, and applicable only to federal CFAA charges, not to state computer-crime statutes or to civil exposure under § 1030(g). The legal defence for security work is the engagement-paperwork stack: SOW + Scope + ROE + GOJL, plus safe-harbor language for bug-bounty work, executed before the first packet leaves the consultant’s lab. A practitioner whose conduct is “obviously” constructive but who lacks the paperwork carries the same legal exposure as one whose conduct was malicious. The discriminator at the charging stage is the paperwork, not the intent; intent matters at sentencing, but by then the conviction exists. No paperwork, no engagement is the rule that holds across the white-hat profession; the grey-hat residual (Vol 8) operates without this defence and bears the residual exposure.
4.5 Common scope failures and their legal consequences
Scope documents that fail to do their work share a small set of failure modes. Each has surfaced in publicly discussed engagement disputes, and each has a corresponding discipline that mature consultancies have evolved to close it.
| Failure mode | Example | Legal consequence | Discipline that addresses it |
|---|---|---|---|
| Function-not-identifier scope | “the web application” without specifying which hostname/URL | Ambiguity that a prosecutor can exploit to argue the operator was on the wrong system | Scope by IP/CIDR + hostname, not by function |
| Insufficiently-authorized signatory | An IT manager signs the scope, not someone with org-wide authority | The signed document may not bind the org; consent defense weakens | Scope signed by CISO or General Counsel (or with explicit delegation); for high-stakes engagements, the CEO |
| Missing adjacent infrastructure | Scope covers “the web application” but not the underlying host or the adjacent database server | Operator who tests the host or database is operating out-of-scope; CFAA exposure for the adjacent-system access | Scope explicitly enumerates the adjacent systems in scope OR out of scope; no “implied” inclusion |
| Stale scope | Scope was negotiated 3 months ago; the application has changed | The current state of the system differs from what’s authorized | Scope-refresh checkpoint at engagement kickoff; written acknowledgement of current asset list |
| Third-party-hosted out-of-scope omission | Client’s SaaS vendor’s infrastructure is implicitly in-scope because the application reaches into it | The SaaS vendor did not authorize testing; their CFAA-protected systems are being touched | Scope explicitly excludes third-party-hosted systems; if testing is required, the third-party authorization is obtained separately |
| Production-impact ambiguity | Scope authorizes “exploitation” but doesn’t specify whether production-disruptive exploitation is permitted | A successful exploit that takes down a production system is unauthorized by the limits the client would have insisted on | Scope explicitly states whether production-disruptive exploitation is permitted (almost always: not without separate pre-approval) |
| Data-egress ambiguity | Scope authorizes “demonstrating data access” but doesn’t specify whether exfiltration is permitted | Operator who exfiltrates demonstration data to their own infrastructure has done unauthorized data transfer | Scope explicitly authorizes screenshot-only proof, or specifies the egress destination and the data-handling rules |
| Out-of-scope-discovery silence | Scope doesn’t specify what to do when an out-of-scope vulnerability is discovered | Operator either ignores the discovery (ethical concern) or pivots to test it (CFAA concern) | Scope explicitly defines the discovery-notification procedure; standard pattern is “document, notify, await direction” |
| Test-window expiration | Operator continues activity after the test window closes | Activity outside the authorization window is unauthorized | Hard stop at window close; if the engagement runs long, the SOW is amended in writing before testing resumes |
| Missing physical-entry boundary | Physical-entry scope says “the building” but the building has tenants on other floors | Operator who enters tenant-floor common areas may be trespassing on tenant property | Scope identifies the specific suites, floors, and access methods; tenants are pre-coordinated where their space is in scope |
Table 19.3 — Common scope-document failure modes and the disciplines that address them. The patterns are drawn from publicly discussed engagement failures and from practitioner accounts of how those disputes were resolved. Each row’s “discipline” column captures the working practice that mature consultancies use; engagement paperwork that incorporates all of the disciplines at once is the gold-standard SOW + Scope combination that minimizes the operator’s residual exposure.
4.6 Bug-bounty program scope and safe-harbor language
The bug-bounty platform layer (HackerOne, Bugcrowd, Synack, Intigriti, YesWeHack, and the company-direct programs) operates with a structurally different but functionally equivalent authorization stack. Where a consultancy engagement uses an SOW + Scope + ROE + GOJL combination, a bug-bounty engagement uses the platform’s program scope + safe-harbor language combination. The history of bug-bounty programs was treated at depth in Vol 4 §5 and Vol 8 §6; this section focuses on the legal-authorization dimension.
Program scope functions as the bug-bounty equivalent of the consultancy Scope document. A published program scope identifies the in-scope assets (typically by domain pattern, e.g., *.example.com minus listed exclusions), the in-scope vulnerability classes (the program explicitly accepts XSS, IDOR, authentication bypass, etc.; some classes — DoS, social engineering of employees, physical attacks — are typically excluded), the data-handling rules (limit on data retrieved during PoC; deletion-after-disclosure obligations), and the disclosure protocol (private submission via the platform; public disclosure embargoed until specified conditions are met).
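The disciplines in Table 19.3 (scope by identifier rather than by function, explicit exclusions for third-party-hosted systems, a hard stop at window close, separate pre-approval for production-disruptive exploitation and for data egress) and the domain-pattern-minus-exclusions form of a bug-bounty program scope described above are only as good as the tooling that enforces them before a packet leaves the lab. The following is an added worked example, not code from this volume, from any consultancy, or from any bounty platform: a pre-flight scope gate that refuses a target unless the written scope names it. The scope-document layout, the `parse_scope` and `check_target` names, and every address, hostname and date are constructed for illustration.

```python
"""Pre-flight scope gate: refuse a target unless the written scope names it.

Added example for this volume; not code from any consultancy or platform.
The scope document, hostnames, addresses and dates are constructed for
illustration. Scope is expressed by identifier (CIDR, hostname pattern),
never by function, and exclusions always win over inclusions.
"""
from __future__ import annotations

import fnmatch
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Scope:
    cidrs: tuple[IPNet, ...]           # authorized address space
    host_patterns: tuple[str, ...]     # fnmatch-style, e.g. "*.example.com"
    excluded_hosts: tuple[str, ...]    # third-party-hosted / tenant carve-outs
    window_start: datetime             # engagement window (timezone-aware)
    window_end: datetime
    disruptive_ok: bool                # production-disruptive exploitation pre-approved?
    egress_ok: bool                    # exfiltration of demo data to tester infra?


def parse_scope(doc: dict) -> Scope:
    """Build a Scope from a scope-document excerpt (a plain dict here)."""
    return Scope(
        cidrs=tuple(ipaddress.ip_network(c, strict=True) for c in doc["cidrs"]),
        host_patterns=tuple(h.lower().rstrip(".") for h in doc["hosts"]),
        excluded_hosts=tuple(h.lower().rstrip(".") for h in doc.get("exclude", [])),
        window_start=datetime.fromisoformat(doc["window"][0]),
        window_end=datetime.fromisoformat(doc["window"][1]),
        disruptive_ok=bool(doc.get("disruptive_ok", False)),
        egress_ok=bool(doc.get("egress_ok", False)),
    )


def _host_matches(host: str, patterns: tuple[str, ...]) -> bool:
    return any(fnmatch.fnmatchcase(host, p) for p in patterns)


def check_target(scope: Scope, target: str, when: datetime, *,
                 resolved_ip: str | None = None,
                 disruptive: bool = False,
                 egress: bool = False) -> tuple[bool, str]:
    """Return (allowed, reason). Every denial names the discipline it enforces."""
    # Hard stop at window close: nothing runs outside the authorized dates.
    if not (scope.window_start <= when <= scope.window_end):
        return False, "outside engagement window; amend the SOW in writing before resuming"

    target = target.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None

    if addr is not None:
        # Scope by CIDR; adjacent hosts are never implicitly included.
        if not any(addr in net for net in scope.cidrs):
            return False, f"{addr} is not in any authorized CIDR"
    else:
        # Exclusions (third-party-hosted, tenant space) win over inclusions.
        if _host_matches(target, scope.excluded_hosts):
            return False, f"{target} is explicitly excluded (obtain separate authorization)"
        if not _host_matches(target, scope.host_patterns):
            return False, f"{target} matches no in-scope hostname pattern"
        # An in-scope name that resolves into someone else's address space is
        # the third-party-hosted failure mode: the name is the client's, the host is not.
        if resolved_ip is not None:
            rip = ipaddress.ip_address(resolved_ip)
            if not any(rip in net for net in scope.cidrs):
                return False, f"{target} resolves to {rip}, outside authorized address space"

    if disruptive and not scope.disruptive_ok:
        return False, "production-disruptive exploitation requires separate pre-approval"
    if egress and not scope.egress_ok:
        return False, "data egress not authorized; screenshot-only proof"
    return True, "in scope"


# Constructed scope-document excerpt (illustrative values only).
SCOPE_DOC = {
    "cidrs": ["203.0.113.0/24"],
    "hosts": ["example.com", "*.example.com"],
    "exclude": ["status.example.com", "*.mail.example.com"],   # SaaS-hosted pieces
    "window": ["2026-03-02T00:00:00+00:00", "2026-03-13T23:59:59+00:00"],
    "disruptive_ok": False,
    "egress_ok": False,
}
SCOPE = parse_scope(SCOPE_DOC)
IN_WINDOW = datetime(2026, 3, 5, 14, 0, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2026, 3, 14, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    checks = [("203.0.113.10", IN_WINDOW, {}),
              ("203.0.114.5", IN_WINDOW, {}),
              ("app.example.com", IN_WINDOW, {}),
              ("status.example.com", IN_WINDOW, {}),
              ("app.example.com", IN_WINDOW, {"resolved_ip": "198.51.100.7"}),
              ("app.example.com", IN_WINDOW, {"disruptive": True}),
              ("203.0.113.10", AFTER_WINDOW, {})]
    for target, when, kw in checks:
        print(f"{target:22} {kw} -> {check_target(SCOPE, target, when, **kw)}")
```

The gate is meant to sit in front of whatever launches the scanner or exploit, with `resolved_ip` filled from the tester’s own DNS lookup; the resolution check is what catches the Table 19.3 third-party-hosted row, where a name inside `*.example.com` fronts a CDN or SaaS tenant the client cannot authorize.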
Safe-harbor language functions as the contractual authorization. The canonical HackerOne safe-harbor template20 commits the participating organization to provisions of the following form, which taken together establish that good-faith research within the program’s scope is authorized:
- Authorization: “We authorize you to access systems within [scope] for the purpose of identifying vulnerabilities, subject to the rules below.”
- Restraint of legal action: “We will not pursue legal action against you under CFAA, DMCA, or analogous statutes for activity that complies with this policy.”
- Good-faith presumption: “If your activity is reasonably consistent with this policy, we will work in good faith to clarify any ambiguity rather than treat the activity as unauthorized.”
- Recognition: “We will publicly acknowledge your contribution (subject to your disclosure preferences) and consider you for monetary recognition where applicable.”
The safe-harbor language is not a CFAA exemption (only Congress can grant that) but functions as a binding contractual commitment between the organization and the researcher. The contract does not bind the U.S. DOJ, which retains independent statutory authority, but it does bind the organization’s civil-litigation pathway. Participation in a program with published safe-harbor terms is also the cleanest evidence a researcher can offer that the activity meets the 2022 DOJ policy’s good-faith-research definition (§4.7). The combined effect of program scope + safe-harbor language + the 2022 policy is that bug-bounty work, in 2026, operates under a substantially better legal-protection envelope than direct grey-hat work, even though the underlying CFAA exposure is structurally similar.
4.7 The DOJ May 19, 2022 CFAA charging policy update
The U.S. Department of Justice’s May 19, 2022 update to its CFAA charging policy is the executive-branch operating layer that sits on top of the statute. The policy is not a statutory amendment (only Congress can amend the CFAA), but it directs federal prosecutors not to bring CFAA charges for certain categories of conduct that the prior policy had permitted. The change matters operationally because the same policy requires federal prosecutors to consult the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) before bringing any CFAA charge; a policy that directs against charging a category of conduct therefore functions, for practical purposes, like a partial decriminalization at the federal level.
The 2022 policy’s operative provisions21:
- “Good-faith security research” is defined as accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.
- Federal prosecutors should not bring CFAA charges against conduct that constitutes good-faith security research as defined.
- Terms-of-service violations that do not involve unauthorized access (in the post-Van Buren gates-up-or-down sense) should not be charged under the CFAA.
- Trivial or de minimis violations should not be charged.
The policy’s structural limits (which matter for practitioner over-reliance):
- The policy is prosecutorial discretion, not immunity. The CFAA’s statutory authority is unchanged; future DOJ administrations can revise the policy.
- The “solely” qualifier in the good-faith-research definition matters. Research conducted with “ulterior” or “mixed motives” may not qualify; the prosecutor retains discretion to determine whether the motive was solely good-faith.
- State law is not bound. Each state’s computer-crime statute remains independently enforceable; state prosecutors operate independently of DOJ policy. The 2022 policy does not affect prosecutorial decisions by California, New York, Texas, or any other state.
- Civil liability under § 1030(g) is not affected. The statute provides a private cause of action; affected organizations can pursue civil litigation regardless of whether the DOJ would have charged the conduct criminally.
The post-2022 operating envelope for U.S. security researchers is therefore: substantially safer than pre-2021 from federal-criminal exposure for good-faith research; structurally unchanged in state-criminal and civil-liability exposure. The Auernheimer / weev prosecution (Vol 8 §7.4) is the cautionary historical case for the pre-policy era. The contemporary cautionary cases are state-level matters, of which the 2021 Missouri “F12” episode is the most cited: in October 2021 Governor Mike Parson publicly accused St. Louis Post-Dispatch journalist Josh Renaud of “hacking” the state’s teacher-credentialing site, when Renaud had viewed the page source in his browser and found teachers’ Social Security numbers embedded in the HTML. The county prosecutor declined to bring charges in February 2022 after the state investigation closed, but the intervening months carried real criminal exposure that the 2022 DOJ policy, a federal instrument, would not have resolved at the state level.
4.8 The authorization-document checklist
| Artifact | Required content | Who signs | Carried when |
|---|---|---|---|
| Master Services Agreement (MSA) | Long-form commercial relationship; warranty / indemnification / IP / governing law | Both organizations’ authorized signatories (typically CEO / General Counsel) | Stored at consultancy; not field-carried |
| Statement of Work (SOW) | Per-engagement commercial document; services + schedule + compensation + deliverables | Both organizations’ authorized signatories (CISO / VP of Engineering / equivalent) | Engagement folder; not field-carried |
| Scope document | In/out-of-scope systems + techniques + windows + data-handling + discovery procedures | Both organizations (technical leads typically; CISO countersign for high-stakes engagements) | Engagement folder; selectively field-carried (the relevant excerpt for the specific work) |
| Rules of Engagement (ROE) | Points of contact + escalation + deconfliction + communication channels + stop-work conditions | Both organizations’ technical leads | Engagement folder; field-carried (the contacts are operationally needed) |
| Get-Out-of-Jail Letter (GOJL) | Authorization statement + operator identity + 24×7 emergency contact + signatures | Client’s CISO or General Counsel (in physical ink) | Field-carried in physical original for physical-entry / on-site engagements |
| NDA | Confidentiality of client-provided materials and engagement-derived information | Both organizations (often per-individual at the operator level for senior staff) | Stored at consultancy; not field-carried |
| Bug-bounty program scope + safe-harbor | Program scope + acknowledged safe-harbor terms | Researcher’s acceptance through platform; organization’s published commitment | N/A (no field-carry; the platform is the artifact) |
| Coordinated Vulnerability Disclosure (CVD) policy | Published organization policy that authorizes good-faith research outside formal bug-bounty programs | Organization’s authorized signatory; published openly | N/A (the public policy is the artifact) |
Table 19.4 — The authorization-document checklist for security-testing engagements. Two canonical 2026 authorization stacks appear in the table: the consultancy stack (MSA + SOW + Scope + ROE + GOJL, with the NDA) and the independent-researcher stack (bug-bounty program scope + safe-harbor, or a published CVD policy); a given piece of work runs under one or the other. Smaller consultancies may consolidate documents (the SOW and Scope are sometimes combined for small engagements); larger and higher-stakes engagements may add documents (specific data-handling addenda, privacy-impact assessments for engagements touching personal data, regulatory-notification provisions for engagements at regulated entities).
4.9 The Auernheimer / Swartz / Hutchins historical context
The historical-cases reference for why the engagement-paperwork stack matters is the line of cases where conduct that practitioners would have considered constructive nevertheless produced federal-criminal prosecution. Three cases recur in the practitioner literature:
- The Auernheimer / weev prosecution (2010–2014). Andrew Auernheimer and Daniel Spitler obtained iPad subscriber data from AT&T’s webserver by incrementing predictable URL parameters; they disclosed the data to Gawker, which published it. The federal indictment charged § 1030(a)(2) and identity-theft counts. Auernheimer was convicted in 2012 and sentenced to 41 months’ imprisonment. The Third Circuit vacated the conviction on venue grounds in 2014 (United States v. Auernheimer, 748 F.3d 525 (3d Cir. 2014)22) — Auernheimer had no operational connection to New Jersey, where the trial was held, and the court held that venue was improperly laid. The vacatur was on procedural grounds, not on a substantive holding that the conduct was lawful; the conviction was vacated, not the underlying legal theory. Auernheimer was released after the vacatur; the case remains the canonical historical “unauthorized access through predictable-URL enumeration is CFAA-chargeable” case in the U.S. (The case is treated in Vol 8 §7.4 as the canonical grey-hat-prosecution warning.)
- The Aaron Swartz prosecution (2011–2013). Treated above at §2.6.
- The Marcus Hutchins prosecution (2017–2019). Hutchins was arrested at Las Vegas’s McCarran Airport in August 2017 after attending DEF CON 25, on charges related to his 2014–15 development of the Kronos banking malware (predating his July 2017 WannaCry-killswitch work that had made him publicly prominent). Hutchins pleaded guilty in April 2019 to two counts of conspiracy related to malware-development conduct; he was sentenced in July 2019 to time served (no incarceration beyond the period of his pre-trial restraint). The case is the canonical “DEF CON attendance + federal-criminal charges for prior conduct” pattern.
These cases predate the 2022 DOJ policy update, and the update was in part an executive-branch response to the public-pressure cycle they produced. Whether the 2022 “good-faith security research” definition would have reached any of them is contested rather than settled. Auernheimer’s disclosure of the harvested subscriber data to a journalist sits awkwardly with the definition’s “solely” and “designed to avoid any harm” qualifiers; Swartz’s bulk download of academic articles was not security research in any sense the definition contemplates; Hutchins was charged for malware authorship, which the definition does not address at all. What the policy would have changed is the federal charging calculus at the margin, and only at the federal level; the state-criminal and civil-liability dimensions would have remained in every case.
The historical lesson the cases carry: federal-criminal exposure for security research is real even where the conduct is constructive, and the engagement-paperwork stack is what removes the federal-criminal exposure for authorized work. Researchers who operate without the paperwork are betting on prosecutorial discretion (which post-2022 is more favorable than it was, but is not legal protection); researchers with the paperwork are not betting at all.
5. Disclosure ethics
The disclosure-decision point — the moment after a vulnerability has been identified, when the researcher must decide what to do with the finding — is the structural ethical question that sits at the heart of vulnerability research. The history of the disclosure-norms debate was treated at depth in Vol 4 §3; the grey-hat lifecycle treatment was in Vol 8 §4. This section walks the decision tree as a normative framework — what each disclosure path actually does, what consequences each carries, and how the practitioner should think about the choice.
5.1 The four disclosure paths
There are, in 2026 practice, four primary disclosure paths. They are not mutually exclusive at the conceptual level (a researcher can engage in coordinated disclosure with a vendor and, after the embargo expires, publish full technical detail), but they are mutually exclusive at the immediate-decision level (the researcher’s first move is one of the four).
Path 1 — Full disclosure. Publish the technical detail and (often) working proof-of-concept code publicly, either with no prior vendor notification or with simultaneous notification. The historical default of the Bugtraq era (1993–early-2000s; Vol 3 §6 treated the Phrack / Bugtraq lineage). Full disclosure remains in use, particularly for vulnerabilities affecting end-of-life products without a vendor patch path, or for vulnerabilities where coordinated disclosure has been attempted and failed. The argument for full disclosure: it maximizes pressure on vendors to patch quickly; it ensures the public has accurate information about a real risk; it prevents “responsible disclosure” from being used as a tool of vendor delay. The argument against: it creates a public-exposure window between disclosure and patch deployment during which any attacker with the published detail can exploit the vulnerability against any unpatched system.
Path 2 — Coordinated (responsible) disclosure. Notify the vendor privately, allow them time to develop and deploy a patch, then disclose publicly. The CERT/CC framework (since the late 1980s; Vol 3 §5.3 covered the CERT founding) is the canonical multi-stakeholder version; the Google Project Zero 90-day-default (announced 2014; Vol 4 §3.2 covered the launch) is the canonical fixed-deadline version. The bug-bounty programs (§4.6 above) operationalize coordinated disclosure at scale. The argument for: it minimizes the public-exposure window; it allows the vendor to coordinate patching with affected operators; it preserves the cooperative-research relationship between the researcher and the vendor. The argument against: it can extend indefinitely if the vendor refuses to act (the failure mode addressed by fixed deadlines); it can be used by vendors to delay disclosure of inconvenient vulnerabilities; it makes the researcher complicit in a delay the public may not benefit from.
Path 3 — Sale to a broker. Sell the finding to a coordinated-disclosure broker (the Zero Day Initiative, operated by Trend Micro, is the canonical example) or into the government-customer market (brokers such as Zerodium and Crowdfense, and exploit vendors such as NSO Group that buy for their own products). The broker market was treated at depth in Vol 4 §3.3 and Vol 8 §4.2. The argument for (when selling to ZDI): the broker provides the coordination layer plus commercial recognition, and the work product reaches a defender-aligned customer base. The argument for (when selling to government-customer brokers): the financial recognition is substantially higher (Zerodium’s published price list, in its 2019 revision, offered up to $2.5M for a zero-click full-chain Android remote-code-execution and $2M for the iOS equivalent). The argument against (when selling to government-customer brokers): the downstream use is opaque; the customers are typically state intelligence and law-enforcement services; the exploits are deployed against specific targets without notification to the affected vendor. The reported use of NSO’s Pegasus against people close to Jamal Khashoggi around the time of his 2018 murder (an attribution NSO disputes) and the civil litigation that followed is the canonical downstream-harm cautionary case.
Path 4 — Sit on the finding. Do nothing. File the finding in a personal notebook; forget it; hope someone else discovers and fixes it; wait for a later context (e.g., the researcher joins a company that has a relationship with the vendor). The “sit on it” path is the most-common-and-least-discussed grey-hat outcome — many independent researchers accumulate findings they never disclose because the disclosure pathway is too uncertain or the legal exposure too high. The argument for: it minimizes the researcher’s exposure (no vendor relationship to mismanage, no public disclosure to coordinate). The argument against: it leaves the vulnerability exploitable by other adversaries who may discover it independently; the public-safety case favors disclosure; the researcher’s professional development is constrained (the finding doesn’t become a CVE, a conference talk, or a bug-bounty payment).
5.2 The disclosure-decision tree
The decision among the four paths is shaped by a set of structural questions that the practitioner asks in approximately the following order. The decision tree below captures the canonical 2026 working version.
DISCLOSURE DECISION TREE — schematic.
┌────────────────────────────┐
│ Vulnerability discovered │
│ in the course of research │
└─────────────┬──────────────┘
│
▼
┌────────────────────────────────────────────────────┐
│ Q1: Was the research conducted under authorization │
│ (SOW + Scope + ROE + GOJL, or bug-bounty │
│ program + safe-harbor)? │
└────────────────────────────────────────────────────┘
│ │
YES │ │ NO
▼ ▼
┌────────────────────┐ ┌──────────────────────────────┐
│ Report through the │ │ Q2: Does the affected vendor │
│ authorized channel │ │ have a published Coord. │
│ (client report; │ │ Vuln. Disclosure (CVD) │
│ bug-bounty submit) │ │ policy or VDP channel? │
└────────────────────┘ └──────────────────────────────┘
│ │
YES │ │ NO
▼ ▼
┌────────────────────────────┐ ┌────────────────────────────┐
│ Submit through the │ │ Q3: Does the vulnerability │
│ published CVD channel. │ │ affect multiple vendors│
│ Track disclosure deadline. │ │ or critical infra? │
└────────────────────────────┘ └────────────────────────────┘
│ │ │
│ YES │ │ NO
▼ ▼ ▼
(proceed to embargo; ┌──────────────────────┐ ┌──────────────────────────┐
monitor patch path) │ Engage CERT/CC │ │ Direct vendor outreach │
│ as multi-stakeholder │ │ (security@ mailbox or │
│ coordinator. Engage │ │ CISO contact). Establish │
│ CISA if U.S. crit. │ │ disclosure relationship. │
│ infra; ENISA for EU. │ │ Set deadline. │
└──────────────────────┘ └──────────────────────────┘
│ │
│ │
▼ ▼
(proceed to coordinated (Q4: vendor responsive?)
multi-vendor embargo) │
YES │ NO
▼ ▼
(proceed) ┌─────────────────────┐
│ Q5: Escalate within │
│ vendor; engage │
│ CERT/CC; consider │
│ legal counsel; if │
│ no progress at │
│ deadline, publish. │
└─────────────────────┘
Figure 19.3 — The disclosure decision tree. The tree captures the canonical 2026 working version of the decision; mature researchers internalize the questions and answer them quickly. The key structural observation: the authorized-research path (left branch from Q1) is structurally different from the unauthorized-research path (right branch), and within the unauthorized branch the published-VDP path is structurally different from the no-published-VDP path. The “sit on it” path (not shown explicitly in the tree) is the default outcome when none of the decision-tree paths are pursued.
5.3 The vendor-unresponsive failure mode
The disclosure-decision tree assumes vendor cooperation. When the vendor doesn’t cooperate — ignores notifications, denies the vulnerability is real, threatens legal action against the researcher, or attempts to coerce silence — the researcher faces a separate set of decisions. The canonical 2026 response sequence:
- Document everything. Every email, every response, every silence, with timestamps. The eventual public-disclosure post or the eventual civil-litigation defense will draw on this documentation.
- Escalate within the vendor. If the security team’s inbox is unresponsive, try the company’s CISO directly. If the CISO is unresponsive, try executive contacts (general counsel, CTO, CEO). Many uncooperative-vendor scenarios resolve at the executive-escalation layer when the security team is overburdened or under-empowered.
- Engage CERT/CC as a neutral coordinator. CERT/CC (Carnegie Mellon’s Software Engineering Institute) has acted as the canonical third-party coordinator for difficult disclosures since the late 1980s. A vendor that ignores an individual researcher will often answer a coordinator that tracks the case and sets a date; CERT/CC’s own policy defaults to public disclosure 45 days after the initial report, with or without a fix, which is the lever that breaks a stalled disclosure. The CERT/CC Vulnerability Information and Coordination Environment (VINCE) is the current submission platform.
- Engage CISA for vulnerabilities affecting U.S. critical infrastructure or government systems. CISA’s Coordinated Vulnerability Disclosure service23 is the canonical government-coordinator version. In the EU the coordinating role sits with the national CSIRTs designated under NIS2 (ENISA publishes the guidance framework and maintains the EU vulnerability database rather than coordinating individual cases); the UK’s National Cyber Security Centre (NCSC) plays the equivalent role.
- Engage public-interest legal organizations if the vendor’s response involves legal threats. The Electronic Frontier Foundation’s Coders’ Rights Project24 provides legal support to researchers facing vendor pressure; the Open Rights Group in the UK and European Digital Rights (EDRi) at the EU level are the nearest analogs, though both are advocacy organizations rather than litigators. Several historically significant cases (Dmitry Sklyarov’s 2001 DMCA arrest; Michael Lynn’s 2005 Cisco IOS disclosure at Black Hat) involved public-interest counsel on the researcher’s side.
- Public disclosure as the last resort, with the documented record of vendor-uncooperation as the justification. The Project Zero 90-day deadline is the structural innovation that legitimized this approach — the deadline is fixed regardless of vendor cooperation, and the public-disclosure threat motivates vendor engagement that “give us forever to fix it” frameworks did not.
The “vendor is hostile” subcategory is the most legally hazardous. A vendor who responds to disclosure with threats of CFAA prosecution, civil litigation under the DMCA § 1201 anti-circumvention provisions, or trade-secret claims (the 2016 Defend Trade Secrets Act adds a federal civil cause of action that can be pleaded against a researcher who extracted protected material) creates substantial researcher exposure even where the research was constructively motivated. The EFF Coders’ Rights Project and similar organizations are the canonical resources; researchers without legal-support infrastructure are at a substantial disadvantage in this scenario.
5.4 Defensive disclosure — disclosing your own systems’ vulnerabilities
A specialized disclosure question that recurs at large organizations: when does the organization itself disclose vulnerabilities it has discovered in its own systems? The historical practice was to disclose only when external pressure forced it; the contemporary practice in mature organizations is to disclose proactively as part of the regular security-communications cadence. The structural arguments for proactive defensive disclosure:
- Trust building — customers and partners value transparency about security posture; proactive disclosure of resolved issues demonstrates active security investment.
- Regulatory cooperation — in regulated industries (financial services, healthcare, critical infrastructure), proactive disclosure often satisfies regulatory expectations that delayed or reactive disclosure does not.
- Patch deployment — for vulnerabilities that customers must patch themselves (firmware updates, software updates, configuration changes), proactive disclosure with clear remediation guidance maximizes patch deployment.
- Threat-intelligence reciprocity — organizations that disclose their own vulnerabilities establish reputations that improve their access to other organizations’ disclosures.
The defensive-disclosure practice is operationalized through published security advisories (vendor-specific channels), CVE assignment and publication (through the CVE program; most large vendors are their own CVE Numbering Authorities), and security-team blog posts. Microsoft’s monthly Patch Tuesday cadence is the canonical mature example; Cisco’s PSIRT publications, Apple’s security-update communications, and the Linux kernel’s CVE announcements (the kernel project has been its own CNA since 2024) are similar.
5.5 The disclosure-paths summary table
| Path | Vendor cooperation | Public exposure window | Legal exposure | Typical researcher outcome | Canonical example |
|---|---|---|---|---|---|
| Full disclosure | None (or notification simultaneous with publication) | Maximum (no patch window) | Same as underlying research; higher civil exposure than coordinated; “good-faith research” defence harder | Reputation in the full-disclosure community; potential civil litigation; CVE assignment if accepted | Bugtraq-era publications; many Phrack articles; some end-of-life-product disclosures |
| Coordinated disclosure (vendor-direct) | High; vendor controls patch timeline | Minimal (patch deployed before disclosure, ideally) | Same as underlying research; mitigated by DOJ 2022 policy; civil exposure reduced | Reputation gain; CVE assignment; sometimes a bounty if program established post-hoc | Charlie Miller / Chris Valasek Jeep Cherokee 2015 (vendor coordination produced the recall) |
| Coordinated disclosure (CERT/CC-mediated) | High; coordinator manages multi-vendor coordination | Minimal | Same as underlying research; CERT/CC provides additional good-faith presumption | Reputation gain; CVE assignment; coordinated public advisory | Dan Kaminsky DNS 2008; Heartbleed 2014; Meltdown/Spectre 2018 |
| Coordinated disclosure (bug-bounty program) | High; program safe-harbor provides contractual authorization | Minimal | Substantially reduced by program scope + safe-harbor language | Cash bounty; reputation in program leaderboard; CVE assignment | Most modern bug-bounty submissions; HackerOne / Bugcrowd ecosystem |
| Sale to coordinated broker (ZDI) | Brokerage; vendor sees disclosure through broker | Minimal | Similar to direct coordinated disclosure | Cash payment; reputation in broker’s circle; Pwn2Own competition participation | Pwn2Own; ZDI ongoing research-purchase program |
| Sale to sovereign-customer broker (Zerodium, Crowdfense; exploit vendors such as NSO) | None; vulnerability typically not disclosed to vendor | Long; depends on downstream use | Same as underlying research; downstream exposure depending on buyer’s use | Substantial cash; reputation in broker’s circle; downstream-harm exposure if buyer’s use becomes public | Zerodium published price list; Pegasus / Khashoggi associates (2018) |
| Sit on it | None | None (until rediscovered by others) | Same as underlying research; visibility minimized but evidence persists in researcher’s notes | No outcome; the finding accumulates in personal notes | Largely undocumented; per literature, the modal long-tail outcome |
| Defensive disclosure (organization’s own systems) | N/A (organization is both researcher and vendor) | Minimal (patch deployed before disclosure) | Minimal; organization controls all parties | Trust building; regulatory cooperation; patch deployment | Microsoft Patch Tuesday; Cisco PSIRT; Apple security updates |
Table 19.5 — The disclosure paths in 2026. The eight rows cover the four primary paths (§5.1) plus three bug-bounty / broker / defensive subspecies. The “vendor cooperation” column captures whether the vendor learns about the vulnerability through the disclosure pathway; the “public exposure window” captures the time between disclosure and patch deployment during which the vulnerability is exploitable by other attackers; the “legal exposure” column captures U.S. federal-CFAA exposure as a baseline (state law and international equivalents add parallel exposure); the “typical researcher outcome” column captures what the researcher gets from each path.
6. RF-specific law
The radio-frequency / signaling layer carries its own legal-and-regulatory overlay that does not map cleanly onto the CFAA’s protected-computer framework. Where the CFAA’s reach assumes computers and the network connections between them, RF law assumes spectrum allocation, transmitter licensing, and the wiretap-style restrictions on intercepting communications. This section walks the RF overlay at the depth a 2026 practitioner needs. The reference-cluster volumes (Vol 13 §7, Vol 14 §7, Vol 15 §7) summarize this material and cross-link back here for the full treatment.
6.1 Receive-only spectrum monitoring
The baseline rule in the U.S. for receive-only spectrum monitoring of publicly-transmitted, unencrypted signals is that it is generally legal. The Communications Act of 1934 does not prohibit reception; the Electronic Communications Privacy Act (ECPA) of 1986 explicitly excepted “radio communications that are readily accessible to the general public” from its wiretap prohibitions. The practical effect: a researcher with an RTL-SDR or HackRF passively listening to broadcasts in the 2.4 GHz ISM band, the unlicensed sub-GHz bands, or amateur-radio bands is operating legally for the reception itself.
The exceptions to the “receive is legal” baseline:
- Cellular communications (the major exception). The ECPA’s 1986 amendments specifically added cellular communications to the wiretap prohibition (treated at §6.2 below); private operator interception of cellular traffic is prohibited regardless of the signal’s accessibility.
- Encrypted radio broadcasts. The ECPA exempts radio communications that are “readily accessible to the general public” from the wiretap prohibition, but the statute’s own definition of “readily accessible” excludes encrypted or scrambled signals. Decrypting an intercepted communication that one has the right to receive in encrypted form is not, by itself, unauthorized; decrypting a communication one does not have the right to receive is.
- Common-carrier communications. 47 U.S.C. § 605 (originally Communications Act § 705) restricts divulgence of intercepted radio communications; the bare reception is unrestricted (subject to ECPA), but disclosure to third parties is.
- Specific protected categories. Aviation, public-safety, maritime distress, and various other categories have additional protections beyond the baseline.
The 2026 working assumption for receive-only research against unencrypted publicly-transmitted signals (consumer remote controls, IoT sensors, garage-door openers, weather-station beacons, TPMS broadcasts, the unencrypted side of various sub-GHz protocols) is legal, modulo state-law variations. The detailed legal frame for the reference-cluster volumes — RTL-SDR / HackRF / Flipper Zero / Proxmark3 reception work — is at Vol 13 §7 and Vol 15 §7.
6.2 ECPA 1986 — the cellular wiretap addition
The Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. § 2510 et seq., is the U.S. federal wiretap statute as expanded for the post-1986 communications environment. ECPA’s 1986 amendments added two consequential layers to the 1968 Wiretap Act framework [25]:
- The “electronic communication” category was added to extend the Wiretap Act’s coverage from wire/oral communications to communications via electronic means. This brought email, computer-to-computer traffic, and later internet communications under the wiretap framework.
- Cellular communications were specifically brought under the Wiretap Act’s prohibitions — § 2511(1)(a) makes it a federal crime to intentionally intercept any wire, oral, or electronic communication, with cellular communications expressly included.
The cellular-interception prohibition is the part of ECPA that most directly affects RF tradecraft. A practitioner with an SDR who happens to receive an unencrypted cellular control-channel broadcast (in the early-2000s GSM era these were common) faced ECPA exposure for the interception itself; the modern LTE / 5G environments use encrypted control channels, removing the easy-interception case but leaving the framework intact for any future cleartext exposure.
The IMSI catcher (Stingray) dimension was treated at Vol 13 §7 and Vol 14 §7. The 2018 Supreme Court decision in Carpenter v. United States, 585 U.S. 296 (2018), 138 S. Ct. 2206, established that federal law enforcement use of cell-site location information requires a warrant under the Fourth Amendment — but the decision addressed government use, not private use. Private operation of an IMSI catcher to intercept cellular traffic remains an ECPA § 2511(1)(a) violation regardless of the operator’s purpose; the Rayhunter defensive-detection firmware (Vol 13 §7 cross-reference) is the canonical “detect Stingrays in the field” tool, and its receive-only posture is what makes it legal.
6.3 47 U.S.C. § 605 — disclosure restrictions
The Communications Act of 1934 § 705, codified at 47 U.S.C. § 605, restricts divulgence of intercepted radio communications. The statute is older than the modern wiretap framework; its text reflects the 1934-era regulatory concerns (the protected category was originally interstate-commerce wire communications and radio communications). The operative reach for 2026 practitioners:
- The statute prohibits any person from “divulg[ing] or publish[ing] the existence, contents, substance, purport, effect, or meaning” of intercepted radio communications except through authorized channels.
- The prohibition is on divulgence, not on reception. A practitioner who receives a radio communication but does not disclose it does not violate § 605.
- The “authorized channels” exception covers reception by intended recipients, by authorized law-enforcement personnel, and (notably) by amateur-radio operators acting in their licensed role.
- The statute predates ECPA and operates in parallel; many cases that could be charged under ECPA can also be charged under § 605.
The practitioner takeaway: the reception is often legal but the disclosure may not be. A researcher who intercepts a sub-GHz IoT sensor’s broadcast can listen to it without § 605 exposure; publishing the captured content in a blog post or conference talk implicates the disclosure prohibition. The exception that practitioners typically rely on is that anonymized analysis of protocols (e.g., “this is how the Hitag2 immobilizer challenge-response works”) is structurally different from disclosure of specific communications (e.g., “here is the captured payload of vehicle XYZ’s challenge-response exchange”) — the former is protocol research, the latter is content disclosure.
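The protocol-research / content-disclosure distinction above can be made mechanical in a write-up pipeline. The following is an added illustration, not code from this volume or any tool it references: the frame layout, the toy checksum and the captured values are all constructed for the example, and the point is that the published artefact describes field widths and behaviour while the values that identify a particular device or transmission never reach the draft.

```python
"""Publication-safe protocol write-up from captured RF frames.

Illustrates the § 605 line: publish the protocol (field layout, widths,
how each field behaves) but not the content of specific transmissions
(serial numbers, counter values). The frame layout and checksum are
constructed for this example and match no real product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Field:
    name: str
    bits: int
    identifying: bool  # True if the value ties a frame to one device or one press


# Constructed 60-bit layout of a hypothetical rolling-code remote, MSB first.
LAYOUT = (
    Field("preamble", 8, False),
    Field("device_serial", 24, True),
    Field("rolling_counter", 16, True),
    Field("button", 4, False),
    Field("checksum", 8, False),
)
FRAME_BITS = sum(f.bits for f in LAYOUT)


def build_frame(serial: int, counter: int, button: int) -> int:
    """Assemble a sample frame (constructed input; toy XOR checksum)."""
    body = (0xAA << 44) | (serial << 20) | (counter << 4) | button
    checksum = (serial ^ counter ^ button) & 0xFF
    return (body << 8) | checksum


def parse_frame(raw: int) -> dict:
    """Split a frame into named fields according to LAYOUT."""
    fields, shift = {}, FRAME_BITS
    for f in LAYOUT:
        shift -= f.bits
        fields[f.name] = (raw >> shift) & ((1 << f.bits) - 1)
    return fields


def publication_view(frames: list) -> dict:
    """Protocol-level summary that is safe to publish.

    Non-identifying fields are reported by their observed values;
    identifying fields are reported only by behaviour (constant across
    captures? strictly increasing?), never by value.
    """
    parsed = [parse_frame(r) for r in frames]
    view = {"layout": [(f.name, f.bits) for f in LAYOUT], "fields": {}}
    for f in LAYOUT:
        values = [p[f.name] for p in parsed]
        if f.identifying:
            view["fields"][f.name] = {
                "constant": len(set(values)) == 1,
                "monotonic": all(b > a for a, b in zip(values, values[1:])),
            }
        else:
            view["fields"][f.name] = {"observed": sorted(set(values))}
    return view


def draft_leaks_capture(draft: str, frames: list) -> list:
    """Names of identifying fields whose captured values appear (as hex)
    in a draft write-up. Deliberately conservative: a short counter value
    can match by coincidence, and any match should prompt a manual look."""
    text = draft.lower()
    leaked = set()
    for p in (parse_frame(r) for r in frames):
        for f in LAYOUT:
            if not f.identifying:
                continue
            width = (f.bits + 3) // 4
            if f"{p[f.name]:0{width}x}" in text:
                leaked.add(f.name)
    return sorted(leaked)


if __name__ == "__main__":
    # Constructed captures: three presses from one hypothetical remote.
    captures = [build_frame(0x1A2B3C, 0x0101, 0x2),
                build_frame(0x1A2B3C, 0x0102, 0x2),
                build_frame(0x1A2B3C, 0x0103, 0x1)]
    print(publication_view(captures))
    print(draft_leaks_capture("Captured frame: serial 1A2B3C counter 0101", captures))
```

The same pre-publication check applies to conference slides and tool output screenshots, which leak captured identifiers more often than prose does.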
6.4 FCC regulations — Parts 15, 95, 97
The Federal Communications Commission’s regulations partition the U.S. spectrum into licensed and unlicensed bands and establish the operating rules for each. The relevant parts for security practitioners [26]:
- Part 15 — Radio Frequency Devices. Governs unintentional radiators (devices that emit RF as a byproduct, like computers and switching power supplies) and intentional radiators (devices designed to emit RF, like Wi-Fi access points, Bluetooth radios, and cordless phones). The Part 15 framework allows unlicensed operation of low-power transmitters in specific bands subject to specific power, frequency, and duty-cycle limits. The canonical practitioner-relevant subparts:
- Part 15.231 — periodic operation in the band 40.66–40.70 MHz and above 70 MHz. The framework for unlicensed sub-GHz transmitters in the 315/433/868/915 MHz ISM bands.
- Part 15.247 — operation within the bands 902–928 MHz, 2400–2483.5 MHz, and 5725–5850 MHz. The framework for Wi-Fi, Bluetooth, and many other 2.4 GHz / 5 GHz unlicensed devices.
- Part 15.249 — operation within the bands 902–928 MHz, 2400–2483.5 MHz, 5725–5875 MHz, and 24.0–24.25 GHz. The lower-power framework for many consumer remote controls and IoT devices.
- Part 95 — Personal Radio Services. Governs CB radio, FRS / GMRS (the consumer hand-held radio services), MURS (the multi-use radio service), and the various other personal-radio frameworks. Some of these require licensing (GMRS); some do not (FRS, MURS within power limits).
- Part 97 — Amateur Radio Service. Governs amateur (ham) radio operation. Transmitting in amateur bands requires an FCC-issued amateur-radio license (Technician, General, or Extra class in the U.S.). The licensing exam process is straightforward but the licensing requirement is operationally significant for practitioners who want to legally transmit in HF / VHF / UHF amateur allocations.
- Part 90 — Private Land Mobile Radio Services. Governs business-band and public-safety land-mobile radio. Requires licensing for transmit.
- Part 80 — Stations in the Maritime Services. Governs marine VHF and other maritime allocations. Some bands require licensing.
The transmit-vs-receive distinction is the dominant variable. Receive-only operation in any band is generally permissible under FCC rules (subject to ECPA / § 605 restrictions on disclosure); transmit operation requires either operation under Part 15’s unlicensed-device framework (with strict power, frequency, and duty-cycle limits) or the relevant license for the allocated service.
6.5 47 U.S.C. § 333 — willful interference
The single most-relevant federal statute for practitioners who transmit is 47 U.S.C. § 333, which prohibits willful or malicious interference with any radio communications of any station licensed or authorized under the Act. Section 333 is the operative provision for:
- Wi-Fi deauthentication injection — sending forged 802.11 deauthentication frames to disconnect clients from access points. The technique is technically possible with any 802.11 radio in monitor mode + injection; the legal characterization is willful interference with the affected station’s licensed-or-authorized communications. The FCC’s October 3, 2014 enforcement advisory [27] explicitly cited § 333 in its $600,000 forfeiture against Marriott Hotel Services for deploying deauthentication-based blocking against guests’ personal hotspots; subsequent enforcement actions (Smart City Holdings 2015; multiple smaller cases) have followed the same framework.
- Spoofing of broadcast services — transmitting on frequencies allocated to broadcast services with the intent to disrupt the legitimate broadcast.
- GPS jamming or spoofing — operating against the GPS L1/L2/L5 frequencies in ways that disrupt legitimate GPS reception. The FCC has been particularly aggressive on GPS interference; the GPS jammer market (sold openly online despite illegality) has generated dozens of enforcement actions.
- Cellular jamming — operating against cellular bands. The legal exposure includes both § 333 (interference) and ECPA § 2511 (where the jamming is associated with interception).
The penalties for § 333 violations are substantial — civil forfeiture up to $20,000 per day per offense (per FCC’s Rules), criminal exposure under 47 U.S.C. § 502, and in some cases federal-court enforcement that can produce substantially larger fines. The Marriott $600,000 forfeiture was the canonical 2010s case; subsequent enforcement has been less publicized but no less aggressive.
6.6 Replay attacks against systems you don’t own — CFAA + state law overlap
A specific scenario that recurs in RF tradecraft: a researcher captures an RF transmission from a system they don’t own (a car remote, a garage-door opener, a building-access badge reader broadcast), then replays the captured signal to demonstrate the protocol is vulnerable. The legal framing depends on what the target system is and whose authorization governs:
- The actor’s own systems (the researcher’s own car, garage door, building badge). Receive and replay are legal; this is the canonical lab posture.
- Another individual’s consumer systems (the neighbor’s car, the friend’s garage). The transmission is unauthorized access to the target system’s controller; the framing is CFAA if the controller is a “protected computer” (most modern car immobilizer ECUs are) and state-law trespass / theft regardless of the CFAA framing. The technical signature is identical to the legitimate user’s use; the legal characterization is unauthorized access.
- Commercial-vehicle / fleet systems (a delivery van’s remote-start system; a rental-car company’s fleet remote). Same framing as individual consumer systems plus potential corporate-property and trade-secret implications.
- Building-access systems (workplace badge readers; apartment-building entry; gated-community access). Same CFAA framing if the access controller is a protected computer (most modern building-access controllers are) plus state-law trespass / burglary if entry is achieved.
- Critical-infrastructure systems (utility-grid remote terminals; transportation-control systems). All of the above plus the critical-infrastructure-aggravation factors under § 1030(a)(5)(A) (life imprisonment if death/serious injury results) and the Critical Infrastructure Information Act protections.
The detailed RFID / NFC treatment is at Vol 15 §7 — the badge-cloning scenario is the canonical case that the volume treats at depth. The general principle is that the antenna does not change the legal framing: cloning a credential and using it to enter a system without authorization is unauthorized access regardless of whether the cloning was done with a Proxmark3 or with a copy of a key.
6.7 Capability is not consent — the RF-specific danger callout
Spectrum is regulated; capability is not consent — load-bearing callout. The fact that an SDR can transmit on a frequency does not authorize transmission on that frequency; the fact that a Flipper Zero can clone an RFID badge does not authorize cloning a third party’s badge; the fact that a WiFi Pineapple can perform a deauthentication attack against any 802.11 station does not authorize doing so against networks the operator does not control. The technical capability is uniform across all three Axis-1 stances of Vol 8 §3.4 (white / grey / black); the legal authorization is what discriminates. RF tradecraft is the most easily-tested-in-the-field domain of the entire series — a sub-GHz capture, a Wi-Fi handshake, and a badge clone each produce identical wire signatures whether the operator has a signed engagement scope or is simply curious — and that field-testability is precisely what makes the legal-framework discipline most important. The reference-cluster volumes (Vol 13, Vol 14, Vol 15) each carry this callout in their §7 sections; the canonical version of the discipline is own the hardware (CFAA-clean baseline) and carry written, signed, scoped authorization for everything else. The lab-discipline baseline at ../../_shared/legal_ethics.md covers the working rules for every tool in the Hack Tools hub. Capability is not consent. Receive-only research in unencrypted publicly-transmitted bands is generally legal; transmit is heavily regulated; replay against systems the operator doesn’t own is CFAA + state-law exposure regardless of intent.
6.8 The RF-law-by-band summary table
| Band | FCC framework | RX (receive) baseline | TX (transmit) baseline | Notable additional layers |
|---|---|---|---|---|
| LF RFID (125 kHz) | Part 15.31 | Legal | Part 15 power limits; reader operation generally permitted | Cloning third-party credentials: CFAA + state-law unauthorized access |
| HF RFID / NFC (13.56 MHz) | Part 15.225 | Legal | Part 15 power limits; reader operation generally permitted | Cloning third-party credentials: CFAA + state-law; payment-card systems implicate PCI + EMV-fraud-statute layers |
| Sub-GHz ISM (315 / 433 / 868 / 915 MHz) | Part 15.231 / 15.247 / 15.249 | Legal | Power + duty-cycle limits per subpart | Replay against rolling-code or fixed-code remotes for systems not owned: CFAA + state law; § 333 if interference framing applies |
| Amateur HF / VHF / UHF | Part 97 | Legal | Requires amateur-radio license (Technician/General/Extra in U.S.) | The licensed-amateur framework has its own internal rules (no business communications; no encryption; identification requirements) |
| Cellular (700 MHz / 800 / 850 / 900 / 1800 / 1900 / 2100 / 2300 / 2500 / 2600 MHz + 5G NR bands) | Part 22 / 24 / 27 (licensed exclusive) | ECPA § 2511 prohibits interception of cellular communications (regardless of bare reception) | Transmit requires carrier license; IMSI catcher operation by private parties is ECPA + 47 U.S.C. § 333 | Rayhunter (Vol 13 §7) is the canonical defensive-detection tool — its receive-only posture is what makes it legal |
| Wi-Fi 2.4 GHz (ISM) | Part 15.247 | Legal (open networks; encrypted networks decoded with key access) | Part 15 limits; deauth injection against third-party stations: § 333 willful interference (Marriott $600K precedent) | Capturing handshakes from networks not owned: undermapped; some state wiretap statutes have aggressive readings |
| Wi-Fi 5 GHz / 6 GHz (U-NII) | Part 15.407 | Legal | Part 15 limits; DFS requirements for 5 GHz bands; deauth injection: § 333 | |
| Bluetooth / BLE (2.4 GHz) | Part 15.247 | Legal | Part 15 limits | Active interrogation of unowned devices: CFAA framing depends on the device |
| GPS L1/L2/L5 | Receive-only consumer use | Legal (receive only) | Transmit prohibited; jamming / spoofing prohibited under § 333; FCC aggressive on enforcement | Critical-infrastructure aggravation if GPS-dependent systems (aviation, maritime) affected |
| ADS-B (1090 MHz) | Aviation Part 87 | Legal | Transmit requires aviation certification | Spoofing implicates aviation-safety statutes in addition to § 333 |
| Marine VHF (156–162 MHz) | Part 80 | Legal | Requires Marine Radio Operator Permit (MROP) for transmit; jamming / spoofing implicates SOLAS + state-maritime statutes | Distress-frequency interference carries criminal exposure under aviation/maritime safety statutes |
| Public-safety bands (varies) | Part 90 | Legal (subject to state-law exceptions in some jurisdictions) | Transmit prohibited without specific authorization | Some states criminalize even receive of certain public-safety frequencies |
Table 19.6 — The RF-law-by-band summary. The “RX baseline” and “TX baseline” columns capture the federal-law operating envelope as a starting point; state law adds parallel layers that vary substantially (the Wi-Fi capture / wiretap interaction is the most-undermapped area). The “Notable additional layers” column flags the cases where the bare RX/TX baseline understates the operational risk. Reference-cluster volumes that treat each row in depth: Vol 13 for sub-GHz / amateur / SDR generally; Vol 14 for Wi-Fi / BLE; Vol 15 for LF/HF RFID / NFC and access-control systems. Tool-specific deep dives that cross-link here: HackRF One deep dive, Flipper Zero deep dive, WiFi Pineapple deep dive, Rayhunter deep dive (when authored), Proxmark3 RDV4 deep dive (when authored).
7. Ethical frameworks
The law is the floor; ethics is what sits above. A practitioner whose conduct is legally clean can still operate unethically — and conversely, the most-ethical conduct in some grey-zone areas may exceed the legal envelope. This section walks the ethical frameworks that mature practitioners use to think about the layer of practice that sits above the legal minimum. The frameworks treated here are: the professional-code layer (the certifications that include ethical commitments), the medical-ethics analog (do no harm), the community-norms layer (bug-bounty / disclosure ethics from the field), the whistleblower-protection framework (when an employee discovers internal misconduct), and the personal-ethical-line framework (the practitioner’s individual posture beyond all of the above).
7.1 Professional codes — the certification-attached ethics frameworks
Several of the major security certifications carry ethics codes that members must adhere to as a condition of continued certification. The principal codes:
- (ISC)² Code of Ethics [28]. The (ISC)² certifications (CISSP, CCSP, SSCP, CSSLP, HCISPP, others) carry a four-canon code: “Protect society, the common good, necessary public trust and confidence, and the infrastructure.” / “Act honorably, honestly, justly, responsibly, and legally.” / “Provide diligent and competent service to principals.” / “Advance and protect the profession.” Violations are adjudicated through an ethics-complaint process administered by (ISC)²’s Ethics Committee; sanctions include certificate revocation.
- EC-Council Code of Ethics [29]. The EC-Council certifications (CEH, ECSA, LPT, CHFI, others) carry a multi-clause code that includes commitments to: keep private and confidential information confidential; perform engagement work professionally; disclose to appropriate persons or authorities the discovery of vulnerabilities; not engage in deceptive financial practices; not be involved with malicious software activity; maintain authorization and obtain permission; protect intellectual property of others. Violations are adjudicated through EC-Council’s ethics process; sanctions include certificate revocation.
- ISACA Code of Professional Ethics [30]. The ISACA certifications (CISA, CISM, CRISC, CGEIT, CDPSE, others) carry a seven-element code emphasizing support for standards and procedures; performance of duties with objectivity, due diligence and professional care; service in the public interest while maintaining the highest standards of conduct; maintenance of competency; provision of services in compliance with professional standards; cooperation with investigations; appropriate disclosure of information to clients. Violations are adjudicated through ISACA’s Ethics Committee.
- SANS GIAC Code of Ethics [31]. The SANS GIAC certifications (GCIH, GPEN, GWAPT, GSE, others) carry an ethics code that members affirm at certification and at renewal; it includes commitments to confidentiality, lawful conduct, professional behavior, and continued education.
- OffSec Ethics [32]. OffSec’s certifications (OSCP, OSEP, OSWE, others) include ethics commitments built into the certification-renewal cycle; the framework is less formal than the membership-organization codes above but is part of the certification’s continuing requirements.
The structural commitment that all of these codes share: the certificate-holder is responsible for ethical conduct beyond the immediate engagement. The professional codes establish that a CISSP or CEH or CISM holder is committed to a standard of conduct that the law alone does not require — and the certificate-revocation sanction provides a meaningful professional consequence for violations.
The codes are not, however, substitutes for legal advice or for an internal ethical framework. They function as minimum professional ethics standards; mature practitioners typically operate well above these minimums.
7.2 The “do no harm” frame — security-research norms borrowed from biomedical research
The biomedical-research ethics framework — primarily the Belmont Report (1979) and the Nuremberg Code (1947), operationalized through Institutional Review Board (IRB) oversight in the U.S. and similar bodies internationally — has been informally adopted by parts of the academic-security-research community as a normative framework for security research that affects users or systems beyond the researcher’s own. The principal principles imported:
- Respect for persons — the autonomy of individuals whose systems or data are studied. In biomedical research this implies informed consent; in security research the analog is that research touching user data is conducted with appropriate disclosure and consent where possible, anonymization where consent is impractical, and minimization of data retained.
- Beneficence — the obligation to maximize benefits and minimize harms. The “do no harm” subprinciple is operationalized as: the harm risk from the research method must be proportionate to the security insight gained. A live-production detonation of ransomware on a file server to “prove ransomware risk” fails this test catastrophically; a controlled laboratory reproduction of the same risk passes.
- Justice — equitable distribution of research burdens and benefits. The analog in security research: the researcher does not preferentially burden vulnerable populations (e.g., publishing exploits that disproportionately affect users with weaker security postures) without commensurate benefits.
The academic-security-research community has, since the early 2010s, increasingly adopted research-ethics review for studies that affect non-consenting users — the Menlo Report (2012) is the canonical security-research-specific adaptation of the Belmont Report [33]. Major academic security conferences (USENIX Security, NDSS, IEEE S&P, ACM CCS) increasingly require ethics-statement sections in submissions and reject papers that fail to meet community-developed ethical standards.
For the practitioner-research reading: the Belmont / Menlo framework is the operative one to apply when research moves beyond the researcher’s own infrastructure to studies of real systems or users. The framework is not statutorily required but is the community-norm standard; conference acceptance, peer-publication, and professional reputation increasingly depend on adherence.
7.3 Bug-bounty community norms — the field-developed standard
The bug-bounty community (HackerOne, Bugcrowd, Intigriti, Synack, and the company-direct programs) has developed a community-norms framework that operates above the platform-mandated minimums. The norms cover both researcher conduct (toward the program and toward affected users) and program conduct (toward the researchers).
Researcher-side norms:
- Stop at proof-of-concept demonstration. The discipline that has emerged is: demonstrate the vulnerability with the minimum exploitation needed to prove the finding. The Maya composite in Vol 8 §5.1 illustrates this — Maya tests the IDOR against accounts she created herself, demonstrates that the bypass works, and stops without retrieving any real customer data. The norm is widely adopted in the mature bug-bounty community.
- Minimize data retention. Data retrieved during PoC demonstration is retained only for the duration of the disclosure cycle and deleted after the program confirms remediation.
- Avoid live-production disruption. Where the testing might affect production users, schedule testing for low-traffic windows; coordinate with the program team before potentially-disruptive testing.
- Don’t pivot to other systems. Findings against the in-scope system are reported as findings; the researcher does not use the finding as a springboard to test out-of-scope adjacent systems.
- Engage in good faith with program-team determinations. When the program team disagrees with the researcher’s finding classification, the researcher engages in respectful clarification rather than escalation; when the disagreement is irreconcilable, the researcher accepts the determination and moves on.
Program-side norms (less consistently adopted, but the standards mature programs aspire to):
- Respond promptly to submissions. Mature programs commit to acknowledgment within 24–48 hours and triage within a week. Unresponsive programs damage the entire ecosystem.
- Pay fairly and consistently. The pay-out scale for findings of similar severity should be consistent; gaming the categorization to underpay researchers is a recurring program-side ethics failure.
- Communicate transparently about remediation timelines. The researcher who has submitted a finding has a legitimate interest in knowing when (and whether) the finding will be remediated.
- Honor safe-harbor commitments. Programs that publish safe-harbor language and then pursue legal action against researchers who operated within scope damage the entire community-trust framework.
The bug-bounty community-norms framework is enforced primarily through reputation — researchers and programs that violate the norms lose standing in the community; the platforms (HackerOne, Bugcrowd) maintain reputation-related metrics that affect program visibility and researcher placement. The community is small enough that violations propagate quickly.
7.4 Whistleblower frameworks — when an employee discovers internal misconduct
A category that recurs in the security-research community: an employee discovers, in the course of their work, that their employer is engaged in misconduct — security misconduct (cover-up of a breach; deliberate weakening of customer-facing security), legal misconduct (illegal surveillance; sanctions violations), or ethical misconduct (misuse of customer data). The legal framework for whistleblowing in the U.S. is principally:
- Sarbanes-Oxley § 806 (the SOX whistleblower-protection provision). Protects employees of publicly-traded companies from retaliation for reporting suspected fraud or securities violations to federal authorities, congressional committees, or supervisors. Provides a private cause of action and remedies including reinstatement and back pay.
- Dodd-Frank § 922 (the Dodd-Frank whistleblower provision, applicable to securities violations). Provides for monetary awards to whistleblowers whose information leads to SEC enforcement actions; offers anti-retaliation protections that complement SOX.
- The False Claims Act (31 U.S.C. § 3729 et seq.). Provides for qui tam actions where a whistleblower files a lawsuit on behalf of the government for fraud against federal programs; the whistleblower receives a percentage of any recovery.
- The Defense Federal Acquisition Regulation Supplement (DFARS) — protection for whistleblowers in the defense-industrial base.
- State-law whistleblower protections — substantially varying by state.
The cybersecurity-specific whistleblower context is less developed than the financial-fraud context but has become more prominent through high-profile cases (the Joseph “Joe” Sullivan / Uber prosecution following the 2016 Uber breach cover-up; the 2022 Twitter / X-corp whistleblower complaint filed by former Twitter Head of Security Peiter “Mudge” Zatko). The Sullivan prosecution resulted in a federal conviction for obstruction of justice and misprision of a felony — the first conviction of a corporate security officer for breach-related conduct [34] — establishing that the post-breach handling can be more legally consequential than the breach itself. The March 2025 Ninth Circuit affirmance made Sullivan’s conviction final and removed any remaining “the conviction might still get vacated on appeal” caveat to the precedent.
For the practitioner-employee whose discoveries implicate employer misconduct, the working framework: legal counsel before disclosure. The whistleblower-protection statutes are powerful but procedurally complex; the employee whose disclosure follows a recognized procedure (SOX § 806 procedures; Dodd-Frank SEC-whistleblower procedures; qui tam filings) receives substantially better protection than the employee who simply discloses publicly. The Electronic Frontier Foundation, the Government Accountability Project, and similar organizations are starting-point resources for practitioners considering whistleblowing.
7.5 The personal ethical line — beyond all of the above
The deepest ethical question for a practitioner is the personal-ethical-line question — what work the practitioner will not take, regardless of the law, the contract, the bounty, or the professional advancement. The question recurs across the practitioner community in conference talks, podcast interviews, and personal-essay writing; the canonical phrasings:
- “I don’t take pentest engagements for [X type of client].” Common exclusions in the public-record practitioner discourse: surveillance-tool vendors (NSO, Cellebrite, the broader sovereign-customer market); private-prison operators; specific industry verticals where the practitioner’s own ethical concerns rule out engagement (oil-and-gas for some climate-aware practitioners; pharmaceutical-pricing for some healthcare-ethics-oriented practitioners; defense contractors for pacifist practitioners). The exclusion is a personal-ethical decision the practitioner makes; the firm-level analog is the “what clients do we accept” question that mature consultancies confront in their business-development pipeline.
- “I don’t publish exploits for specific categories of vulnerability.” Common exclusions: vulnerabilities in medical devices that cannot be defensively responded to by users; vulnerabilities in voting systems where the public-disclosure value is unclear given the patch path; vulnerabilities affecting specific vulnerable populations.
- “I don’t sell to brokers.” The grey-hat practitioner who declines to sell to Zerodium-class brokers regardless of the price is operating from personal ethics that exceed the legal and the community-norm minimums.
- “I don’t accept payment in cryptocurrency for engagements.” Some practitioners exclude crypto payment regardless of client wishes; the rationale is sometimes regulatory (KYC concerns), sometimes ethical (energy-use, sanctions-evasion concerns).
The personal-ethical-line framework is deeply individual and the practitioner discourse generally resists prescriptive framings. The shared observation across the literature is that the question recurs throughout a career — practitioners who do not actively answer it for themselves typically drift into engagements they would not have accepted with deliberate consideration. The discipline of having an answer matters more than the specific content of the answer.
7.6 The ethical-frameworks summary table
| Framework | Source | Operative on | Enforcement mechanism | Operating-envelope position |
|---|---|---|---|---|
| (ISC)² Code of Ethics | (ISC)² certification membership | Holders of CISSP, CCSP, SSCP, CSSLP, others | Ethics-complaint process; certificate revocation | Above legal minimum; below personal |
| EC-Council Code of Ethics | EC-Council certification membership | Holders of CEH, ECSA, CHFI, others | Ethics-complaint process; certificate revocation | Above legal minimum; below personal |
| ISACA Code of Professional Ethics | ISACA certification membership | Holders of CISA, CISM, CRISC, others | Ethics-complaint process; certificate revocation | Above legal minimum; below personal |
| SANS GIAC Code of Ethics | SANS GIAC certification | Holders of GIAC certifications | Affirmation at certification + renewal | Above legal minimum |
| OffSec ethics commitments | OffSec certification | Holders of OSCP, OSEP, OSWE, others | Built into certification renewal | Above legal minimum |
| Belmont Report / Menlo Report | Biomedical-research ethics adapted for security research | Academic-security-research community; increasingly applied to industry research | Conference acceptance; peer-publication review; community reputation | Above legal minimum; defines research-on-non-consenting-users standards |
| Bug-bounty community norms | HackerOne / Bugcrowd / Intigriti community practice | Bug-bounty researchers and programs | Reputation; platform-leaderboard standing; community ostracism | Above platform-mandated minimum |
| SOX § 806 / Dodd-Frank / FCA qui tam | Federal whistleblower statutes | Employees of publicly-traded companies (SOX); broader (DFR/FCA) | Federal litigation; private causes of action | Legal-protection framework for whistleblowers |
| The personal-ethical line | Individual practitioner | The practitioner themselves | Self-discipline; long-run career and reputational consequences | Above all of the above; the practitioner’s actual operating ceiling |
Table 19.7 — Ethical-frameworks reference. The frameworks scale from the legally-required (none in this table — the law is the floor) through the professionally-required (the certification codes) through the community-normative (bug-bounty norms, Menlo Report) to the individually-elective (the personal-ethical line). Mature practitioners typically operate above all of the framework minimums simultaneously; the framework-stack is not hierarchical but layered. The combined effect of the layered framework is the operating posture that distinguishes a mature security professional from a technically-equivalent but ethically-naive operator.
8. Cross-reference index
This section catalogs Vol 19’s contribution to the canonical anchor index (the full machine-readable index is in Vol 21). The H2 headings in this volume are frozen — every other volume in the series has inbound links pointing to these anchors; renaming any of them silently breaks the inbound links.
8.1 Frozen H2 anchors in this volume
| Anchor | Section | Heading text | Cross-deep-dive link form |
|---|---|---|---|
| vol19-about-this-volume | §1 | About this volume | HackerTradecraft_Complete.html#vol19-about-this-volume |
| vol19-cfaa-in-depth | §2 | CFAA in depth | HackerTradecraft_Complete.html#vol19-cfaa-in-depth |
| vol19-international-equivalents | §3 | International equivalents | HackerTradecraft_Complete.html#vol19-international-equivalents |
| vol19-authorization-in-practice | §4 | Authorization in practice | HackerTradecraft_Complete.html#vol19-authorization-in-practice |
| vol19-disclosure-ethics | §5 | Disclosure ethics | HackerTradecraft_Complete.html#vol19-disclosure-ethics |
| vol19-rf-specific-law | §6 | RF-specific law | HackerTradecraft_Complete.html#vol19-rf-specific-law |
| vol19-ethical-frameworks | §7 | Ethical frameworks | HackerTradecraft_Complete.html#vol19-ethical-frameworks |
| vol19-cross-reference-index | §8 | Cross-reference index | HackerTradecraft_Complete.html#vol19-cross-reference-index |
| vol19-resources | §9 | Resources | HackerTradecraft_Complete.html#vol19-resources |
8.2 Inbound-link index — where other volumes reference this one
| From | To | Subject of the reference |
|---|---|---|
| Vol 1 §1 (legal-line introduction) | §1 | Series-level framing for the legal layer |
| Vol 1 §3 (reading-path recommendations) | §1, §2 | Reading path for disclosure researchers, SOC roles, hat-specific deep dives |
| Vol 1 footnote cfaa | §2 | CFAA framing reference |
| Vol 3 §4 (CFAA history) | §2 | Historical context handing off to current treatment |
| Vol 3 §7 (EFF founding) | §5 | EFF Coders’ Rights Project framing |
| Vol 4 §3 (disclosure wars history) | §5 | Historical context for disclosure-paths discussion |
| Vol 5 §5 (BlueHat) | §5 | Microsoft BlueHat program’s coordinated-disclosure context |
| Vol 6 §1 (white-hat authorization callout) | §2, §4 | The CFAA framing and the SOW + Scope + ROE + GOJL stack |
| Vol 6 §9 footnote cfaa-statute | §2 | CFAA statutory walkthrough reference |
| Vol 7 §1 (black-hat CFAA framing) | §2, §3 | Stacked-charges geometry; international scene |
| Vol 7 §6 (criminal economy) | §3 | International-extradition geometry |
| Vol 8 §1 (grey-hat CFAA framing) | §2, §3, §4, §5 | The “intent is not a defense” framing; the full legal context |
| Vol 8 §3.2 (RF parallel for grey-hat) | §6 | Wi-Fi probing legal layer |
| Vol 8 §4 (disclosure decision point) | §5 | The four-path decision tree |
| Vol 8 §9 footnote cfaa | §2 | CFAA reference |
| Vol 9 §6 (green-hat hiring) | §2 | Authorization framing for entry-level practitioners |
| Vol 10 §1 (blue-hat boundary) | §4, §6, §7 | Cross-organization investigation authorization; hack-back legal; data-protection geometry |
| Vol 10 §8.3 (do-not-hack-back callout) | §6 | Hack-back legal framing |
| Vol 11 §1.1 (red-hat vigilante exclusion) | §6 | Vigilante legal framing |
| Vol 11 §3.6 (red-team physical entry) | §4 | Engagement-paperwork stack |
| Vol 12 §8 (purple-team legal context) | §4, §7 | CFAA framing for authorized defensive work; data-protection geometry |
| Vol 13 §7 (sub-GHz / SDR legal) | §6 | TX-vs-RX legal baseline |
| Vol 14 §7 (Wi-Fi / BLE legal) | §6 | Marriott / Smart City Holdings / Joffe v. Google enforcement cases |
| Vol 15 §7 (RFID / NFC legal) | §6 | Badge-cloning legal framing |
| Vol 16 §7 (computer-hacking tradecraft legal) | §2, §4 | CFAA / ECPA / state-statute framework |
| Vol 17 §7 (SE tradecraft legal) | §2, §4 | Statutory framework for SE-related offences |
| Vol 18 §1 (career-context legal forward-ref) | §4 | Offer-letter and consulting-agreement contractual layer |
| Vol 20 §1 (cheatsheet — disclosure decision card) | §5 | Disclosure flowchart card |
| Vol 20 §9 (volume-question index) | §2, §4, §5 | “What does CFAA § (a)(2) say?” lookups |
| Vol 21 §3 (canonical anchor index) | All sections | Full machine-readable anchor table |
| ../_shared/legal_ethics.md (Hack Tools project-wide legal baseline) | All sections | Hub-wide framing this volume expands |
Table 19.8 — Inbound-link index for Vol 19. The 30+ inbound-link rows make this the most-cross-referenced single volume in the series. The frozen-anchor discipline (catalogued in §8.1) is what makes the inbound links resolve; renaming any of the §1–§9 headings would silently break the entire table.
8.3 Outbound cross-references — where this volume points
| To | Subject |
|---|---|
| Vol 3 §4 | CFAA historical context (the 1986 enactment, the predecessor CADCFAA, the legislative history) |
| Vol 3 §5 | Morris prosecution as the foundational CFAA case |
| Vol 4 §3 | Disclosure-wars historical context (Bugtraq → responsible-disclosure → 90-day-norm arc) |
| Vol 4 §3.3 | Exploit-broker market structure (ZDI, Zerodium, NSO, Crowdfense) |
| Vol 4 §5 | Bug-bounty economy history and the platform safe-harbor framework |
| Vol 6 §1 | White-hat authorization stack (SOW + Scope + ROE + GOJL) |
| Vol 7 §6.4 | OFAC / IEEPA sanctions framework |
| Vol 8 §1 | Grey-hat boundary and the “no intent carve-out” framing |
| Vol 8 §4 | Grey-hat disclosure decision lifecycle |
| Vol 8 §7.4 | Auernheimer / weev case (vacated on venue grounds) |
| Vol 13 §7 | SDR / sub-GHz legal-and-regulatory summary |
| Vol 14 §7 | Wi-Fi / BLE legal-and-regulatory summary |
| Vol 15 §7 | RFID / NFC legal-and-regulatory summary |
| HackRF One deep dive | SDR hardware and capability reference |
| Flipper Zero deep dive | Sub-GHz / RFID / NFC handheld reference |
| WiFi Pineapple deep dive | Wi-Fi audit platform reference |
| Rayhunter deep dive (when authored) | IMSI catcher detection — defensive RF tool |
| Proxmark3 RDV4 deep dive (when authored) | RFID / NFC lab reference |
| ../../_shared/legal_ethics.md | Hack Tools project-wide legal baseline |
Table 19.9 — Outbound cross-references from Vol 19. The volume serves as a hub for the legal framing across the entire series; the outbound links connect to historical context (Vols 3–4), to the engagement-paperwork detail (Vol 6), to the grey-hat disclosure treatment (Vol 8), to the reference-cluster RF-specific layers (Vols 13–15), and to the Hack Tools deep dives that operate under these legal frameworks.
9. Resources
9.1 Primary U.S. statutory and policy sources
9.2 Van Buren and post-Van Buren commentary
9.3 International statutory sources
9.4 RF / wiretap / interference statutory sources
9.5 Disclosure-framework references
9.6 Ethics frameworks
9.7 Hack Tools cross-references
- Vol 1 §1 — Series-level legal-line framing
- Vol 3 §4 — CFAA historical context (1986 enactment + amendment trajectory)
- Vol 3 §5 — Morris prosecution as the foundational CFAA case
- Vol 4 §3 — Disclosure-wars history (Bugtraq → responsible → 90-day)
- Vol 4 §5 — Bug-bounty economy and safe-harbor framework
- Vol 6 §1 — White-hat authorization stack
- Vol 7 §1 — Black-hat CFAA framing
- Vol 7 §6 — Criminal economy and sanctions framework
- Vol 8 §1 — Grey-hat boundary and the no-intent-carve-out
- Vol 8 §4 — Grey-hat disclosure decision lifecycle
- Vol 10 §8.3 — Hack-back / active-defense legal callout
- Vol 13 §7 — SDR / sub-GHz legal summary
- Vol 14 §7 — Wi-Fi / BLE legal summary
- Vol 15 §7 — RFID / NFC legal summary
- Vol 16 §7 — Computer-hacking-tradecraft legal summary
- Vol 17 §7 — SE tradecraft legal summary
- Vol 18 §1 — Career-context legal forward-reference
- ../../_shared/legal_ethics.md — Hack Tools project-wide legal baseline
Footnotes
1. Electronic Frontier Foundation, Coders’ Rights Project. https://www.eff.org/issues/coders. The EFF provides legal support to researchers facing vendor or government legal pressure; historically-significant defenses include Dmitri Sklyarov / DMCA 2001, the Felten Princeton v. SDMI case 2001, the Aaron Swartz defense, the Marcus Hutchins defense (2017–2019), and many others.
2. Computer Fraud and Abuse Act, 18 U.S.C. § 1030. Current text via the Cornell Legal Information Institute: https://www.law.cornell.edu/uscode/text/18/1030. The U.S. Code is updated by the Office of Law Revision Counsel of the U.S. House of Representatives; the LII text is the canonical machine-readable version with statutory cross-references resolved. The CFAA’s enactment history (Pub. L. 99-474, 1986) and amendment trajectory are summarized in Vol 3 §4.
3. The breadth of “information” under § 1030(a)(2) has been litigated repeatedly. The dominant reading: viewing on-screen output suffices; no exfiltration to external storage is required for the “obtain” element to be satisfied. Cases: Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001).
4. Van Buren v. United States, 593 U.S. 374 (2021), No. 19-783; 141 S. Ct. 1648. Decided June 3, 2021. Majority opinion by Justice Amy Coney Barrett, joined by Justices Stephen Breyer, Sonia Sotomayor, Elena Kagan, Neil Gorsuch, and Brett Kavanaugh. Dissent by Justice Clarence Thomas, joined by Chief Justice John Roberts and Justice Samuel Alito. Full opinion: https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf. CRS analysis: Congressional Research Service Legal Sidebar LSB10616 (June 2021). The factual record (Van Buren’s Georgia police-sergeant role, the FBI sting via Andrew Albo, the GCIC license-plate lookup for $5,000) is drawn from the case’s certiorari briefing and the Eleventh Circuit opinion below (United States v. Van Buren, 940 F.3d 1192 (11th Cir. 2019)).
5. hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir. 2019); on remand from the Supreme Court’s GVR (grant-vacate-remand) order following Van Buren, the Ninth Circuit reaffirmed in hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022). The decision held that scraping publicly-accessible LinkedIn profiles does not violate the CFAA’s “without authorization” prong.
6. Post-Van Buren CFAA case law has generally tracked the gates-up-or-down framing. Sandvig v. Garland, 2022 U.S. App. LEXIS 12116 (D.C. Cir. May 4, 2022) confirmed the narrowing in a researcher-protection context; United States v. Yermyan, 2024 U.S. Dist. LEXIS (E.D.N.Y. 2024) applied the framework in an employee-misuse context. The post-Van Buren landscape remains undermapped at the state-law level.
7. 18 U.S.C. § 1030(c) provides the penalty structure. The summary in §2.4 reflects the statute as it stands in 2026; the U.S. Sentencing Guidelines (USSG § 2B1.1 for fraud-and-deceit cases; USSG § 2X1.1 for attempts and conspiracies; the various enhancement provisions) operate independently and produce the advisory ranges that federal sentencing actually applies.
8. United States v. Morris, 928 F.2d 504 (2d Cir. 1991). The foundational CFAA mens rea opinion; treated in detail in Vol 3 §5.4.
9. United States v. Swartz, No. 1:11-cr-10260 (D. Mass.). The September 2012 superseding indictment is publicly available via PACER. Subsequent analysis: Larry Lessig, “Aaron’s Laws — Law and Justice in a Digital Age” (Harvard, 2013); the MIT Abelson report (Abelson, Adida, Lin, Long, “MIT and the Prosecution of Aaron Swartz,” July 26, 2013); the EFF case archive on Swartz.
10. “Aaron’s Law Act of 2013” (H.R. 2454, 113th Congress), introduced by Rep. Zoe Lofgren (D-CA) and Sen. Ron Wyden (D-OR) following Swartz’s death; subsequent re-introductions in 2014, 2015, 2019, 2020, 2023. The 2023 reintroduction (118th Congress) is the most recent. None has passed.
11. Computer Misuse Act 1990 (UK), as amended by the Police and Justice Act 2006 and the Serious Crime Act 2015. Full text: https://www.legislation.gov.uk/ukpga/1990/18/contents.
12. UK CMA 1990 sections summary as of 2026: §§ 1, 2, 3, 3ZA, 3A. Crown Prosecution Service guidance on the CMA: https://www.cps.gov.uk/legal-guidance/computer-misuse-act.
13. CyberUp Campaign (UK), advocating for statutory reform of the Computer Misuse Act 1990 to add a public-interest defence. December 2025 government signal: Security Minister Dan Jarvis MP (HM Government Home Office) announcement that the government is “looking at” a legal change to the CMA to create a statutory defence for vulnerability researchers — the strongest pro-reform signal in the campaign’s history. House of Lords Committee stage of the Crime and Policing Bill (late 2025–early 2026): peers tabled amendments to introduce a statutory defence into the CMA. February 3, 2026 Public Bill Committee hearing on the Cyber Security and Resilience (Network and Information Systems) Bill: calls for CMA reform also surfaced in this concurrent legislative track. As of mid-May 2026 no amendment has yet been enacted; the parliamentary process is mid-stage. Campaign site: https://www.cyberupcampaign.com/.
14. Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA. EUR-Lex: https://eur-lex.europa.eu/eli/dir/2013/40/oj/eng.
15. Criminal Code of Canada, s. 342.1 (unauthorized use of computer), s. 430(1.1) (mischief in relation to computer data). Statute text via the Justice Laws Website: https://laws-lois.justice.gc.ca/eng/acts/c-46/section-342.1.html.
16. Cybercrime Act 2001 (Cth), amending the Criminal Code Act 1995 (Cth) to add Part 10.7 (Computer Offences). Full text: https://www.legislation.gov.au/Details/C2004A00937.
17. Strafgesetzbuch (StGB) §§ 202a, 202b, 202c, as amended by the Strafrechtsänderungsgesetz zur Bekämpfung der Computerkriminalität of August 7, 2007. Statute text via the German Federal Ministry of Justice: https://www.gesetze-im-internet.de/stgb/__202c.html.
18. Bundesverfassungsgericht (BVerfG) decision of May 18, 2009, 2 BvR 2233/07 (and related cases), declining to strike § 202c StGB while constraining its application to require specific intent that the article be used in committing an offence. Decision text: https://www.bverfg.de/e/rs20090518_2bvr223307.html.
19. Act on Prohibition of Unauthorized Computer Access (不正アクセス行為の禁止等に関する法律), Act No. 128 of 1999, enacted August 13, 1999, effective February 13, 2000. English translation via Japanese Law Translation: https://www.japaneselawtranslation.go.jp/en/laws/view/3933.
20. HackerOne, “Standardized Safe Harbor Language,” 2026 version. https://www.hackerone.com/disclosure-guidelines. The template language has been incrementally updated since the 2015 original version; the 2022 update incorporated post-Van Buren framing.
21. U.S. Department of Justice, Office of the Deputy Attorney General, “Department of Justice Announces New Policy for Charging Cases Under the Computer Fraud and Abuse Act,” May 19, 2022. https://www.justice.gov/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act. The policy update is incorporated into the Justice Manual at JM 9-48.000. The “good-faith security research” definition is in the policy memo text.
22. United States v. Auernheimer, 748 F.3d 525 (3d Cir. 2014). The Third Circuit vacated the conviction on venue grounds (not jurisdiction; the distinction matters — venue refers to the district where the trial may properly be held; jurisdiction refers to whether a court has authority over the subject matter and parties at all). The vacatur did not address the underlying CFAA theory; the case is treated in Vol 8 §7.4 as the canonical grey-hat-prosecution warning.
23. Cybersecurity and Infrastructure Security Agency (CISA), Coordinated Vulnerability Disclosure (CVD) service. https://www.cisa.gov/coordinated-vulnerability-disclosure-process. CISA serves as the canonical U.S.-government coordinator for critical-infrastructure vulnerabilities; the service operates in parallel with CERT/CC for non-government-system coordination.
24. EFF Coders’ Rights Project 2026 documentation: https://www.eff.org/issues/coders. The project’s case archive (the EFF maintains a public archive of researcher-defense cases) and the Coders’ Rights Handbook are the canonical references.
25. Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. § 2510 et seq. The 1986 amendments to the federal Wiretap Act of 1968 extended the framework to electronic communications and brought cellular communications under the interception prohibition. Statute text via Cornell LII: https://www.law.cornell.edu/uscode/text/18/2510.
26. FCC rules — 47 CFR Parts 15 (radio frequency devices), 80 (maritime services), 87 (aviation services), 90 (private land mobile radio services), 95 (personal radio services), 97 (amateur radio service). Accessible via the eCFR: https://www.ecfr.gov/current/title-47.
27. FCC Enforcement Bureau, In the Matter of Marriott International, Inc. and Marriott Hotel Services, Inc., File No. EB-IHD-13-00011303 (October 3, 2014). Marriott consented to a $600,000 forfeiture. The enforcement advisory cited 47 U.S.C. § 333 and FCC Rule 15.5. Subsequent enforcement actions against Smart City Holdings (2015) and others followed the same framework.
28. (ISC)², “Code of Ethics.” https://www.isc2.org/Ethics. The four-canon code is binding on all (ISC)² certification holders; the Ethics Committee adjudicates complaints.
29. EC-Council, “Code of Ethics.” https://www.eccouncil.org/code-of-ethics/. Binding on all EC-Council certification holders.
30. ISACA, “Code of Professional Ethics.” https://www.isaca.org/credentialing/code-of-professional-ethics. Binding on all ISACA certification holders.
31. SANS GIAC, “Code of Ethics.” https://www.giac.org/about/ethics/. Affirmed at certification and at renewal.
32. OffSec, ethics commitments built into certification renewal. https://www.offsec.com/legal-docs/.
33. David Dittrich and Erin Kenneally, eds., “The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research,” U.S. Department of Homeland Security Science and Technology Directorate, August 2012. https://www.dhs.gov/sites/default/files/publications/CSD-MenloPrinciplesCORE-20120803_1.pdf. The Menlo Report adapts the Belmont Report principles to ICT research; widely adopted as the academic-security-research ethics framework.
34. United States v. Sullivan, No. 3:20-cr-00337 (N.D. Cal.). Conviction October 5, 2022 on charges of obstructing a Federal Trade Commission investigation (18 U.S.C. § 1505) and misprision of a felony (18 U.S.C. § 4) related to the 2016 Uber data-breach cover-up (the breach affected 57 million Uber customers and 600,000 drivers). Sullivan was sentenced on May 4, 2023 to three years’ probation, 200 hours of community service, and a $50,000 fine (federal prosecutors had sought 15 months’ imprisonment but were denied). The Ninth Circuit affirmed the conviction in March 2025 (United States v. Sullivan, No. 23-927 (9th Cir.)), making the conviction final. The case is the canonical “post-breach handling can be more consequential than the breach itself” precedent — the first conviction of a corporate security officer for breach-related conduct, now with appellate-court affirmation.