> there needs to be consent from the company being probed for vulnerabilities
So they never give consent and no vulnerabilities are ever discovered?
If I make and sell bread, there could be a surprise food safety inspection in the middle of the night on Christmas Eve, but don't we dare inconvenience some software firm that holds intimate data on millions of people.
When you get a surprise food safety inspection, you are notified, right? They don't just break into your business without your knowledge and look around. You can refuse them entry, even if it comes with consequences later. They also aren't a random civilian; they have some sort of qualification to be conducting these inspections.
That's what I'm getting at. People keep assuming I am saying protect the business at all cost and it's not the case. I want security research to stop getting sandbagged by discussions of legality.
We should make a legal path forward for security research to be more accessible and to promote behavioral differences between someone conducting research and someone trying to exploit or abuse a vulnerability.