Pen Testing Legal Hub

Know the Line Before You Cross It

Authorization agreements, safe harbor law, Van Buren analysis, Flipper Zero liability, VDP scope limits, and state law overlays — everything a pen tester needs to stay on the right side of CFAA.

TEMPLATE · 27 SECTIONS · READY TO USE

Penetration Testing & Red Team Authorization Agreement v3.0

Full legal agreement covering parties, scope, IP ranges, timing, rules of engagement, data handling, insurance, indemnification, confidentiality, and governing law. Customize sections 1, 3, 5, and 10 per engagement.

Safe Harbor, VDPs, and Bug Bounty Legal Limits
01u · intermediate

Bug bounty programs and vulnerability disclosure policies tell you which systems to test, but they do not immunize you from criminal prosecution — that power be…

Flipper Zero Legal Liability: Exact Statute + Case Analysis for Security Researchers
01t · intermediate

The Flipper Zero is a legitimate multi-protocol security research tool that can also be a federal crime instrument in under thirty seconds depending on the targ…

CFAA and the Federal Criminal Toolkit
01a · intermediate

This post explains the main federal anti-hacking law in plain English. The key modern question is whether someone broke into a part of a computer system they we…

Bug Bounty Legal Protections: What Security Researchers and Companies Actually Have
01j · intermediate

Bug bounty work is not automatically legal just because it improves security. The safest protection comes from written permission through a bug bounty or disclo…

| Activity | Risk Level | Controlling Statute | Mitigation |
|---|---|---|---|
| Port scanning target in scope | Low — standard recon | CFAA § 1030(a)(2) | Document scope letter before starting |
| Fuzzing authenticated endpoints | Low — if scoped and authorized | CFAA § 1030(a)(2) | Stay within authenticated session only |
| Auth bypass / privilege escalation | Medium — collect min proof only | CFAA § 1030(a)(2) | Screenshot + stop; don't exfiltrate real data |
| Extracting real PII as PoC | High — even with authorization | CFAA + GDPR Article 33 | Use synthetic data; never copy real PII |
| Testing third-party systems via target | High — almost never in scope | CFAA § 1030(a)(2)/(a)(5) | Get explicit written authorization for each system |
| Public disclosure before patch | High — DMCA + CFAA exposure | 17 U.S.C. § 1201 | Honor 90-day window; follow CVD process |
| Flipper Zero on target RF systems | Medium–High | CFAA + FCC § 333 | FCC jamming is strict liability — no defense |
| BadUSB / HID injection in scope | Low if authorized | CFAA § 1030(a)(5) | Scope letter must explicitly name physical attacks |