Question 1
In Van Buren v. United States (2021), a police officer ran a license plate search using his legitimately issued credentials, but for personal gain rather than official law enforcement purposes. The Supreme Court held this was NOT a CFAA violation. Which statement best describes the legal test the Court established?
A. Any use of legitimately obtained credentials is authorized access, regardless of purpose, as long as no technical barriers are circumvented.
B. A user "exceeds authorized access" only when they cross a technical gate to data they have no permission to access (the "gates up or down" test), not when they misuse legitimately accessible data for a prohibited purpose.
C. The Court held that law enforcement credentials carry blanket authorization for any database accessible to the officer's role.
D. The Court held that purpose-based CFAA violations are now prosecuted exclusively under state computer fraud statutes.
Question 2
A bug bounty program's scope page reads: "*.megacorp.com is in scope." A researcher discovers an IDOR in app.megacorp.com that chains through an in-scope API gateway into the backend payment processing system, which is explicitly excluded from scope. The researcher follows the chain and documents the payment system's internal API structure. What is the most accurate legal assessment?
A. The researcher is fully protected; the vulnerability chain began at an in-scope host, making all reachable systems in scope by implication.
B. The researcher's protection ends at the scope boundary; accessing the out-of-scope payment system constitutes unauthorized access under CFAA § 1030(a)(2) regardless of how the researcher arrived there.
C. CFAA does not apply because the researcher did not authenticate directly to the payment system; they arrived via a legitimate API chain.
D. The program's safe harbor extends automatically to all third-party systems reachable from in-scope hosts.
Question 3
In United States v. Auernheimer (3d Cir. 2014), the conviction was vacated. Security researchers frequently cite this case as establishing that accessing publicly exposed data does not violate the CFAA. What does the case actually hold?
A. The Third Circuit held that accessing an unauthenticated API endpoint does not constitute CFAA unauthorized access because no technical gate was present.
B. The conviction was vacated solely on venue grounds; the court never reached the merits of whether the CFAA theory was valid, so the government's theory was neither endorsed nor rejected on appeal and remains untested.
C. The court held that the systematic enumeration of sequential identifiers is protected research activity under the First Amendment.
D. The court held that AT&T's failure to authenticate the endpoint constituted implied consent to access it.
Question 4
A HackerOne program includes standard safe harbor language stating the company "will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy." A researcher operating within scope finds a critical vulnerability. The DOJ independently learns of the testing activity. Which statement about the safe harbor's effect on criminal prosecution is most accurate?
A. The safe harbor clause constitutes "authorized conduct" that fully defeats any CFAA criminal charge, because the company has declared the conduct authorized.
B. No U.S. federal court has held that a private bug bounty safe harbor clause is, by itself, a complete defense to CFAA criminal charges; the clause is evidence of the owner's authorization and of the researcher's good faith, but the DOJ retains discretion to charge despite it.
C. The safe harbor blocks prosecution because the program policy language is incorporated by reference into CFAA's definition of "authorization."
D. The safe harbor blocks prosecution only if the company submits a formal declination letter to the relevant U.S. Attorney's office before charges are filed.
Question 5
The DOJ 2022 CFAA Charging Policy identifies several behaviors that undermine a good-faith research claim. Which of the following behaviors does the policy explicitly flag as inconsistent with good-faith research?
A. Using automated scanners at moderate rates against in-scope targets during off-peak hours.
B. Accessing data beyond what is minimally necessary to demonstrate the vulnerability and retaining data accessed during testing.
C. Reporting a vulnerability within 90 days without waiting for vendor acknowledgment.
D. Testing a system you own from your home network without external authorization documentation.
Question 7
Under the 2024 DMCA security research exemption (37 C.F.R. § 201.40(b)(12)), which of the following activities would NOT qualify for protection?
A. Bypassing authentication on a device you own to identify a firmware vulnerability affecting that device model.
B. Circumventing a TPM on a device you received for testing under a written authorization agreement with the manufacturer.
C. Defeating DRM on a device you do not own, tested remotely via a cloud instance, for the purpose of documenting a security weakness.
D. Reverse engineering a device's authentication protocol to report a vulnerability under coordinated disclosure.
Question 8
A researcher discovers an SQL injection vulnerability on an in-scope target. To "prove scale," the researcher extracts 50,000 user records including names, emails, and hashed passwords, then transmits the dataset to a colleague for verification. Under the Stored Communications Act (18 U.S.C. § 2701) and GDPR Art. 5(1)(b), what exposures are created?
A. No new exposure; the bug bounty safe harbor covers all actions taken in furtherance of demonstrating the vulnerability.
B. Potential SCA violation for accessing and transmitting stored electronic communications (to the extent the records include communications held by the provider); potential GDPR violation for processing EU personal data beyond the purpose limitation of Art. 5(1)(b) and the data minimisation requirement of Art. 5(1)(c), and without a lawful basis under Art. 6, since bulk extraction and onward sharing go far beyond the minimal processing needed to demonstrate a vulnerability.
C. Only a GDPR violation, because the SCA does not apply to data accessed via web application SQL injection.
D. Only a civil exposure; criminal SCA charges require proof that the researcher intended to sell the data.
Question 9
Google Project Zero's coordinated vulnerability disclosure timeline allows 90 days from vendor notification, with a 14-day grace period (to day 104) if the vendor commits to a patch by day 90. A researcher discloses publicly on day 75 after finding the vendor's initial response inadequate. Which legal consequence is most likely?
A. No legal consequence; disclosure timelines are industry norms, not legal standards, and the researcher can publish at any time.
B. The premature disclosure may defeat the researcher's good-faith defense under the DOJ 2022 policy and could support a civil CFAA damage claim or tortious interference theory if the early disclosure is used against the vendor.
C. The researcher faces automatic CFAA criminal liability because disclosure before vendor patch constitutes intentional damage under § 1030(a)(5)(A).
D. The disclosure is fully protected under the First Amendment as a matter of public interest speech.
Question 10
A researcher uses Tor to anonymize their testing sessions against an in-scope bug bounty target. The program's safe harbor language makes no mention of anonymization tools. Which statement best describes the legal risk this creates?
A. Using Tor is legally neutral; it is a lawful tool and its use has no effect on good-faith analysis.
B. Prosecutors have cited the use of anonymization tools as evidence of consciousness of guilt, and courts have admitted it as bearing on knowledge and intent; using Tor during authorized research does not by itself void the good-faith defense, but it weakens it, and the safe harbor's silence on the point does not help the researcher.
C. Tor use is only legally significant if the researcher is outside the United States, where local laws prohibit VPN use.
D. The safe harbor clause implicitly covers any means of access to in-scope targets, including Tor, because no technical method is excluded.