This is great, but since the authors are here, some constructive feedback: if you were to ask me what the most important and misunderstood issue in security research is, I'd say it's the distinction between web application testing (the subject of most bug bounties) and mobile/platform/executable software security research (i.e. finding browser zero-days).
I skimmed the guide and I know the distinction is covered in multiple points throughout, but it would be helpful in future versions of this document to find a way to center it. There are a lot of people who believe that finding browser vulnerabilities is legally risky, and a lot of people who believe there are good-faith security exemptions to testing for XSS vulnerabilities in web sites.
FYI, Thomas (aka tptacek) would be an excellent resource in your area, in case you don't already know that. (He consistently tops the leader board of HN karma points.)
This is US centric. In the UK we have a law preventing pretty much any form of white-hat hacking.
The broadcast industry is awful. If you use censys to search for
"<html><head><title>WMT</title>"
You will find hundreds of video servers, from Saudi Arabia to Poland, from Brazil to India, open to the world on the internet.
Half of these have the default password which is available fairly easily online, and hasn't changed for years (I won't write it down here, but it's insanely easy to crack. Try it once per minute on those servers and you'll get it in a month. Nobody monitors the logs.)
The company that makes these devices (mobile viewpoint) doesn't care - they don't make you change the password on first use, they tell you to open port 80 and 443 up to the world (or port 7071 and 7072 - because their application doesn't work if you do block port 80 and 443, so they run the same server on those higher ports too)
If you know what you're doing you can pull the RTMP preview stream and see what's going on; once you log in, you can shut down these servers. If you really know what you're doing it wouldn't surprise me if you could replace the video with your own stream, as the OS they run is years out of date.
It's not just mobile viewpoint servers though, I've just logged into an NTT encoder in Japan with a username of "admin" and the default blank password. Again, the manufacturer could have insisted on setting a password on first login (which you need to do to configure it), but they don't. No idea what it's streaming, other than it's going into a decoder elsewhere in Japan (which is also admin/blank). While a WMT is easy to DoS and it is theoretically possible to replace its stream, on these it is trivial to replace the stream.
Can't really do much about it, including writing an article lamenting the state of the industry for various industry locations, because it's illegal in the UK to even try to log in to these machines with the default credentials.
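The comment above makes a defender's point in passing: a guess a minute against an internet-exposed encoder works only because nobody reads the logs. The script below is an added illustration of what reading them would catch, not code from the commenter or from any device vendor. The log line format, the sample lines and the IP addresses are constructed for the example, so the regex is an assumption to adapt to a real appliance's format; the thresholds are likewise illustrative. It contrasts a naive per-minute burst rule (which never fires on a one-per-minute pattern) with a low-and-slow rule keyed on total failures and the span they cover, and it records whether a success followed the run of failures.

```python
"""Low-and-slow failed-login detector over constructed auth log lines.

Added example for the thread above; the log format and sample data are
invented for illustration, not taken from any real device.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<timestamp> <source ip> login OK|FAIL user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) login (?P<result>OK|FAIL) user=(?P<user>\S+)$"
)

# Constructed sample log: one source tries "admin" once a minute for 45 minutes
# and then succeeds; a second source is an operator with one typo.
SAMPLE_LOG = "\n".join(
    [f"2024-03-01 10:{m:02d}:00 198.51.100.7 login FAIL user=admin" for m in range(45)]
    + [
        "2024-03-01 10:45:00 198.51.100.7 login OK user=admin",
        "2024-03-01 10:10:00 192.0.2.10 login OK user=operator",
        "2024-03-01 10:11:00 192.0.2.10 login FAIL user=operator",
        "2024-03-01 10:12:00 192.0.2.10 login OK user=operator",
    ]
)


def parse(log_text):
    """Parse matching lines into (timestamp, src, result, user), sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["src"], m["result"], m["user"]))
    return sorted(events)


def burst_rule(events, per_minute_threshold=5):
    """Naive rule: flag a source only if it fails more than N times in one minute.
    A once-per-minute guessing pattern never trips this."""
    buckets = defaultdict(int)
    for ts, src, result, _ in events:
        if result == "FAIL":
            buckets[(src, ts.replace(second=0, microsecond=0))] += 1
    return sorted({src for (src, _), n in buckets.items() if n > per_minute_threshold})


def find_slow_bruteforce(events, min_failures=20, min_span=timedelta(minutes=15)):
    """Flag sources whose total failures are high AND spread over a long span,
    i.e. the pattern the burst rule misses. Returns {src: report}."""
    fails = defaultdict(list)
    success_after = {}
    for ts, src, result, user in events:
        if result == "FAIL":
            fails[src].append(ts)
        elif src in fails:  # a success that came after earlier failures
            success_after[src] = (ts, user)
    findings = {}
    for src, stamps in fails.items():
        span = stamps[-1] - stamps[0]
        if len(stamps) >= min_failures and span >= min_span:
            minutes = max(span.total_seconds() / 60, 1)
            findings[src] = {
                "failures": len(stamps),
                "span_minutes": int(span.total_seconds() // 60),
                "rate_per_minute": round(len(stamps) / minutes, 2),
                "success_after": success_after.get(src),
            }
    return findings


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("burst rule flags:", burst_rule(evs))
    for src, report in find_slow_bruteforce(evs).items():
        print(src, report)
```

The important design choice is keying on failure count and elapsed span per source rather than on a per-minute rate; a success recorded after a long run of failures from the same source is the line worth paging on, and it is exactly the line a per-minute threshold discards.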
(Trivia:) Looks like they might have used LaTeX (vice Microsoft Word) to create the PDF.
EDIT: This is mildly noteworthy because the authors are at Harvard Law, and lawyers and law students typically use Word, not LaTeX. The senior author, Harvard Law student Sunoo Park, is also an MIT computer science Ph.D and computer security researcher.
(It took me a while to understand what was being said here: in case it helps anyone else, there is a line break inside of a hyperlink inside of a footnote that is spreading the hyperlink across an entire page of PDF content somehow, so very little is visually wrong--it isn't that page 27 is showing nothing but a link, which is how I initially interpreted this issue report--but the behavior is very wrong: all of the text on page 27 acts as the link.)
I'm curious which state's laws apply? That is, how is jurisdiction determined for a computer network event that might start from a laptop in one state, be routed via the Internet through another state—possibly even out of country—and hit an organization's server in a third state?
That's a great question where there's not an easy answer, to be honest. Choice of law (the question of which state's laws apply) is a complex field with each state having its own rules as to how it decides. It's also a separate question from where you can sue for a particular thing. So it's difficult to analyze either question in the abstract.
I would assume that the jurisdiction would be determined for some intentional harmful act (as opposed to a computer network event - the crime, if any, is that a person did something not that a technical thing happened), and the more relevant states would be the ones where the actor was located and the legal residence of the organization who suffered damages; the location of any involved hardware may have an impact (especially in the discovery process) but they're secondary to that.