To answer the first question, a number of veteran independent researchers probably wouldn’t have touched such a system. Plenty of companies will send their lawyers after you if you tell them that you’ve discovered a vulnerability of some sort and wish to responsibly disclose. Even if you do things in good faith, the company has zero reason to assume the best from you and can hold a sword over your head by citing poorly-written laws that lean in their favor regarding computer fraud and abuse.
replyDoD does appear to offer a “Defense Industrial Base - Vulnerability Disclosure Program” for all public-facing DoD/DoW systems.[1] However, this might not include contractor-controlled assets or services. I cannot view the HackerOne page that it redirects to (login is required) to view more details.
[1]: https://www.dc3.mil/Missions/Vulnerability-Disclosure/DIB-Vu...
The line between security research and espionage seems really thin.
reply> How do independent researchers do this with legal safety?
replyIn my experience it’s usually foreign nationals from third-world countries doing drive-by beg-bounty testing. Presumably they don’t much consider legality.
> Presumably they don’t much consider legality.
replyOr the operation is not even illegal where they come from?