CERIAS on Vulnerability Reporting

CERIAS has a blog post on Vulnerability Reporting For The Brave, which based on the title alone already had me ready to pick it apart line by line.

Not today! It turns out that it is targeted towards students who find vulnerabilities in production websites. Unfortunately for researchers, the process of finding vulnerabilities in someone else’s website deployment is similar enough to the process of breaking into it. It is definitely not worth it, and has led to several people getting in trouble with the law.

In the author’s story, he talks about how one of his students found a vulnerability in an application that had been broken into by someone else (allegedly ;)). The detectives decided that this student was a suspect. This is a less-discussed risk of doing free penetration testing: you will show up in the logs and look no different from some bozo who decides to boldly attack a website, and if that happens, you will look like a suspect.

In a way, it’s a shame. One of the factors I use when judging the security quality of an application is the vulnerabilities reported in it. That doesn’t work so well for Google or Yahoo.

On the other hand, playing with other people’s live data is just a bad idea.
