Robert Lemos, SecurityFocus, 2006-04-26
Last Thursday, the U.S. Attorney's Office in the Central District of California leveled a single charge of computer intrusion against San Diego-based information-technology professional Eric McCarty, alleging that he used a Web exploit to illegally access an online application system for prospective students of the University of Southern California last June.
...
The prosecution of the IT professional who found the flaw shows that security researchers have to be increasingly careful of the legal minefield they are entering when reporting vulnerabilities...
So, someone finds a vulnerability in the USC website, and, as far as I can tell, does the right thing by reporting it through a third party (SecurityFocus), and gets a criminal charge from the FBI for thanks.
Without getting into the legalities of the case (which would get us into trouble here), what would you do in USC's place?
I mean, if someone duly reports a flaw he's discovered in your site, would you call down Johnny Law on the guy?