Legal, Ethics & Rules of Engagement

Module S00 · Course 2A — Building AI Harnesses for Cybersecurity

60 minutes · 3 sub-sections: Authorization & Scope Law · Disclosure & Evidence · Harness-Specific Risks

Non-optional. You are building attack tools. The law defines what that means.

Pillar 0 — Security Harness Foundations

Why this module is non-optional

Course 1 assumed a cooperative target. Every assumption breaks when the target is an adversary and your harness is the weapon.

But before the technical inversion — there is a more fundamental one.

A general harness that calls the wrong file wastes a token.

A security harness that hits the wrong host commits a crime.

The difference between a bug bounty payout and a federal indictment is not the tool. It is the authorization.

The inversion table

Course 1 assumptionCourse 2A reality
Target environment is cooperativeTarget is adversarial by design
Tool outputs are trustedTool outputs may contain injected payloads
Loop runs until task completeLoop runs until evidence threshold met or scope exhausted
Verification = did it work?Verification = can I prove it to a client, program, or court?
Sandbox contains the agentAgent reaches out through the sandbox to attack a target

This module is about the last row's legal dimension — everything else flows through S01 onward.

Three sub-sections, 20 minutes each

S00.1 — Authorization & Scope Law. The statutes, the cases, the authorization chain, the bug bounty contract.

S00.2 — Responsible Disclosure & Evidence Obligations. What you owe the vendor, what evidence you must keep, what you must destroy.

S00.3 — Harness-Specific Legal Risks. Where autonomy creates exposure a human tester never had — and the control for each.

S00.1 — Authorization & Scope Law

The three jurisdictional frameworks a cross-border harness implicates.

US — CFAA
18 U.S.C. § 1030. Access "without authorization" or "exceeding authorized access." Criminal + civil.
UK — CMA 1990
ss. 1, 3. Broader than post-Van Buren CFAA. No statutory researcher safe harbor.
EU — layered
Dir. 2013/40/EU (member-state crimes) + GDPR (the dominant risk) + NIS2. Not a single statute.
CRA — adjacent
Cyber Resilience Act = product-security obligations on manufacturers. NOT a pentest-authorization statute.

Van Buren v. United States (2021)

593 U.S. 374. The Supreme Court adopted the "gates-down" interpretation of "exceeds authorized access."

"Exceeds authorized access" means accessing a file, folder, or database you are not authorized to access at all — not accessing an authorized area for an improper purpose.

What it did: narrowed the CFAA; helped researchers accused of misusing authorized access.

What it did not: create a general good-faith defense, or touch the threshold question of authorization itself. Out-of-scope access remains unprotected.

For a harness: authorization is binary at the gate. The scope file permits the target, or the call is a potential § 1030(a)(2) violation. The decision moved the fence; it did not remove it.

The authorization chain

Authorization is not a document. It is a chain — a sequence of permissions, each linking to the next.

Asset Owner — owns the system under test
Program / Engagement Sponsor
Program Policy / SOW — scope · RoE · safe harbor
Scope File (JSON) — machine-checkable
Scope Enforcement Middleware
Individual Tool Call

A break anywhere voids downstream cover. Three breaks: sponsor≠owner · action outside RoE · stale scope.

Three breaks in the chain

Break 1
Sponsor ≠ Owner. The program operator doesn't hold the asset owner's authorization.
Break 2
Action outside RoE. In-scope host, forbidden action (DoS, exfil). Still legally out of scope.
Break 3
Stale scope. Target removed Wednesday; your file says Monday. "Was current" is not a defense.

The scope file must carry valid_until and be re-verified each session.

The bug bounty program is a contract

Program policy = reciprocal obligations. Authorization + safe harbor in exchange for RoE compliance. Breach the RoE → potentially breach the contract → lose the safe harbor.

ClauseWhat it actually means
ScopeExhaustive in-scope list (HackerOne / Bugcrowd / Disclose.io standard). Not "*.example.com."
ExclusionsOverride apparent in-scope matches. Check after matching, not before.
Rules of EngagementBehavioral: minimum testing, no DoS, no exfil, no social-eng. Distinct from the target list.
Safe HarborConditional. Covers in-scope + RoE-compliant only. Does not bind third parties.
DisclosureCVD baseline. Bounty eligibility often tied to CVD adherence.

S00.2 — Disclosure & Evidence

Coordinated Vulnerability Disclosure (CVD) is the baseline norm.

  • Report privately
  • Give the vendor a fix window
  • Coordinate public release

CERT/CC default ~45 days. Google Project Zero ~90 days. Program policy overrides the default.

Early public disclosure — even on a slow vendor — can void safe harbor and raise trade-secret / misuse claims. The window is the contract.

What evidence you must preserve

A finding without evidence is an opinion. A finding with a reproducible chain is a deliverable — and a legal record.

FieldWhy
Timestamp (UTC)Establishes when — for authorization-window disputes
Session / trace IDCorrelates finding to the scope file in force
Exact request + responseReproducibility — vendor must replay it
Tool + versionTool-specific false positives are real
CVSS (draft)Severity triage — automate as draft only
Reproduction stepsVendor QA must reproduce without you
Scope referenceThe legal anchor — ties finding to authorization

What evidence you must NOT retain

The fact that you can capture a database dump does not mean you may keep it. This is where GDPR exposure lives.
Personal data
PII capture = you become a data controller (GDPR) or touch breach-notification law. Minimum proof only.
Credentials / secrets
Report the exposure. Redact in the report. Securely delete the captured key.

For a SQLi: "I can read the users table" is the finding. SELECT COUNT(*) FROM users is the proof. SELECT * FROM users is a breach you just committed.

The evidence retention lifecycle

Public
No sensitive data. Retain indefinitely (portfolio).
Redacted
Redacted at capture. Retain for engagement + tail.
Restricted
Real PII / credentials. Destroy on report or per contract.

An evidence logger that writes forever and never destroys is building a compliance time bomb, not an evidence chain.

S00.3 — Harness-Specific Legal Risks

Four risks unique to autonomous security harnesses. Each maps to a control that must exist before you point the harness at anything other than an isolated lab.

RiskStatuteControl
1. DoS-by-scannerCFAA § 1030(a)(5); CMA s.3Rate-limit + distress-detection middleware
2. Out-of-scope calls§ 1030(a)(2); CMA s.1Scope enforcement in code (not the prompt)
3. Evidence retentionGDPR; breach lawsPer-class retention + documented destruction
4. Agentic escalationAll of the aboveBounded autonomy + scope enforcement + kill switch

Risk 1 — When scanning becomes DoS

There is no bright-line request rate that separates scanning from DoS. The threshold is effect-based: if your scanning materially impairs availability, you're in DoS territory — intent satisfied by recklessness.

Operational heuristics that reduce risk sharply:

  • Default to low concurrency — ffuf -t 10, not -t 500
  • Rate-limit below visible tolerance — never trip the target's own defenses
  • Back off on distress — 5xx spikes, resets, latency, rate-limits. This is a stop condition.
  • Respect explicit RoE rate caps — the number lives in the scope file

The rate-limit middleware is a § 1030(a)(5) mitigation, not a performance optimization.

Risk 2 — Scope enforcement is a legal control

Scope as a system-prompt line
"Only scan *.target.com." Model scans out-of-scope anyway. You are liable. No court accepts "the LLM got confused."
Scope as hard-wired middleware
Intercepts every outbound call. Checks against structured scope file. Harness cannot act outside scope regardless of model.
Scope enforcement and code-execution sandboxing are two different control planes. Scope = where the agent can reach. Sandbox = what it can do locally. Both required.

Risk 4 — "The model did it" is not a defense

When an autonomous harness commits a § 1030(a)(2) violation, there is no manufacturer-vs-operator contest. The operator — you — deployed the tool. The harness acted as your instrument. Liability does not transfer to the model.

Controls that flow from accepting this:

Autonomy ≤ Level 3 in production
Propose → approve → execute. The approval gate is a legal control.
Scope enforcement in code
Legal posture must survive the model ignoring the instruction.
Audit log: scope_ref per call
Reconstructs authorization for every action.
Kill switch + bounded blast radius
Stoppable instantly; single run can't escape one engagement.

The anti-patterns (each carries a penalty)

Anti-patternThe cure
Scope in the system promptScope enforcement middleware (S01.2)
Full database dump as proofMinimum-proof discipline; classify Restricted; destroy
Unbounded evidence storePer-class retention + automated destruction
High-concurrency scan vs productionRate-limit + distress middleware from the RoE
"The model did it"Bounded autonomy + scope in code + approval gates

What you take into S01

The scope file is the input. The JSON you produce in the S00 lab — authorized targets, rules of engagement, exclusions, valid_until — is exactly what S01's scope enforcement middleware loads and checks on every outbound call.

The legal layer becomes the engineering layer. Authorization is binary at the gate. Scope is a hard-wired control. Evidence is an append-only, scope-referenced log. Retention is enforced, not documented.

Next: S01 — Security Harness Architecture. The offensive state machine. Scope enforcement built. Adversarial tool outputs defended.