"What US statute is the primary federal computer-intrusion law, and which two subsections matter for security testing?" "18 U.S.C. § 1030 (CFAA). § 1030(a)(2) = accessing 'without authorization' or 'exceeding authorized access.' § 1030(a)(5) = intentional/reckless damage. Both civil and criminal liability." c2a::s00::recall "What did Van Buren v. United States (593 U.S. 374, 2021) hold, in one sentence?" "'Exceeds authorized access' means accessing a file/folder/database you are NOT authorized to access at all — NOT accessing an authorized area for an improper purpose. The 'gates-down' interpretation." c2a::s00::recall "Did Van Buren create a general good-faith defense to CFAA? Did it touch the threshold question of authorization itself?" "NO to both. It narrowed the CFAA re: misuse of AUTHORIZED access. It did NOT create a good-faith defense, and out-of-scope access (never authorized) remains cleanly unprotected. 'Moved the fence, did not remove it.'" c2a::s00::analysis "For a harness, what does the gates-down model make authorization?" "Binary at the gate. Either the scope file permits the target, or the tool call is a potential § 1030(a)(2) violation. Build the gate (scope enforcement), not a motive detector." c2a::s00::application "How does the UK Computer Misuse Act 1990 differ from the post-Van Buren CFAA for researchers?" "Broader, and NO statutory researcher safe harbor. Good faith is NOT a defense to section 1 (unauthorised access). A harness reaching a UK target needs WRITTEN authorization from the asset owner." c2a::s00::recall "Is there a single 'EU CFAA'? Name the actual layers." "NO single statute. Layered: Directive 2013/40/EU (member-state crimes, e.g. DE §202a StGB, FR art. 323-1) + GDPR (the dominant risk — PII capture makes you a data controller) + NIS2 (incident reporting)." c2a::s00::recall "Is the EU Cyber Resilience Act a pentest-authorization statute?" "NO. The CRA (Reg. 2024/2847) imposes product-security obligations on MANUFACTURERS of products with digital elements. It is adjacent to this module, not central. Treating it as a pentest law is a category error." c2a::s00::analysis "What is the single most underestimated legal risk in EU security testing, and why?" "GDPR. A harness that retrieves personal data as 'proof' makes you a data controller (Art. 5 lawfulness, Art. 32 security). Penalty ceiling: €20M or 4% of global turnover. Most engineers never account for this." c2a::s00::analysis "What is the 'authorization chain,' and what is the rule about breaks in it?" "The unbroken sequence of permissions from asset owner → sponsor → policy/SOW → scope file → scope enforcement middleware → individual tool call. A break ANYWHERE voids legal cover for everything downstream. Cover is created only at the top (owner's consent)." c2a::s00::recall "Name the three breaks in the authorization chain." "(1) Sponsor ≠ Owner (operator doesn't hold owner authorization). (2) Action outside RoE (in-scope host, forbidden action — still legally out of scope). (3) Stale scope (target removed since the file was written; 'was current' is not a defense)." c2a::s00::recall "Why must the scope file carry a valid_until date?" "Bug bounty scopes change — targets get decommissioned, sold, or explicitly removed. A harness with a stale file scans no-longer-authorized hosts. valid_until + re-verification each session prevents stale-scope drift (Break 3)." c2a::s00::analysis "A bug bounty program policy is a ___, not a ___. What does that mean?" "A CONTRACT, not a guideline. Reciprocal obligations: authorization + safe harbor in exchange for RoE compliance. Breach the RoE → potentially breach the contract → LOSE the safe harbor that was your legal protection." c2a::s00::recall "What is the Disclose.io / HackerOne / Bugcrowd standard for scope?" "Scope must be an EXHAUSTIVE list of in-scope properties for which the org explicitly provides safe harbor — NOT 'anything *.example.com.' Exclusions override apparent in-scope matches and are checked AFTER matching." c2a::s00::recall "Scope (target list) vs Rules of Engagement — what's the difference, and why does a harness need to enforce BOTH?" "Scope = WHERE you may test. RoE = WHAT you may do (minimum testing, no DoS, no exfil, rate caps). A harness enforcing only the target list is enforcing half the contract. An RoE-violating action on an in-scope host is legally out of scope." c2a::s00::analysis "What is CVD, and what is the CERT/CC default coordination window?" "Coordinated Vulnerability Disclosure: report privately → give vendor a fix window → coordinate public release. CERT/CC default = ~45 days (a norm, not a law). Google Project Zero = ~90 days. Program policy overrides the default." c2a::s00::recall "What are the minimum evidence fields for a security finding? (Name 6+)" "Timestamp (UTC) · Session/trace ID · Exact request · Exact response · Tool + version · CVSS (draft) · Reproduction steps · SCOPE REFERENCE (the legal anchor tying the finding to the authorization)." c2a::s00::recall "Why is the 'scope reference' field the most important field in an evidence record?" "It is the legal anchor — it ties the finding to the specific scope entry that authorized the call that produced it. A complete, timestamped, scope-referenced evidence chain is the single best protection against a 'you accessed this without permission' accusation." c2a::s00::analysis "For a SQLi, distinguish the finding, the proof, and the breach." "'I can read the users table' = the finding. SELECT COUNT(*) FROM users = the proof. SELECT * FROM users = a breach you just committed (you became a data controller for that data). Capture MINIMUM proof." c2a::s00::application "Name the four evidence retention classes and their retention rules." "Public (no sensitive data) → retain indefinitely. Redacted → retain for engagement + contractual tail. Restricted (real PII/credentials) → destroy on report or per contract, whichever sooner. Document the destruction, not the data." c2a::s00::recall "What is the single biggest danger of an unbounded evidence store?" "You hold a trove of PII + credentials from multiple clients, each with their own regulatory constraints. You have built a breach surface and a compliance violation. An evidence logger that writes forever and never destroys is a compliance time bomb, not an evidence chain." c2a::s00::analysis "Is there a bright-line request rate that separates scanning from DoS? What is the actual threshold?" "NO bright line. The threshold is EFFECT-BASED: if your scanning materially impairs the target's availability, you're in DoS territory — intent satisfied by RECKLESSNESS under several readings of § 1030(a)(5) and CMA s.3." c2a::s00::analysis "What four operational heuristics reduce DoS risk when scanning?" "(1) Default low concurrency (ffuf -t 10, not 500). (2) Rate-limit below visible tolerance (never trip the target's own defenses). (3) Back off on distress (5xx, resets, latency, rate-limits = STOP condition). (4) Respect explicit RoE rate caps from the scope file." c2a::s00::application "Scope enforcement as a legal control vs scope as a system-prompt line — contrast the liability implications." "System-prompt line: model scans out-of-scope anyway → YOU are liable; 'the LLM got confused' is not a defense. Hard-wired middleware: harness CANNOT act outside scope regardless of model → exposure collapses to 'did the scope file authorize this?' (auditable, binary)." c2a::s00::analysis "Scope enforcement and code-execution sandboxing are ___. Explain." "TWO DIFFERENT CONTROL PLANES. Scope = WHERE the agent can reach. Sandbox = WHAT it can do locally. Both required. A harness with a great sandbox but no scope enforcement has contained the agent but let it attack the world." c2a::s00::analysis "If an autonomous harness exceeds authorization, who is liable? Is 'the model did it' a defense?" "The OPERATOR (you) is liable. The harness acted as your instrument; you deployed, configured scope, pointed it at a target. Liability does NOT transfer to the model. 'The model decided to' is not a defense now and unlikely to become one." c2a::s00::recall "Name the four controls that flow from accepting operator liability for agentic escalation." "(1) Autonomy ≤ Level 3 in production (propose→approve→execute). (2) Scope enforcement in code (survive model ignoring the instruction). (3) Audit log: scope_ref per call (reconstruct authorization). (4) Kill switch + bounded blast radius." c2a::s00::recall "What autonomy level is appropriate for real bug bounty/pentest engagements vs isolated lab targets?" "Real engagements: Level 2–3 (propose→approve→execute; the approval gate is a legal control). Level 4–5 (high autonomy) is ONLY for isolated labs, CTFs, benchmark runs — never real programs." c2a::s00::application "What CFAA subsection criminalizes intentional/reckless damage, and how does it apply to scanners?" "§ 1030(a)(5). Reaches reckless and even negligent damage in some readings. An autonomous scanner that takes down a production endpoint — even unintentionally — can cross from civil to criminal exposure. The rate-limit+distress middleware is an (a)(5) mitigation." c2a::s00::analysis "Why is CVSS scoring automated only as a DRAFT, never as a final score?" "Hallucination risk is real here. The model can produce a confident but wrong CVSS vector. Automate as a draft for human review; the final score is a human decision, especially for client-facing reports." c2a::s00::recall "What does the scope_ref stamp on a tool call record, and why does it exist?" "It records WHICH scope entry authorized THIS call at THIS time (e.g. 'target::action::ISO timestamp'). It produces the 'authorization chain to the atom' — the runtime proof that protects the operator if a call is ever questioned. The legal layer realized as a log field." c2a::s00::application