{
  "module": "S00 — Legal, Ethics, and Rules of Engagement",
  "course": "2A — Building AI Harnesses for Cybersecurity",
  "version": "1.0.0",
  "duration_minutes": 45,
  "total_questions": 25,
  "bloom_distribution": {
    "target": "20% recall / 40% application / 40% analysis-design",
    "actual": { "recall": 5, "application": 10, "analysis": 10 }
  },
  "passing_score_percent": 70,
  "questions": [
    {
      "id": "Q01", "bloom": "recall", "type": "multiple_choice",
      "prompt": "Which US statute is the primary federal computer-intrusion law, and which subsection covers 'accessing without authorization or exceeding authorized access'?",
      "options": [
        "18 U.S.C. § 1030; subsection (a)(2)",
        "47 U.S.C. § 605; subsection (a)(1)",
        "18 U.S.C. § 1343; subsection (a)(5)",
        "15 U.S.C. § 6801 (GLBA); subsection (b)"
      ],
      "answer_index": 0,
      "rationale": "The CFAA is 18 U.S.C. § 1030. § 1030(a)(2) covers access 'without authorization' or 'exceeding authorized access.' § 1030(a)(5) covers damage."
    },
    {
      "id": "Q02", "bloom": "recall", "type": "multiple_choice",
      "prompt": "What did Van Buren v. United States (593 U.S. 374, 2021) hold?",
      "options": [
        "Good faith is a complete defense to all CFAA charges.",
        "'Exceeds authorized access' means accessing a file/folder/database you are NOT authorized to access at all — not accessing an authorized area for an improper purpose.",
        "Security researchers are categorically exempt from the CFAA.",
        "The CFAA applies only to government computers."
      ],
      "answer_index": 1,
      "rationale": "Van Buren adopted the 'gates-down' interpretation. It narrowed the CFAA re: misuse of AUTHORIZED access. It did NOT create a good-faith defense or touch authorization itself."
    },
    {
      "id": "Q03", "bloom": "recall", "type": "multiple_choice",
      "prompt": "How does the UK Computer Misuse Act 1990 treat good-faith security research?",
      "options": [
        "Good faith is a statutory defense to section 1.",
        "There is a formal safe harbor identical to HackerOne's.",
        "There is no statutory researcher safe harbor; good faith is not a defense to section 1 (unauthorised access).",
        "Research is legal if no data is exfiltrated."
      ],
      "answer_index": 2,
      "rationale": "The CMA is broader than the post-Van Buren CFAA and has no statutory researcher safe harbor. A harness reaching a UK target needs written authorization from the asset owner."
    },
    {
      "id": "Q04", "bloom": "recall", "type": "multiple_choice",
      "prompt": "Is the EU Cyber Resilience Act a pentest-authorization statute?",
      "options": [
        "Yes — it authorizes third-party security testing of EU products.",
        "Yes — it is the EU equivalent of the CFAA.",
        "No — it imposes product-security obligations on MANUFACTURERS of products with digital elements. It is adjacent to security testing, not a pentest-authorization law.",
        "No — it only applies to consumer IoT, not software testing."
      ],
      "answer_index": 2,
      "rationale": "The CRA (Reg. 2024/2847) governs manufacturer obligations (security-by-design, vulnerability/incident reporting). Treating it as a pentest-authorization statute is a category error."
    },
    {
      "id": "Q05", "bloom": "recall", "type": "multiple_choice",
      "prompt": "What is the CERT/CC default coordination window for coordinated vulnerability disclosure?",
      "options": ["7 days", "30 days", "45 days", "180 days"],
      "answer_index": 2,
      "rationale": "CERT/CC's default is ~45 days as a coordination norm (not a law). Google Project Zero uses ~90 days. Program policy overrides the generic default."
    },
    {
      "id": "Q06", "bloom": "application", "type": "multiple_choice",
      "prompt": "Your harness, operating under a valid bug bounty scope, follows a redirect to a third-party CDN that is NOT in the scope file. The scope enforcement middleware blocks it. What is the correct characterization?",
      "options": [
        "A false positive — the redirect was automatic and the middleware is too strict.",
        "The middleware working as intended — this is a legal control preventing a § 1030(a)(2) violation against a non-authorized party.",
        "A bug — the harness should follow redirects by default and trust the target.",
        "Acceptable — the CDN is shared infrastructure and therefore implicitly in scope."
      ],
      "answer_index": 1,
      "rationale": "The middleware is a legal control. The third party is not covered by the program's safe harbor (which binds only the program owner, not arbitrary third parties). Blocking prevents unauthorized access."
    },
    {
      "id": "Q07", "bloom": "application", "type": "multiple_choice",
      "prompt": "You find a SQL injection that can read a production `users` table containing real PII. The client needs proof. What do you capture as evidence?",
      "options": [
        "`SELECT * FROM users` — full proof maximizes the bounty.",
        "`SELECT COUNT(*) FROM users` or a single redacted row — minimum proof that demonstrates the vulnerability without making you a data controller for the PII.",
        "Nothing — just describe the finding in prose.",
        "A screenshot of the first 100 rows for visual impact."
      ],
      "answer_index": 1,
      "rationale": "Minimum-proof discipline. Capturing the full table makes you a data controller under GDPR / touches breach-notification law. The proof of the vulnerability is the ABILITY to read, not the data itself."
    },
    {
      "id": "Q08", "bloom": "application", "type": "multiple_choice",
      "prompt": "A bug bounty program lists `*.example.com` as in scope and `status.example.com` (a third-party status page) as out of scope. Your harness resolves `status.example.com` as matching the wildcard. What must the scope enforcement do?",
      "options": [
        "Allow it — wildcard matches take precedence.",
        "Check exclusions AFTER matching scope, and block status.example.com as explicitly excluded.",
        "Ask the model whether it thinks the page is third-party.",
        "Allow it but log a warning for human review later."
      ],
      "answer_index": 1,
      "rationale": "Exclusions override apparent in-scope matches. The Disclose.io/HackerOne/Bugcrowd standard requires scope to be checked as: match in-scope, THEN verify not in exclusions. An excluded asset is legally out of scope even if it matches a wildcard."
    },
    {
      "id": "Q09", "bloom": "application", "type": "multiple_choice",
      "prompt": "You discover an exposed AWS access key on an in-scope asset. What is the correct evidence handling?",
      "options": [
        "Store the key in your evidence vault permanently — you may need it to prove impact later.",
        "Report the exposure, redact the key in the report, and securely delete the captured key. Document the destruction.",
        "Use the key to enumerate the victim's S3 buckets for a stronger proof.",
        "Publish the key in a PoC to demonstrate severity."
      ],
      "answer_index": 1,
      "rationale": "Credentials/secrets: report the exposure, redact in the report, securely delete the captured key. Keeping a vault of found keys is a breach waiting to happen. Using the key to enumerate is itself an unauthorized action."
    },
    {
      "id": "Q10", "bloom": "application", "type": "multiple_choice",
      "prompt": "Your nuclei scan starts receiving 5xx responses from an in-scope production target. What should the harness do?",
      "options": [
        "Retry with higher concurrency to power through the errors.",
        "Continue at the same rate — the target is just slow.",
        "Back off (reduce rate); if distress persists, HALT. This is a stop condition and a § 1030(a)(5) mitigation.",
        "Switch to a different scanning tool that doesn't produce 5xx."
      ],
      "answer_index": 2,
      "rationale": "5xx spikes are a distress signal. The threshold between scanning and DoS is effect-based. The harness must react to distress by backing off, and halt if it persists. This is a stop condition, not a retry."
    },
    {
      "id": "Q11", "bloom": "application", "type": "multiple_choice",
      "prompt": "A client engagement requires Level 4 autonomy (minimal approval gates) for speed. The target is a real production program. What is the correct response?",
      "options": [
        "Proceed at Level 4 — speed is the priority.",
        "Run at Level 2–3 (propose→approve→execute). High autonomy is for isolated labs, CTFs, and benchmarks only. The approval gate is a legal control in production.",
        "Run at Level 4 but disable the scope enforcement to reduce overhead.",
        "Run at Level 5 — full autonomy with no human review."
      ],
      "answer_index": 1,
      "rationale": "Autonomy level must be matched to engagement. Production engagements against real programs sit at Level 2–3 because the approval gate is a legal control. Level 4–5 is only for isolated lab targets."
    },
    {
      "id": "Q12", "bloom": "application", "type": "multiple_choice",
      "prompt": "You want to put the scope rules in the system prompt and trust the model to honor them. A senior engineer reviews your design. What do they tell you?",
      "options": [
        "Good approach — the model understands scope well.",
        "Wrong. The model is a reasoner, not an access-control system. Scope must be hard-wired middleware. 'The LLM got confused' is not a defense to a § 1030(a)(2) charge.",
        "Acceptable, as long as you also log the model's decisions.",
        "Fine for CTFs but not for production."
      ],
      "answer_index": 1,
      "rationale": "Scope-as-prompt means the model makes authorization decisions by being asked nicely. If it scans out-of-scope anyway, the operator is liable. Scope enforcement middleware makes the question binary and auditable."
    },
    {
      "id": "Q13", "bloom": "application", "type": "multiple_choice",
      "prompt": "A target that was in scope last week was just decommissioned and acquired by another company. Your harness has the old scope file. What happens without intervention, and what is the fix?",
      "options": [
        "Nothing — old scope files remain valid indefinitely.",
        "The harness scans a no-longer-authorized host (Break 3: stale scope). Fix: scope file must carry valid_until and be re-verified before each session.",
        "The harness automatically detects the ownership change.",
        "The bug bounty platform automatically pushes scope updates to all harnesses."
      ],
      "answer_index": 1,
      "rationale": "Stale scope is Break 3 in the authorization chain. 'The scope was current last week' is not a defense. The scope file needs valid_until and re-verification each session."
    },
    {
      "id": "Q14", "bloom": "application", "type": "multiple_choice",
      "prompt": "Your harness finds a critical vulnerability but the vendor has not responded after 30 days. You want to publish immediately to pressure them. What does CVD say?",
      "options": [
        "Publish immediately — 30 days is more than enough.",
        "Wait for the CERT/CC default ~45-day coordination window (or the program's specified window) before public disclosure. Early disclosure can void safe harbor and raise legal claims.",
        "Publish to a private channel only — that bypasses all rules.",
        "Threaten the vendor with public disclosure as leverage."
      ],
      "answer_index": 1,
      "rationale": "CVD baseline: private report → vendor fix window (~45 days CERT/CC default, or the program's specified window) → coordinated public release. Early public disclosure can void safe harbor even when the initial finding was authorized."
    },
    {
      "id": "Q15", "bloom": "application", "type": "multiple_choice",
      "prompt": "A bug bounty program's safe harbor says it covers 'good-faith security testing.' The RoE says 'no automated scanners above 50 req/sec.' Your harness runs at 200 req/sec and triggers a brief outage. What is your legal position?",
      "options": [
        "Protected — safe harbor covers all good-faith testing.",
        "At risk. Safe harbor is CONDITIONAL on RoE compliance. Exceeding the explicit rate cap + causing an outage likely falls outside the safe harbor and may raise § 1030(a)(5) exposure.",
        "Protected — the rate cap is a guideline, not a contract term.",
        "Protected because the outage was brief and unintentional."
      ],
      "answer_index": 1,
      "rationale": "Safe harbor covers in-scope + RoE-compliant conduct only. An explicit rate cap is a contract term; violating it AND causing an outage likely voids the safe harbor. Intent for § 1030(a)(5) can be satisfied by recklessness."
    },
    {
      "id": "Q16", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "An autonomous harness, operating at Level 4 autonomy, chains 40 out-of-scope actions against a non-authorized party before any human notices. The operator argues 'the model did it.' Analyze the liability.",
      "options": [
        "The model vendor is liable for the model's decisions.",
        "Shared liability between operator and model vendor.",
        "The operator is liable. The harness acted as the operator's instrument; liability does not transfer to the model. 'The model decided to' is not a defense.",
        "No liability — Level 4 autonomy implies the system self-authorizes."
      ],
      "answer_index": 2,
      "rationale": "The operator deployed, configured scope, and pointed the harness at a target. Every legal framework treats the operator of an automated tool as responsible for its acts. This is why production engagements run at Level 2–3 with approval gates."
    },
    {
      "id": "Q17", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "A team argues their harness is safe because 'it has a strong sandbox.' They have no scope enforcement. Analyze the gap.",
      "options": [
        "No gap — a strong sandbox is sufficient.",
        "Critical gap. Sandbox and scope enforcement are TWO DIFFERENT CONTROL PLANES. Sandbox = what the agent can do locally. Scope = where it can reach. A great sandbox with no scope enforcement has contained the agent but let it attack the world.",
        "Minor gap — scope is a system-prompt concern.",
        "No gap as long as the sandbox blocks outbound network."
      ],
      "answer_index": 1,
      "rationale": "Sandboxing (containment) and scope enforcement (authorization) are orthogonal control planes. Both required. A sandbox that blocks outbound network entirely would prevent the harness from doing offensive work at all — the design requires controlled outbound, governed by scope."
    },
    {
      "id": "Q18", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Why does the evidence record need a 'scope reference' field that ties each finding to the specific scope entry that authorized the call?",
      "options": [
        "For performance — it speeds up deduplication.",
        "It is the legal anchor. It reconstructs the authorization chain to the atom, proving each action was permitted. A complete, scope-referenced evidence chain is the best protection against a 'you accessed this without permission' accusation.",
        "For CVSS scoring accuracy.",
        "It is optional metadata for reporting aesthetics."
      ],
      "answer_index": 1,
      "rationale": "The scope_ref field records which scope entry authorized which call, when. It produces the 'authorization chain to the atom' — the runtime proof of authorization that protects the operator if any action is questioned."
    },
    {
      "id": "Q19", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "An engineer proposes storing every tool output (including raw HTTP responses that may contain PII) in a permanent evidence directory with no classification or retention limit. Analyze the risk.",
      "options": [
        "Safe — more evidence is always better.",
        "Building a compliance time bomb. Over-retention of PII/credentials from multiple clients creates a breach surface and violates GDPR/contractual data-handling obligations. Needs per-class retention with enforced destruction.",
        "Safe as long as the directory is encrypted.",
        "Safe if the directory is on the same host as the harness."
      ],
      "answer_index": 1,
      "rationale": "The evidence chain is protection until it becomes liability. Over-retention = holding PII/credentials you are not authorized to keep, creating GDPR exposure and breach risk. The control is a retention policy with per-class periods and enforced destruction."
    },
    {
      "id": "Q20", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "After Van Buren, which of these is STILL a clean § 1030(a)(2) violation (i.e., Van Buren offers no shelter)?",
      "options": [
        "Accessing an authorized database for an improper personal motive.",
        "Using valid credentials to look up data you're permitted to access, but breaking an employer policy in doing so.",
        "Accessing a host or file the scope file never permitted — an area you were never authorized to access at all.",
        "Conducting security testing explicitly authorized by a bug bounty program within its RoE."
      ],
      "answer_index": 2,
      "rationale": "Van Buren narrowed (a)(2) to 'gates-down': improper purpose on an AUTHORIZED area is not a violation. But accessing an area NEVER authorized — out-of-scope host/file — remains a clean violation. The decision moved the fence, not removed it."
    },
    {
      "id": "Q21", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "A program operator runs a bug bounty for a client but the program policy does not explicitly warrant that the client (asset owner) has authorized testing. Analyze the authorization chain.",
      "options": [
        "Intact — the program operator's existence implies owner authorization.",
        "Broken at Break 1 (Sponsor ≠ Owner). Without an explicit chain-of-authorization clause, the sponsor may not hold the owner's authorization, voiding downstream cover.",
        "Intact — bug bounty platforms always carry owner authorization by default.",
        "Broken at Break 3 (stale scope)."
      ],
      "answer_index": 1,
      "rationale": "Break 1: Sponsor ≠ Owner. A program operator that does not explicitly warrant owner authorization breaks the chain. The operator may not have the legal standing to grant you authorization to test the owner's assets."
    },
    {
      "id": "Q22", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "A team wants to automate CVSS scoring as a final, authoritative severity for client reports. Why is this a mistake?",
      "options": [
        "CVSS is obsolete and should not be used at all.",
        "Hallucination risk. The model can produce a confident but wrong CVSS vector. Automate as a DRAFT for human review only; the final score is a human decision, especially for client-facing reports.",
        "CVSS cannot be computed by software.",
        "Automation is fine — CVSS is purely deterministic."
      ],
      "answer_index": 1,
      "rationale": "CVSS vectors require judgment about exploitability and impact that the model may get wrong. S03.4 / S11 cover this: automate the draft, human reviews and finalizes. A wrong CVSS in a client report undermines credibility."
    },
    {
      "id": "Q23", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Compare the GDPR risk vs the computer-crime risk in an EU pentest where the harness exfiltrates real customer data as 'proof.' Which is the larger exposure?",
      "options": [
        "Computer crime — the access itself is the main risk.",
        "GDPR is the dominant risk. Exfiltrating PII makes you a data controller (Art. 5/32) with a penalty ceiling of €20M or 4% of global turnover — often dwarfing any computer-crime exposure. This is the single most underestimated risk in EU testing.",
        "Neither — proof exfiltration is standard practice.",
        "NIS2 reporting obligations are the main risk."
      ],
      "answer_index": 1,
      "rationale": "Most engineers focus on the access (computer crime) and miss that RETAINING personal data triggers GDPR independently. The data-handling act is a separate offence with a higher penalty ceiling. Minimum-proof discipline exists precisely because of this."
    },
    {
      "id": "Q24", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Your harness proposes an out-of-scope action. The scope enforcement middleware blocks it. The model, on the next turn, tries to reason around the block by rephrasing the request. What does this reveal about the design, and what is the correct response?",
      "options": [
        "The middleware is buggy and should be relaxed.",
        "This confirms the middleware is correctly placed as a hard control that does not depend on model compliance. The block holds regardless of the model's reasoning. This is exactly why scope is enforced in code, not in the prompt.",
        "The model should be given a stronger system-prompt instruction instead.",
        "The harness should escalate autonomy to bypass the block."
      ],
      "answer_index": 1,
      "rationale": "The model attempting to route around the block is the precise scenario scope-enforcement-in-code is designed for. The block is independent of model behavior. A prompt-based scope would have failed here; the middleware held. This validates the architecture."
    },
    {
      "id": "Q25", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Why is the authorization chain described as 'cover is created only at the top (asset owner's consent), everything below is transmission'?",
      "options": [
        "Because lower links can grant authorization independently.",
        "Because legal cover originates only from the asset owner's actual consent. Each lower link (sponsor, policy, scope file, middleware) only TRANSMITS and formalizes that consent down to the atomic tool call. No lower link can create cover the owner never gave.",
        "Because the scope file is the legally binding document.",
        "Because the middleware creates the authorization."
      ],
      "answer_index": 1,
      "rationale": "Authorization flows top-down. The asset owner's consent is the only origin of legal cover. Every layer below — sponsor, policy, scope file, middleware — is a transmission and formalization mechanism. A break anywhere voids downstream cover because nothing below can independently create it."
    }
  ]
}
