There's an assumption in here that every developer is spending a load of money on the latest and most capable LLMs to scan for bugs in their code before every release.
But the last couple of decades have shown us that huge numbers of developers aren't even following basic and free secure development practices, let alone pouring money into expensive scanning tools.
There is a history of companies and organisations threatening legal action against security researchers when they report vulnerabilities in their systems or products.
Sometimes even when the testing has been completely offline - I know people who have downloaded some software, carried out testing against a local copy of it, and then faced legal threats when they tried to report serious security vulnerabilities to the vendor.
It's one of the reasons that some researchers don't bother trying to talk to the vendors and just go straight to full disclosure, or if they do report to vendors they do so anonymously. But if you have to pay, that's creating a link back to yourself which makes the latter much harder.
If I've stumbled across what I think is a security issue in your systems, there is zero chance that I'm going to get out my credit card and pay you for the privilege of responsibly disclosing it to you. Especially if the vulnerability is in the site hosting the contact form.
Historically there have been vulnerabilities in various applications due to HTTP method tampering, and in the days of people accidentally leaving WebDAV enabled then methods like PUT and DELETE could be very damaging. Plus the issues with TRACK and TRACE.
Given that most websites only ever use a handful of methods (even once you account for REST APIs using PUT, PATCH and DELETE now), and that list very rarely changes, the WAF developers tend to look at this question from the opposite angle: when you know there are only half a dozen widely used methods, why would you allow anything else by default?
Legally speaking, no - it would still be a criminal offence.
Practically speaking, there is zero chance that the USA would extradite someone to Iran, even if they weren't currently at war with them. Whether they did anything about it would probably depend on exactly what the situation was - there's a big difference between targeting IRGC or defence systems and ransomwaring an Iranian hospital or scamming random citizens.
Where they'd probably get you is if you tried to monetise it, and get stolen/extorted cryptocurrencies (or whatever) into your bank account. But that could easily fall under tax evasion laws rather than computer misuse ones, because they'd be a lot easier to prove in court.
It would be very dependent on the exact circumstances - who made a complaint, what exactly they're accusing you of, what evidence there is, how high profile it is, the current diplomatic position (which changes by the hour), etc, etc. I don't think you can really get a simple answer for this kind of question.
There have been a lot of nice quality-of-life changes in the 3.7 builds (which have now become 5.0.0) that make going back to the older versions a bit painful.
Also some pretty major gameplay and balance changes, some of which are pretty controversial. But overall, I think that it's a big improvement, and although I don't necessarily agree with all the changes it certainly makes the mid and late game a lot more interesting and varied (not to mention dangerous) than it was in 3.6.7.
Against the Storm (an excellent roguelite city-builder) does this in a really cool way. Pausing is a core mechanic of the game, and you frequently pause while you place buildings or things like that - and all the visual animations stop (fire, rain, trees swaying, etc).
But when you find a broken ancient seal in the forest, the giant creepy eyeball moving around in it keeps moving even when you pause the game, which helps emphasise how other-worldly it is.