From: McCarty, Eric C. (emccarty@er.ucsd.edu)
Date: Mon Mar 05 2007 - 13:44:36 EST
Honestly, the problem is two-fold:
1) The laws today (in the US) no longer require malicious intent to be
shown for unauthorized access, so imagine you find and report a
vulnerability (with no intent to exploit it for personal gain): you can
still be charged with felony unauthorized access, and chances are you
will be convicted.
This means an XSS vulnerability you find in a website hosted in the US by
typing in http://site.com/script.php?