Whistleblower or Criminal?
Security Focus reports that 25-year-old Eric McCarty has been charged with breaching USC computer security after reporting the vulnerability to Security Focus.
DOJ attorney Michael Zweiback says that McCarty ran afoul of the law when he went beyond demonstrating the vulnerability and "gained additional information regarding the personal records of the applicant."
Now, obviously, there may be more to the story.
But it's been my experience that if you suspect a security problem, you're caught in a catch-22. Call the owner of the system and report the problem, and they'll ignore you. Demonstrate the problem so that they can't ignore you, and you get arrested.
From the article at Security Focus, it looks like McCarty is getting screwed to the tune of 10 years in prison.
Update 4/26: I'm far from the only one concerned. Security Focus has more.
Update 5/10: Wired: Spot a Bug, Go to Jail