Attrition.org has a list of 23 security researchers since 2000 who have faced legal threats by vendors. They offer this analysis/message.
Companies: embrace researchers who are trying to improve the security of your products. Work with them, fix vulnerabilities, and coordinate disclosure. This will go a lot farther toward building customer confidence and help avoid negative publicity.
That number surprises me. Only 23? Given the thousands of security bugs reported each year, and nearly 50,000 reported to NIST, there must be more threats, no?
The Attrition.org site also includes a few counter-examples of “incidents where it was not ‘security research’, but rather activity that was considered a crime by current laws (at the time)” such as installing a keylogger.
Only 23? Probably not. 23 is all we have found or had submitted to us. If there are more, we’d love to know about them.
Thanks for your comment. Do you have a submission form/address? The 2009 halt to Barnaby Jack’s talk comes to mind as another example: “ATM Malware Author Sentenced: 27mos in Prison”