There is no clear legal structure, but two practices are commonly advertised by white-hat professionals:
- only test your access on your own (test) accounts; as long as they can’t prove that you accessed someone else’s information, you should be fine; anecdotally, I have worked for Facebook, where you are not supposed to create fake accounts; on the white-hat page, you can ask to have test accounts for that purpose exclusively: those are entirely independent from the rest of the graph and you are joyfully encouraged to try to hack yours;
- warn the security team ahead of time and tell them that, without feedback from them, you will publish the information in X weeks. If what you have found is valuable, you should hear back fast; if they do not respond, you can argue that it was their silence that let you know this was not their priority (a legally dubious argument, but most of the community will be happy to criticise their silence). You are not bound by their response (some corporations can be very unreasonable), but specifying that you have not hacked any account except a test one should help you if they throw lawyerese at you.
One way to avoid being caught off-guard by those is to have a bounty program, but that’s not in security consultants’ hands.