
This is the first I’ve heard of such a widespread problem. Do you have any examples?


I know there was one about a bug bounty researcher finding massive vulnerabilities in a Chinese company's drones (link below). They then claimed he went out of scope (he didn't), and threatened to sue him. A few other cases were reported on ZDNet a few months back about some cases like this. Mostly website/product owners leaving their systems vulnerable after being contacted. Months/years later some researchers did a public disclosure and the companies then tried/did take legal action.

https://news.ycombinator.com/item?id=15721268


I summarized this here: https://news.ycombinator.com/item?id=16642155

Long story short: they didn't sue him. Their legal demanded that he delete DJI IP and secrets. It wasn't a friendly demand, but that's all it looks like it was.


The earliest instance I remember was the DeCSS debacle. In 2001 Dmitry Sklyarov published issues he found with the back-then popular so-called "copy protections". When he gave a talk at DEF CON in Las Vegas, he was arrested.

https://en.wikipedia.org/wiki/United_States_v._Elcom_Ltd.

The irony in this story couldn't be bigger:

- He is a Russian who exercised free speech in the US, and got arrested right there. Imagine that happening with the roles of US and Russia reversed!

- He was only dropped from prosecution in exchange for agreeing to testify and to leave the US. Again, imagine that happening with the roles of US and Russia reversed!

- He essentially provided free research, sharing his findings with the public, instead of abusing them in private.

- It was not even a serious security issue. It was just a flaw in a system which nobody expected to work for long anyway. (Really, how could copy protection ever work without exercising full control over all audio and video hardware? And even those could be reverse engineered over time.)

- Plain copyright law was sufficient to cause all that trouble for him. No computer security laws or homeland security laws were needed.



Probably the most egregious example would be Weev/Andrew Auernheimer and AT&T.

https://www.wired.com/2013/03/att-hacker-gets-3-years/

https://www.wired.com/2014/04/att-hacker-conviction-vacated/


weev attempted to extort and blackmail AT&T. To paint him as an innocent well-intentioned security researcher is a slap in the face to everyone who is.

Charging him under the CFAA was a ridiculous abuse of that law.




These are mostly bad examples, and pretty much none of them are examples of the phenomenon being talked about on this particular subthread:

1. Keeper is suing Dan Goodin, a reporter, for (I think?) defamation. (Keeper is evil and you should never use them, but they're not pursuing the researcher under CFAA or DMCA).

2. Chris Vickery found a database backup of a whole company, analyzed it and found that they were shady, and published directly from the database backup. That's not really vulnerability research, and is a bit akin to finding a vulnerability and then using it to dump an account table to Pastebin.

3. PwC C&D'd (but didn't sue) a firm called ESNC. The software ESNC was testing was available only under an NDA license; I assume ESNC got access transitively through a client. This happens a lot in enterprise pentesting. ESNC published anyways, and nothing happened.

4. DJI rescinded KF's authorization to continue testing when he refused to accept the terms of a bounty (which included both disclosure limitations [which may or may not have been reasonable] and a promise not to do post-compromise pivoting [which is entirely DJI's prerogative]). KF rejects the bounty terms, and DJI legal gets involved and demands that he delete any DJI IP or secrets he's taken. This is unfriendly, but not a lawsuit.


We're talking about the threat of lawsuits, right? Can we be so sure that the word "lawsuit" was never mentioned in any of those discussions?


The predicate at the root of this thread is "starting to file lawsuits or take legal action", against researchers.

Maybe a better way to put it: it's hard to see how any of the examples in this article would be addressed by Dropbox's VDP.


That's a big leap.

Given the rather asymmetric nature of the power in these interactions, even something as simple as just being responded to with a legal letterhead rather than an email from the security department has a stifling effect I'd argue.


Which example from that article would be addressed by Dropbox's VDP?



