"What US statute is the primary federal computer-intrusion law, and which two subsections matter for security testing?"	"18 U.S.C. § 1030 (CFAA). § 1030(a)(2) = accessing 'without authorization' or 'exceeding authorized access.' § 1030(a)(5) = intentional/reckless damage. Both civil and criminal liability."	c2a::s00::recall
"What did Van Buren v. United States (593 U.S. 374, 2021) hold, in one sentence?"	"'Exceeds authorized access' means accessing a file/folder/database you are NOT authorized to access at all — NOT accessing an authorized area for an improper purpose. The 'gates-down' interpretation."	c2a::s00::recall
"Did Van Buren create a general good-faith defense to CFAA? Did it touch the threshold question of authorization itself?"	"NO to both. It narrowed the CFAA re: misuse of AUTHORIZED access. It did NOT create a good-faith defense, and out-of-scope access (never authorized) remains cleanly unprotected. 'Moved the fence, did not remove it.'"	c2a::s00::analysis
"For a harness, what does the gates-down model make authorization?"	"Binary at the gate. Either the scope file permits the target, or the tool call is a potential § 1030(a)(2) violation. Build the gate (scope enforcement), not a motive detector."	c2a::s00::application
"How does the UK Computer Misuse Act 1990 differ from the post-Van Buren CFAA for researchers?"	"Broader, and NO statutory researcher safe harbor. Good faith is NOT a defense to section 1 (unauthorised access). A harness reaching a UK target needs WRITTEN authorization from the asset owner."	c2a::s00::recall
"Is there a single 'EU CFAA'? Name the actual layers."	"NO single statute. Layered: Directive 2013/40/EU (member-state crimes, e.g. DE §202a StGB, FR art. 323-1) + GDPR (the dominant risk — PII capture makes you a data controller) + NIS2 (incident reporting)."	c2a::s00::recall
"Is the EU Cyber Resilience Act a pentest-authorization statute?"	"NO. The CRA (Reg. 2024/2847) imposes product-security obligations on MANUFACTURERS of products with digital elements. It is adjacent to this module, not central. Treating it as a pentest law is a category error."	c2a::s00::analysis
"What is the single most underestimated legal risk in EU security testing, and why?"	"GDPR. A harness that retrieves personal data as 'proof' makes you a data controller (Art. 5 lawfulness, Art. 32 security). Penalty ceiling: €20M or 4% of global turnover. Most engineers never account for this."	c2a::s00::analysis
"What is the 'authorization chain,' and what is the rule about breaks in it?"	"The unbroken sequence of permissions from asset owner → sponsor → policy/SOW → scope file → scope enforcement middleware → individual tool call. A break ANYWHERE voids legal cover for everything downstream. Cover is created only at the top (owner's consent)."	c2a::s00::recall
"Name the three breaks in the authorization chain."	"(1) Sponsor ≠ Owner (operator doesn't hold owner authorization). (2) Action outside RoE (in-scope host, forbidden action — still legally out of scope). (3) Stale scope (target removed since the file was written; 'was current' is not a defense)."	c2a::s00::recall
"Why must the scope file carry a valid_until date?"	"Bug bounty scopes change — targets get decommissioned, sold, or explicitly removed. A harness with a stale file scans no-longer-authorized hosts. valid_until + re-verification each session prevents stale-scope drift (Break 3)."	c2a::s00::analysis
"A bug bounty program policy is a ___, not a ___. What does that mean?"	"A CONTRACT, not a guideline. Reciprocal obligations: authorization + safe harbor in exchange for RoE compliance. Breach the RoE → potentially breach the contract → LOSE the safe harbor that was your legal protection."	c2a::s00::recall
"What is the Disclose.io / HackerOne / Bugcrowd standard for scope?"	"Scope must be an EXHAUSTIVE list of in-scope properties for which the org explicitly provides safe harbor — NOT 'anything *.example.com.' Exclusions override apparent in-scope matches and are checked AFTER matching."	c2a::s00::recall
"Scope (target list) vs Rules of Engagement — what's the difference, and why does a harness need to enforce BOTH?"	"Scope = WHERE you may test. RoE = WHAT you may do (minimum testing, no DoS, no exfil, rate caps). A harness enforcing only the target list is enforcing half the contract. An RoE-violating action on an in-scope host is legally out of scope."	c2a::s00::analysis
"What is CVD, and what is the CERT/CC default coordination window?"	"Coordinated Vulnerability Disclosure: report privately → give vendor a fix window → coordinate public release. CERT/CC default = ~45 days (a norm, not a law). Google Project Zero = ~90 days. Program policy overrides the default."	c2a::s00::recall
"What are the minimum evidence fields for a security finding? (Name 6+)"	"Timestamp (UTC) · Session/trace ID · Exact request · Exact response · Tool + version · CVSS (draft) · Reproduction steps · SCOPE REFERENCE (the legal anchor tying the finding to the authorization)."	c2a::s00::recall
"Why is the 'scope reference' field the most important field in an evidence record?"	"It is the legal anchor — it ties the finding to the specific scope entry that authorized the call that produced it. A complete, timestamped, scope-referenced evidence chain is the single best protection against a 'you accessed this without permission' accusation."	c2a::s00::analysis
"For a SQLi, distinguish the finding, the proof, and the breach."	"'I can read the users table' = the finding. SELECT COUNT(*) FROM users = the proof. SELECT * FROM users = a breach you just committed (you became a data controller for that data). Capture MINIMUM proof."	c2a::s00::application
"Name the four evidence retention classes and their retention rules."	"Public (no sensitive data) → retain indefinitely. Redacted → retain for engagement + contractual tail. Restricted (real PII/credentials) → destroy on report or per contract, whichever sooner. Document the destruction, not the data."	c2a::s00::recall
"What is the single biggest danger of an unbounded evidence store?"	"You hold a trove of PII + credentials from multiple clients, each with their own regulatory constraints. You have built a breach surface and a compliance violation. An evidence logger that writes forever and never destroys is a compliance time bomb, not an evidence chain."	c2a::s00::analysis
"Is there a bright-line request rate that separates scanning from DoS? What is the actual threshold?"	"NO bright line. The threshold is EFFECT-BASED: if your scanning materially impairs the target's availability, you're in DoS territory — intent satisfied by RECKLESSNESS under several readings of § 1030(a)(5) and CMA s.3."	c2a::s00::analysis
"What four operational heuristics reduce DoS risk when scanning?"	"(1) Default low concurrency (ffuf -t 10, not 500). (2) Rate-limit below visible tolerance (never trip the target's own defenses). (3) Back off on distress (5xx, resets, latency, rate-limits = STOP condition). (4) Respect explicit RoE rate caps from the scope file."	c2a::s00::application
"Scope enforcement as a legal control vs scope as a system-prompt line — contrast the liability implications."	"System-prompt line: model scans out-of-scope anyway → YOU are liable; 'the LLM got confused' is not a defense. Hard-wired middleware: harness CANNOT act outside scope regardless of model → exposure collapses to 'did the scope file authorize this?' (auditable, binary)."	c2a::s00::analysis
"Scope enforcement and code-execution sandboxing are ___. Explain."	"TWO DIFFERENT CONTROL PLANES. Scope = WHERE the agent can reach. Sandbox = WHAT it can do locally. Both required. A harness with a great sandbox but no scope enforcement has contained the agent but let it attack the world."	c2a::s00::analysis
"If an autonomous harness exceeds authorization, who is liable? Is 'the model did it' a defense?"	"The OPERATOR (you) is liable. The harness acted as your instrument; you deployed, configured scope, pointed it at a target. Liability does NOT transfer to the model. 'The model decided to' is not a defense now and unlikely to become one."	c2a::s00::recall
"Name the four controls that flow from accepting operator liability for agentic escalation."	"(1) Autonomy ≤ Level 3 in production (propose→approve→execute). (2) Scope enforcement in code (survive model ignoring the instruction). (3) Audit log: scope_ref per call (reconstruct authorization). (4) Kill switch + bounded blast radius."	c2a::s00::recall
"What autonomy level is appropriate for real bug bounty/pentest engagements vs isolated lab targets?"	"Real engagements: Level 2–3 (propose→approve→execute; the approval gate is a legal control). Level 4–5 (high autonomy) is ONLY for isolated labs, CTFs, benchmark runs — never real programs."	c2a::s00::application
"What CFAA subsection criminalizes intentional/reckless damage, and how does it apply to scanners?"	"§ 1030(a)(5). Reaches reckless and even negligent damage in some readings. An autonomous scanner that takes down a production endpoint — even unintentionally — can cross from civil to criminal exposure. The rate-limit+distress middleware is an (a)(5) mitigation."	c2a::s00::analysis
"Why is CVSS scoring automated only as a DRAFT, never as a final score?"	"Hallucination risk is real here. The model can produce a confident but wrong CVSS vector. Automate as a draft for human review; the final score is a human decision, especially for client-facing reports."	c2a::s00::recall
"What does the scope_ref stamp on a tool call record, and why does it exist?"	"It records WHICH scope entry authorized THIS call at THIS time (e.g. 'target::action::ISO timestamp'). It produces the 'authorization chain to the atom' — the runtime proof that protects the operator if a call is ever questioned. The legal layer realized as a log field."	c2a::s00::application
