Module S00 — Legal, Ethics, and Rules of Engagement
Legal, Ethics, and Rules of Engagement
Non-optional. You are building attack tools. The authorization chain, the disclosure obligations, and the four legal risks unique to autonomous harnesses.
60
minutes
8
artifacts
3
sub-sections
The difference between a bug bounty payout and a federal indictment is not the tool. It is the authorization. A general harness that calls the wrong file wastes a token; a security harness that hits the wrong host commits a crime. This module makes the legal layer explicit — the foundation every engineering decision in Course 2A stands on.
Key Claims
Load-Bearing Claims
Authorization is the harness's license to exist — the difference between a payout and an indictment, not a legal footnote.
Van Buren (2021) narrowed the CFAA but did not remove the gate. Out-of-scope access remains cleanly unprotected. Build the gate (scope enforcement), not a motive detector.
Scope enforcement is a legal control, not an engineering preference. "The LLM got confused" is not a defense to a § 1030(a)(2) charge.
Liability does not transfer to the model. The operator deployed the instrument. Production runs at Level 2–3 autonomy because the approval gate is a legal control.
After This Module
01
Distinguish authorized testing from illegal access under the CFAA, the Computer Misuse Act, and EU regimes — and explain what Van Buren v. United States (2021) changed.
02
Trace an unbroken authorization chain from asset owner to a single harness tool call, and identify the breaks that void legal cover.
03
Read a bug bounty policy as a contract — extract scope, safe harbor, rules of engagement, and evidence obligations into a machine-checkable scope file.
04
Write a CVD timeline and an evidence retention policy that protects both you and the client — including what you must not retain.
05
Define the four harness-specific legal risks (DoS-by-scanner, out-of-scope calls, evidence retention, agentic escalation) and the control for each.
Artifacts
01
Teaching Document
~5,200 words; 3 sub-sections — CFAA/Van Buren, CMA, EU/GDPR, authorization chain, CVD, evidence, harness-specific risks
READ
02
Diagrams
7 diagrams — authorization chain, scope enforcement n8n middleware, gates-down statechart, DoS threshold, evidence lifecycle, CVD timeline, liability flow
READ
03
Slide Deck
reveal.js slide deck, dark theme, design-system teal
READ
04
Teaching Script
Verbatim teaching transcript, [SLIDE N] cues
READ
05
Flashcards
Anki flashcards (TSV)
TEST
06
Exam
Exam bank, Bloom-distributed
TEST
07
Lab Spec
3 labs — scope JSON, CVD + retention templates, pre-engagement checklist (produces the input to S01's scope middleware)
DO
08
Module Web Page
Single-file HTML hub
HERE