Module S00 — Legal, Ethics, and Rules of Engagement

Legal, Ethics, and Rules of Engagement

Non-optional. You are building attack tools. The authorization chain, the disclosure obligations, and the four legal risks unique to autonomous harnesses.

60
minutes
8
artifacts
3
sub-sections
The difference between a bug bounty payout and a federal indictment is not the tool. It is the authorization. A general harness that calls the wrong file wastes a token; a security harness that hits the wrong host commits a crime. This module makes the legal layer explicit — the foundation every engineering decision in Course 2A stands on.
Key Claims
Load-Bearing Claims

Authorization is the harness's license to exist — the difference between a payout and an indictment, not a legal footnote.

Van Buren (2021) narrowed the CFAA but did not remove the gate. Out-of-scope access remains cleanly unprotected. Build the gate (scope enforcement), not a motive detector.

Scope enforcement is a legal control, not an engineering preference. "The LLM got confused" is not a defense to a § 1030(a)(2) charge.

Liability does not transfer to the model. The operator deployed the instrument. Production runs at Level 2–3 autonomy because the approval gate is a legal control.

After This Module
01
Distinguish authorized testing from illegal access under the CFAA, the Computer Misuse Act, and EU regimes — and explain what Van Buren v. United States (2021) changed.
02
Trace an unbroken authorization chain from asset owner to a single harness tool call, and identify the breaks that void legal cover.
03
Read a bug bounty policy as a contract — extract scope, safe harbor, rules of engagement, and evidence obligations into a machine-checkable scope file.
04
Write a CVD timeline and an evidence retention policy that protects both you and the client — including what you must not retain.
05
Define the four harness-specific legal risks (DoS-by-scanner, out-of-scope calls, evidence retention, agentic escalation) and the control for each.
Artifacts