County pays $600,000 to pentesters it arrested for assessing courthouse security
"The case was brought by Gary DeMercurio and Justin Wynn, two penetration testers who at the time were employed by Colorado-based security firm Coalfire Labs. The men had written authorization from the Iowa Judicial Branch to conduct "red-team" exercises, meaning attempted security breaches that mimic techniques used by criminal hackers or burglars. The objective of such exercises is to test the resilience of existing defenses using the types of real-world attacks the defenses are designed to repel."
"The event galvanized security and law-enforcement professionals. Despite the legitimacy of the work and the legal contract that authorized it, DeMercurio and Wynn were arrested on charges of felony third-degree burglary and spent 20 hours in jail, until they were released on $100,000 bail ($50,000 for each). The charges were later reduced to misdemeanor trespassing charges, but even then, Chad Leonard, sheriff of Dallas County, where the courthouse was located, continued to allege publicly the men had acted illegally and should be prosecuted."
"Reputational hits from these sorts of events can be fatal to a security professional's career. And of course, the prospect of being jailed for performing authorized security assessment is enough to get the attention of any penetration tester, not to mention the customers that hire them. "This incident didn't make anyone safer," Wynn said in a statement. "It sent a chilling message to security professionals nationwide that helping [a] government identify rea"
Gary DeMercurio and Justin Wynn were authorized penetration testers employed by Coalfire Labs who conducted red-team exercises at a county courthouse in Iowa. The Iowa Judicial Branch provided written authorization and the rules of engagement explicitly permitted physical attacks, including lockpicking, so long as no significant damage occurred. The testers were arrested in 2019 on felony third-degree burglary charges, spent about 20 hours in jail, and were released on $100,000 bail. Charges were later reduced to misdemeanor trespassing while local law enforcement continued to allege illegal conduct. The testers sued for wrongful arrest and defamation and will receive a $600,000 settlement.
Read at Ars Technica