@WPalant arguably, it shouldn't matter how strong the protection was. The purpose of security research is to find flaws in protections, the same flaws that could be used to do something malicious. That's the whole point. The differemce between a security researcher and a cybercriminal isn't what protections they bypass, it's what they do after they find out that they can bypass a protection.
Do they report it to the vendor? Or exfiltrate data and sell it on black market?
1/
@WPalant Which is why I think for laws concerning this to be reasonable, they must make it legal to bypass all protection mechanisms as long as you report your findings to the vendor and don't use the bypass to cause harm or for personal gain.