A number of years ago, upon getting a Jury Duty notice, I took an observational look at the security of the jury registration site. It quickly became apparent, without exploitation, that it was XSS and SQLi vulnerable. I immediately reached out to the local court IT director with a disclosure, ensuring that I was as clear as possible on the fact that I did not exploit the system. She contacted me within an hour, and I worked with her office over the course of the next several months to confirm the vulnerabilities and, in the end, retire the solution entirely by justifying the budget for replacement. I went from an annoying security researcher to valuable partner. Later that year a number of developers from her team joined me for my annual DEFCON outing and were extremely grateful for the discovery and how I handled it, as they'd been trying to get the solution replaced for years.

Unfortunately, a lot of people either don't know where the line is or don't have the skills to know how to not cross the line. Far too many times I see people toss a tool like SQLMap at something rather than understanding how SQLi works. If you understand SQLi, honestly there is very little need to run an automated discovery and exploitation tool against it, even in cases of blind SQLi; that comes when you have permission, which in my experience isn't hard to get if you come to the table with credible observational security findings.

This particular case appears to be a cut and dried case of attempting to use hacking for political gain.