County pays $600,000 to pentesters it arrested for assessing courthouse security

In a significant legal resolution, two security experts will receive $600,000 from an Iowa county after being wrongfully arrested during an authorized security evaluation of a courthouse in 2019. Gary DeMercurio and Justin Wynn, employed by the security company Coalfire Labs, were conducting a 'red-team' exercise aimed at identifying vulnerabilities in the courthouse's defenses. With explicit permission from the Iowa Judicial Branch, the duo's exercise was designed to simulate real-world attacks, including physical security breaches like lockpicking, without causing substantial damage. Despite having the necessary authorization, DeMercurio and Wynn were taken into custody and faced felony burglary charges, spending 20 hours in jail before being released on bail. The charges were later downgraded to misdemeanors, yet Sheriff Chad Leonard continued to assert that their actions were illegal. This incident has raised serious concerns within the cybersecurity community, as it sends a discouraging message about the risks faced by security professionals performing legitimate assessments. Wynn expressed his apprehension, stating that such actions threaten public safety rather than enhance it, as they deter experts from helping governments identify and address security weaknesses. The night of their assessment on September 11, 2019, was intended to be routine, but a simple act of closing an unlocked door led to a chain reaction that resulted in their arrest. The incident has sparked a broader discussion about the need for clearer protections for security professionals engaged in authorized assessments.