The trouble is I am afraid of being sanctioned for uncovering security problems in a system. Other students have been threatened with criminal prosecution by University officials (which is stopped when a tenured professor steps in). It seems to be normal now that companies sue to cover up security research instead of fixing the problem.
This story from the Washington Post only deepens my concern.
So my question is: How do you do security research without the risks of ending up in court or in jail?