If you are looking into a problem on hardware or software you own, then I have no problem with that. That is exactly what you describe. Ditto if the equipment / software belongs to someone you work for, or a customer, and they have asked you to check it out. Heck, I do THAT sort of thing (though in a much different area of electronics) all the time. If you inform the hardware / software provider that there is a problem, and then they do not respond after several such attempts, then ok: If you feel that you should alert others so that they can take appropriate safeguards, that’s fine too. What I have a problem with is people who try to “break in”, so to speak, where they have not been invited, where they have no ownership, etc.
Now, if you send commands to a web server in order to view what’s on someone’s website, such as in response to an implied invitation, of course that’s ok. Ie., “Come check out our cool products” is essentially the message if someone puts up a web site with their products listed therein. If that website generates so much legitimate traffic that it crashes, well, that’s a good problem to have! (And a better one to solve.) But if someone starts sending that website strings of data that can throw a monkey wrench into the works, INTENDING that result or possible result, uninvited, then that someone is in the wrong. So far as I know, my web browser sends out a lot of “inquiries”, but does not intentionally try to break into other’s accounts uninvited, throw that proverbial monkey wrench into the works just to see sparks fly, etc.
Put another way, it is one thing for someone to come to my door and knock, to request to come in. It’s quite another for them to pick the lock and come in without my permission.
As an aside, I would mention that not so many years ago, in probably the majority of the land area of the U.S., most people found it unnecessary to lock their house or car during the day. Robert Heinlein postulated much the same thing in a future society he described in “The Moon Is A Harsh Mistress.” I think it has to do both with self respect / honor, and with respect for others.
Well, that's the problem. Internet protocols are designed for flexibility. What today might be a string of data that horks up a system, tomorrow might be accepted as a new, useful feature.
As such, servers on the Internet are supposed to accept all data sent to them, discard the stuff they don't know what to do with and properly process the rest.
It a web server takes a string of data and does something harmful, that's a bug. There are people that intentionally search for such things. And there are times when such things are found by accident.
Put another way, it is one thing for someone to come to my door and knock, to request to come in. It’s quite another for them to pick the lock and come in without my permission.
Quite true. If someone disables the locks on your house, that person is a criminal. That person should be prosecuted.
However, if you've been told time and time again that there is a bug in your brand of locks, and a good thump will disable them, then you are at fault for not doing something about it. It's not something you should be prosecuted for, and it doesn't negate the fact that the person doing the bumping is a criminal, but expect to be chastised for not taking the vulnerability seriously.