I was going to say the headline of the post, "I hacked..." could almost be taken as a confession. But that's not the actual title of the linked article. I'm almost tempted to flag this submission for clickbait embellishment in the title.

It was submitted by the author: https://news.ycombinator.com/item?id=43966279.

Yeah, I agree Auernheimer was a much more attractive target for prosecution, but do you think this student is legally safe in what they're doing here?

I would personally not scrape the endpoint to collect statistics and inform the severity estimation, but I'm a lot more risk averse than most. But prosecution of good-faith security research is disfavored, so as long as you don't do anything to breach the assumption of good faith (as defendants in the trial you mentioned repeatedly did) I think you're probably fine.

The bigger thing is just that there's no actual win in scraping here. It doesn't make the vulnerability report any more interesting; it just reads like they're trying to make the whole thing newsier. Some (very small) risk, zero reward.