@WPalant arguably, it shouldn't matter how strong the protection was. The purpose of security research is to find flaws in protections, the same flaws that could be used to do something malicious. That's the whole point. The differemce between a security researcher and a cybercriminal isn't what protections they bypass, it's what they do after they find out that they can bypass a protection.
Do they report it to the vendor? Or exfiltrate data and sell it on black market?
1/