Except that, if you're going after the bounty, you'll have read the rules, which define the particular attempts you're making as out of bounds, i.e., still malicious.
I'm trying, but failing, to find a recent article about a guy who found a password in a dropbox for another company that had a "hack us" contest, and subsequently was indirectly accused of potentially illegal conduct (they settled on sending him a shirt instead of money).
That's my point though, he certainly didn't go to jail, did he?
These are still new enough that a person could mask any legitimate hacking attempts in the guise of "I didn't know I couldn't do that". So you get to be as malicious as you'd like, and no one's going to come after you, lest an Internet mob forms or something.
It wasn't a hack us contest, just a bug bounty that applied to a limited number of domains (not including whatever site the dropbox password went to). That's what I remember, anyway.
I'm trying, but failing, to find a recent article about a guy who found a password in a dropbox for another company that had a "hack us" contest, and subsequently was indirectly accused of potentially illegal conduct (they settled on sending him a shirt instead of money).