How, exactly, when you qualify it with "However, the new policy acknowledges that claiming to be conducting security research is not a free pass for those acting in bad faith. For example, discovering vulnerabilities in devices in order to extort their owners, even if claimed as “research,” is not in good faith."?
Seems the rando researcher is subject to the same liabilities as before.
I think that line is just there to state the obvious that you can't say "security researcher" and get off free... your actions determine if you are acting as a researcher, not just a claim.
"discovering vulnerabilities in devices in order to extort their owners, even if claimed as “research,” is not in good faith."
If I had just discovered a vulnerability, and didn't have a written contract authorizing me to do the research, I wouldn't feel the least bit of additional protection from this policy change, and would probably refrain from extorting the owner.
Edit: I had read "extorting" as "extolling" and associated with notification, not extortion. (I even typed "extorting" in this response.) I stand corrected, as extortion changes the tone of the qualification.
"We're not going to charge people for security research" might reduce the chilling effects of some company threatening some rando researcher.