http://www.law.cornell.edu/uscode/text/18/1030
Here are the relevant sections:
(a) Whoever--
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains--
(C) information from any protected computer;
shall be punished as provided in subsection (c) of this section.

(e) As used in this section--
(2) the term "protected computer" means a computer--
(B) which is used in or affecting interstate or foreign commerce or communication...

So this means that any server on the Internet is protected, because it is used in interstate communication, and any act intended to gain information about a vulnerability is an offense, unless you are authorized to perform vulnerability scans.
But isn't there a question of intent? There is, but it's not a helpful one for security researchers--if your intent is to discover a vulnerability, you are violating the CFAA. You don't need any intent to cause harm or defraud.
As many others have said, I see this as a serious problem, making many common and important research activities illegal, such as Robert Graham's Bash 'shellshock' scan of the Internet.