Opinion on grey hat hacking – Digitalmunition


This topic contains 1 reply, has 2 voices, and was last updated by iCkerous 1 month ago.

  • #282405


    Hey, I have been “hacking” for a while now, and was wondering how companies usually react to getting attacked, if it is for the sake of finding vulnerabilities for them?

  • #282406


    Legal suits and pressing charges.

    If you don’t have permission to test something, ask for permission or move on.

  • #282407


    I got rewarded once or twice. Free software for finding a majorish flaw. Certificate of appreciation for finding administrator access via weak password storage at my university.

  • #282408


    Not well, be very careful.

  • #282409


    Consider it from a company’s perspective. They pick up on your hacking, either through monitoring tools or through you wanting to submit a bug report yourself or something.

    You could be acting in good faith or you could be truly malicious. The company simply does not and can not know, so they have to assume you’re a malicious attacker, and will have to act accordingly. Even if a company is 99% sure you don’t mean harm, they’re likely not going to risk the 1% chance you’re actually just trying to help.

    Just always go with bug bounty programs. They’re so widely used for a reason.

  • #282410


    Most companies ignore it if it is a minor vulnerability, if you can present it in a proper way, I mean bug report docs. But in most cases cold emails will not do much. If the bug is outside a bug bounty it will give you bad experiences, but it is best for a real hacker. So I will suggest staying legit with any website’s bug bounty program.

    Bug bounty is a great choice; here are some of the most popular:



  • #282411


    You will exchange your grey hat for an orange jumpsuit.

  • #282412


    I would highly recommend getting contracted as a penetration tester for any company you wish to break into. The CEO or CISO will basically give you a pass if you get caught while you test, so you don’t get charges pressed against you.

    Doing it willy nilly will get you into some serious legal issues.

  • #282413


    Coming from the perspective of a company that has received these…

    If we did not contract you to do this and we detect you, we file a complaint. If you are a company that is doing this, we contact our attorney. Individual? FBI.

    Don’t touch my network without permission. Period.

  • #282414


    I work in cyber security for a pretty big service industry company and we do semi-frequently notice “attacks” that seem to be coming from vulnerability testers. If they’re not being done through our bounty program they are treated more or less like attacks: we investigate and try to make sure that person is getting blocked. I don’t remember us ever pressing charges, but if we find out who you are we’ll shut down your account since you’re breaking the TOS.

  • #282415


    Companies sometimes have policies around ethical hacking. No idea how they are made public, but I know our company allows ethical hackers on a few specific websites which were chosen so that there can’t be operational impact on the critical business sites.

  • #282416


    I mean, you can for sure make a business out of this, but just hacking to tell them their vulnerabilities without asking them beforehand might lead to charges against you.

  • #282417


    What do you mean by being attacked? General scanning is not taken as helpful, but AFAIK if you have a specific flaw, at the very least the IT guys will feel very glad.

  • #282418


    I feel like (and this might be an unpopular opinion) if you use software every day you should be allowed to check its security; if you report it and don’t use it maliciously there shouldn’t be a problem. Even if you aren’t a regular user, you’re making yourself and others safer.

  • #282419


    I think it really depends on the company. If it’s a large corporation and the vulnerability you find doesn’t really cause any real damage I don’t think they’d necessarily press charges but they might not care to praise you either. If it was a small company however, they might sue to make a point or make money out of the incident. I think the safest bet if you don’t have any ill intention is to only ever hack into a system with permission. After all, why would you need to be secret if you don’t intend on causing any harm?
