As well as bug bounty programs and white hat hacking, there’s another type of hacker that’s a shade darker. Grey hat hacking sits, predictably, somewhere between white and black hat hacking, and occupies a grey area. But what is a grey hat hacker?
What is the difference between white, grey, and black hat hacking?
The coloured-hat concept stems from a trope in old spaghetti Western films where, to make it easier for the audience to recognise the characters, the ‘good guy’ would wear a white hat, and the ‘bad guy’ would wear a black hat. Thankfully, we’ve moved on enough that we don’t need such obvious signs to tell us who’s who, but it gives a good basis for the ‘good’ and ‘bad’ when it comes to hacking.
To make it clear where a grey hat hacker falls, we first need to clarify what black hat and white hat hackers do.
What is a white hat hacker?
The key behind the figurative hat a hacker wears is their intention. White hat hackers have good intentions – in this context, that means that they don’t look to exploit their findings for personal gain.
Instead, a white hat hacker will look for vulnerabilities and try to exploit them only when they have permission from the target company – who they then inform of the issue. This gives the company time to patch the vulnerability without anyone else finding out, and can save them millions.
These individuals are so critical, in fact, that larger companies often encourage white hat hacking as a way of organically testing the security of their systems. They support this with bug bounty programmes that reward the hackers for disclosing their findings.
A white hat hacker has all of the knowledge required to exploit software, networks, or systems, but chooses instead to work with the owner rather than against them. In fact, white hat hackers are commonly employed by companies as security experts, and can even earn an official “Certified Ethical Hacker” (CEH) certification, which proves them to be an effective and conscientious hacker.
What is a black hat hacker?
A black hat hacker searches for bugs and vulnerabilities in software and systems, but almost always has more nefarious intentions.
When a black hat hacker finds a gap in a system’s security, they often choose to exploit it rather than notify the owner. Depending on the system, this exploitation could have disastrous and wide-ranging consequences.
Black hat hacking is usually for personal or financial gain, such as holding data or information around vulnerabilities to ransom. They also might support a cause that their target opposes, motivating them to cause damage. Black hat hacking operates well outside of the law.
What is a grey hat hacker?
As logic would suggest, a grey hat hacker falls somewhere between a white hat and a black hat hacker. Unlike Certified Ethical Hacking, grey hat hacking is still illegal, as the hacker has not received permission from the organisation to attempt to infiltrate its systems, but the intentions of a grey hat hacker aren’t as troublesome as those of their black hat counterparts.
Grey hat hacking is sometimes done in the public interest. However, quite commonly, if a grey hat identifies a flaw and points it out to a company, the company will work with the hacker to fix the flaw – often rewarding them just as they would a white hat hacker. If a hacker is rewarded well enough for reporting a vulnerability rather than exploiting it, they are more likely to do so.
However, the difference between a grey hat hacker and white hat hacker is that if the company decides to ignore a grey hat hacker, the hacker isn’t bound by ethical hacking rules or an employment contract. They could decide instead to exploit the flaw themselves, or share the knowledge online for other hackers to take advantage of.
Does grey hat hacking get rewarded or punished?
As we’ve already said, grey hat hacking is illegal, regardless of the intention. If there isn’t permission from the target to find vulnerabilities, trying to crack a company’s security is against the law. So a grey hat hacker should expect that they could be punished when disclosing a vulnerability to a company.
However, some companies use their bug bounty programmes to encourage grey hat hackers to report their findings, and will pay the bounty to avoid the wider risk of the hacker using the vulnerability for their own gain. But this is relatively rare, and getting the company’s permission is the only way for a grey hat hacker to guarantee that they’re staying within the law.