Where white hat hackers work alongside organisations and take part in things like bug bounty programs, there's another type of hacker that's a shade darker. Grey hat hacking sits, predictably, somewhere in between white and black hat hackers, in the nebulous grey area. But what is a grey hat hacker?

What's the difference between white, grey, and black hat hackers?

The coloured hat concept stems from a trope in old spaghetti Western films, where black and white hat symbolism was used to make it easier for audiences to recognise the characters. The 'good guy' would generally wear a white hat, whereas the 'bad guy' would wear a black hat. Thankfully, audiences no longer need such obvious signs to tell them who's who, but it does give us a good basis for the 'good' and 'bad' when it comes to hacking.

To make it clear what a grey hat hacker is and what they do, we first need to clarify the differences between white and black hat hackers.

What is a white hat hacker?

The key difference between each of the figurative hats a hacker may wear is their intention. White hat hackers, also known as ethical hackers, have good intentions. In this context, it means they work to help patch up any holes in a site or network's security, rather than exploit them for personal gain.

White hat hackers have all of the required knowledge to exploit software, networks, or systems, but choose to use their powers for good, working alongside organisations rather than against them. A white hat hacker will look for and try to exploit vulnerabilities, but only with the permission of their target. They will then inform the company of the issue and help to resolve it, potentially saving them millions.

White hat hackers are so critical to robust security, that many larger companies actively encourage white hat hacking as an organic way of testing the security of their systems. They support the work of these ethical hackers by offering bounties on bugs, rewarding them for disclosing any vulnerabilities they find. White hat hackers can even earn an official "Certified Ethical Hacker" (CEH) certification, to help them stand out as an effective, conscientious hacker.

What is a black hat hacker?

In contrast to their white hat counterparts, black hat hackers often have far more nefarious intentions. Black hat hackers search for bugs and vulnerabilities in software and systems' security, hoping to exploit them for their own ends. Regardless of their intentions however, black hat hackers are criminals who operate outside of the law.

Black hat hacking is often motivated by financial gain, such as holding sensitive data or information around vulnerabilities to ransom. They may also release malware that destroys files and data, or steals personal information such as credit card details - a common tactic used by organised crime.

If you've read about a significant data breach in the headlines recently, it's more than likely that black hat hackers were involved. This could be a phishing attack, seeking to use social engineering to exploit human psychology, the release of malicious software, or direct attacks on servers and networks.

What is a grey hat hacker?

As logic would suggest, a grey hat hacker falls somewhere between a white hat and a black hat hacker. Unlike Certified Ethical Hacking, grey hat hacking is still illegal. This is because the hacker has not received permission from the organisation to attempt to infiltrate their systems, although grey hat hackers tend not to have intentions as troublesome as their black hat counterparts.

Grey hat hacking is sometimes done in the public interest. However, quite commonly, if a grey hat identifies a flaw and points it out to a company, they will work with the hacker to fix the exploit, often rewarding them just like they would a white hat hacker. After all, if a hacker is rewarded well enough for reporting a vulnerability rather than exploiting it, they are more likely to do so.

However, the difference between a grey hat hacker and a white hat hacker is that if the company decides to ignore the advice of a grey hat hacker, the hacker isn't bound by any ethical hacking rules or an employment contract. They could decide instead to exploit the flaw themselves, or share the knowledge online for other hackers to take advantage of.

Does grey hat hacking get rewarded or punished?

As we've already said, grey hat hacking is illegal, no matter how noble their intentions may be. If you don't have permission from the target to find vulnerabilities, trying to crack a company's security is against the law. So a grey hat hacker should expect to be punished if they disclose a vulnerability to a company.

However, some companies use their bug bounty programmes to encourage grey hat hackers to report their findings, and will reward the hacker to avoid the wider risk of them using the vulnerability for their own gain. But this is relatively rare, and getting the company's permission is the only way for a grey hat hacker to guarantee that they're staying within the law.

For more expert insight, take a look at the latest from our blog.

Or, if you'd like to invest in your organisation's cybersecurity, take a look at our range of ISO 27001 certified Cloud Servers. With full root access, custom firewall policies, and server snapshots available, your data will be in safe hands.