We've previously described bug bounty programs and white hat hackers, but there’s another type of hacker that’s a shade darker. Grey hat hacking sits, predictably, somewhere between the white and black hat hackers, and occupies a grey area. But what is a grey hat hacker?

What is the difference between white, grey and black hat hackers?

The coloured-hat concept stems from a trope in old spaghetti Western films where, to make it easier for the audience to recognise the characters, the ‘good guy’ would wear a white hat, and the ‘bad guy’ would wear a black hat. Thankfully, we’ve moved on enough that we don’t need such obvious signs to tell us who’s who, but it gives a good basis for the ‘good’ and ‘bad’ when it comes to hacking.

To make it clear where a grey hat hacker falls, we need to clarify what black hat and white hat hackers do.

What is a white hat hacker?

The key behind the figurative hat a hacker wears is their intention. White hat hackers have good intentions – in this context, that means that they don’t look to exploit their findings for personal gain.

Instead, a white hat hacker will look for vulnerabilities and try to exploit them only when they have permission from the target company – who they then inform of the issue. This gives the company time to patch the vulnerability before anyone else finds out, and can save them millions.

They’re so critical, in fact, that larger companies often encourage white hat hacking as a way of organically testing the security of their systems. They support this with bug bounty programmes that reward the hackers for disclosing their findings.

White hat hackers have all of the knowledge required to exploit software, networks, or systems, but choose to work with the owner instead of against them. In fact, white hat hackers are commonly employed by companies as security experts, and can even earn an official “Certified Ethical Hacker” (CEH) certification which shows them to be effective and conscientious hackers.

What is a black hat hacker?

Again, this depends on the intentions of the hacker. A black hat hacker searches for bugs and vulnerabilities in software and systems, but almost always with more nefarious intentions.

When a black hat hacker finds a gap in a system’s security, they choose to exploit it rather than notify the owner, and depending on the system, this exploit could have disastrous and wide-ranging consequences.

Their primary motivation is usually personal or financial gain, such as holding data, or information about the vulnerabilities themselves, to ransom. They also might support a cause that their target opposes, motivating them to cause damage. They operate well outside of the law.

What is a grey hat hacker?

As logic would suggest, a grey hat hacker falls somewhere between white hat and black hat hackers. Unlike Certified Ethical Hacking, grey hat hacking is still illegal, as the hacker has not received permission from an organisation to attempt to infiltrate their systems, but the intentions of grey hat hackers aren’t as troublesome as their black hat counterparts.

Grey hat hacking is sometimes done in the public interest, and quite commonly, if a grey hat identifies a flaw and points it out to a company, the company will work with the hacker to fix it – often rewarding them just as they would a white hat. If a hacker is rewarded well enough for reporting a vulnerability rather than exploiting it, they are more likely to report it.

However, the difference between grey hat hackers and white hat hackers is that if the company decides to ignore a grey hat hacker, the hacker isn’t bound by ethical hacking rules or an employment contract. They could decide instead to exploit the flaw themselves, or share the knowledge online for other hackers to take advantage of.

Do grey hat hackers get rewarded or punished?

As we’ve already said, grey hat hacking is illegal, regardless of the intention. If there isn’t permission from the target to find vulnerabilities, trying to crack a company’s security is against the law. So a grey hat hacker should expect to be punished for disclosing a vulnerability to a company.

However, some companies use their bug bounty programmes to encourage grey hat hackers to report their findings, and will pay the bounty to avoid the wider risk of having the hacker use the vulnerability for their own gain. But this is relatively rare, so getting the company’s permission in advance is the only way to guarantee that a hacker stays within the law.