by amelius 1954 days ago
Yes, this is called white-hat or ethical hacking, a well-established concept even at the government level.
2 comments

I was going to leave this alone, but it's important to point out that this is not white hat.

This would still be black hat (or arguably grey hat).

White hat would have been realizing the possible problem and informing the company without actually making the account (or only making the account to prove the link, but not taking money from anyone).

You could possibly argue that if the author "cheated himself" only, that's okay, e.g. paid themselves through Patreon, assuming the author eats the cost difference and doesn't refund.

The author actually defrauded unaware visitors, intentionally. He has caused harm to them, to Patreon (financially or in goodwill/name), and to the money transfer networks; this is at a minimum grey hat. Sure, the end user donating was made whole, but other business entities were harmed. Someone eats that transaction fee.

No it isn’t. White hats are very careful to ensure that their work does not affect other people. “I gave the money back” isn’t good enough.
This is not always possible, however. How should the hacker have proceeded in this case?
By stopping. If it is not possible for you to penetrate a service without causing disruption or harm to others, then you stop. You could reach out to the business and say "hey, you should consider checking this out" or ask if they offer some sort of test system for pentesters. But sometimes the result is just to not proceed at all.
If he'd _needed_ to test payment (arguable), he could have created a 'real' account, deleted it, squatted his own deleted account, and sent payments to it himself.
Pushing beyond the account creation step wasn't necessary. Enabling the payment functionality is where it deviated into black hat territory.