by throwawaygh 1631 days ago
> Is it common, now or historically

Historically: yes.

Now: no.

> possibly criminal

Sans some sort of formal agreement (which platforms like HackerOne might facilitate), it's definitely criminal. (IMO at least not unethical, to be clear.)

Again, sans some sort of contract, either one-off or platform-based. If SEGA wanted a prosecution, they would almost certainly be able to convince a prosecutor to press charges. The prosecutor would certainly get a guilty verdict. (Or, much more likely, a guilty plea with a bit of prison time and stiff probation.)

This still happens from time to time in much more ambiguous situations. E.g., https://www.nytimes.com/2021/10/15/us/missouri-st-louis-post...

Fortunately, there's a bit of a gentleman's detente among reasonable white hats and reasonable companies. But if you venture much outside of the small set of companies who rely on and have technologists in senior leadership, the story changes fast.

2 comments

That detente's boundaries may be somewhat vague and impossible to guarantee, but you can broad-brush paint yourself into a safer box with these four principles:

- Don't make humiliating changes to their content

- Don't mess with their userbase

- Don't leave undocumented backdoors

- Don't damage production

If you do your best to comply with those principles, then you can make a strong argument to a judge/jury that your behavior was without malice, which will notably improve your chances of survival if someone decides the usual detente isn't palatable.

I used to do this white hat hacking back in the day: modify a page on the web server, send a link to the admin with the exploit walkthrough.

It's a dangerous game to play now, though. You're basically betting the company you tested your PoC on would rather avoid the negative PR of filing charges against you, vs. a bunch of non-technical suits who just want to see you do 150 years in Sing Sing.