Greyhats and especially bug bounty programs, pen testers, etc., have explicit authorization from the owners of the systems to access their systems and perform ethical hacking with a mutually beneficial goal: hackers get paid, and the company gets a little bit less of an attack surface. That’s not illegal.

What’s illegal is accessing a computer system without the authorization of the owners of the computer system. Technically speaking, port scanning the internet is illegal hacking, as you are not authorized to scan each port number on any of those machines. Ever find a random IP and give port 22 a few random tries over ssh to see if the root password is “guest”? You just committed a federal offense, because you were not authorized to access and attempt to log in to that system. Is anyone going to report port scans to the FBI? Failed ssh login attempts? (Use a VPN/Tailscale and don’t expose ssh to the internet anyway.)

I often wonder where “knowing” someone’s password and “hacking” their social accounts falls in this discussion. You see or hear about it all the time: “So and so hacked my page.” If you have someone’s FB login info and they have no idea that you do, you may have permission to access FB, as everyone does if you accept their TOS, but you don’t have the account owner’s permission to access their account, and if FB knew it wasn’t the account owner, they would not allow that either. So if they don’t allow that, you’re likely violating their TOS, and no longer allowed to access their systems, so maybe it could technically be able to be prosecuted as illegal hacking, idk.
It sounds to me like you're describing whitehat. Greyhats do these things without authorization, but also without malicious intent.
https://en.wikipedia.org/wiki/Grey_hat