Grey-hat hacking is a grey area.

The Electronic Frontier Foundation (EFF) offers the following on their Grey Hat Guide page:

“There are no easy answers for the ethical hacker who has wandered off the straight and narrow into the legal thicket of computer offense laws.”

They go on to say that “because the regulatory regime is complicated and non-intuitive, security researchers may have more reason to worry about legal challenges than other scientists. Potentially, a researcher may unintentionally violate the law through ignorance or misplaced enthusiasm, or an offended party can stretch or misuse the law to challenge research that casts its products or services in a negative light.”

As with any in-depth discussion on the matter, it wouldn’t be complete without the appropriate legal disclaimer:

“This is why we recommend that security researchers consult with an attorney before doing potentially risky research.”

Do you know the difference between a white-hat hacker and a grey-hat hacker?

According to the contributors on its Wikipedia page, “grey hat” refers to a “computer hacker or computer security expert who may sometimes violate laws or typical ethical standards, but does not have the malicious intent typical of a black hat hacker.”

“The white hat breaks into systems and networks at the request of their employer or with explicit permission for the purpose of determining how secure it is against hackers.”

As for grey hats, “when they discover a vulnerability, instead of telling the vendor how the exploit works, he or she may offer to repair it for a small fee.” This is known in some circles as a bounty.

Grey hat exploits can reach the top of an organization. Many were surprised when a grey hat from Palestine, Shreateh, using an old laptop with broken keys and a questionable battery, penetrated Mark Zuckerberg’s Facebook page with an unexpected post, as CNN reported in 2013. He had attempted to inform Facebook of the bug beforehand, but was largely ignored.

It probably wasn’t a surprise that, “because he violated Facebook’s terms of service by hacking the pages of other users,” Shreateh was not eligible for the reward offered in Facebook’s White Hat program.

“I could sell (information about the flaw) on the black (hat) hackers’ websites and I could make more money than Facebook could pay me,” he said in an interview with CNN. “But for me — I am a good guy. I don’t deal with the black (hat) stuff.” Shreateh was hoping his tip would lead to a reward from Facebook.

At the time, Facebook was unwilling to compensate the grey-hat hacker. So, security researcher Marc Maiffret launched an online GoFundMe campaign, which ended up yielding more than $13,000, well over the goal of $10,000. Since then, The Verge reported just last December that Shreateh has in fact been rewarded for ten other instances of uncovering vulnerabilities on Facebook since exploiting Zuckerberg’s Wall.

However, LinkedIn wasn’t so hot on compensation when the ethical hacker uncovered yet another vulnerability on its site. LinkedIn has since replicated and addressed the vulnerability after The Verge contacted the company about the story. A spokesman for LinkedIn told The Verge that “The issue had the potential to impact users only if they responded to a phishing email from an attacker and then entered their credentials. We do not believe any exploitation has occurred. We value our hard-earned and well-established track record of working with security researchers to protect our members.”