Ethics & Boundaries¶
Let's get real about the legal and ethical side of security work
Because the grey areas multiply fast and "I didn't know" doesn't work in court
The Three Colors¶
Security folks love talking about hat colors like it's a fashion choice
It's not
- Black Hat — breaking into shit without permission for personal gain
  This isn't "cool", this is "enjoy your federal prison sentence" (CFAA counts carry multi-year maximums, and they stack)
- White Hat — authorized testing with clear scope and contracts
  This is professional security work
- Grey Hat — the dangerous territory where "I was just looking" meets CFAA violations
Most people who end up in legal trouble started here
The Golden Rule¶
Get written authorization before testing anything
Not verbal, not "they said it was cool in Discord", not "I'm pretty sure my bug bounty scope covers this"
Written authorization:
* Specifies exactly what you can test
* States when you can test
* Defines what constitutes a valid finding
* Names who authorized the testing
* Includes emergency contacts
Bug Bounty Gotchas¶
Bug bounty programs are NOT a blanket license to hack
Read the scope carefully:
* Some programs exclude specific subdomains
* Social engineering is almost always out of scope
* Physical testing is usually off-limits
* Third-party services used by the target may be out of scope
* Rate limiting abuse often violates terms

```
# Before sending a single packet, check:
# - Is this domain/subdomain in scope?
# - Are automated scanners allowed?
# - What's the response time expectation?
# - Are there any types of testing explicitly forbidden?
```
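The "is this host in scope?" question is the one that gets answered wrong most often, usually because someone checked `hostname.endswith("example.com")` and happily scanned `notexample.com`. The script below is an added example (not from the original page, not from any bounty platform) that turns a scope list into a yes/no decision before anything is sent. The scope format it assumes (a list of include patterns and a list of exclude patterns, where `*.` means any subdomain depth) is an assumption for illustration; real programs publish scope in their own wording, so adapt the patterns to what your program actually says. Exclusions always win, anything not explicitly included is out, and matching is done on label boundaries.

```python
"""Scope checker: decide whether a host is in scope before testing it.

Added example, not from the original page. The scope format (include and
exclude pattern lists, '*.example.com' meaning any subdomain depth) is an
assumption for illustration; adapt it to your program's published scope.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Scope:
    include: list[str] = field(default_factory=list)
    exclude: list[str] = field(default_factory=list)


def _normalize_host(target: str) -> str:
    """Accept a bare hostname, host:port, or a URL; return the lowercase hostname."""
    if "://" not in target:
        target = "//" + target          # let urlsplit handle host:port/path
    host = urlsplit(target).hostname or ""
    return host.lower().rstrip(".")     # 'EXAMPLE.COM.' -> 'example.com'


def _matches(host: str, pattern: str) -> bool:
    """Match a host against one scope pattern on label boundaries.

    '*.example.com' matches any subdomain of example.com (any depth) but
    not example.com itself and not notexample.com. A naive endswith()
    check would accept notexample.com; the leading dot in the suffix is
    what prevents that. A pattern without a wildcard must match exactly.
    """
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]            # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def in_scope(target: str, scope: Scope) -> tuple[bool, str]:
    """Return (decision, reason). Exclusions beat inclusions; default is out."""
    host = _normalize_host(target)
    if not host:
        return False, "could not parse a hostname"
    for pat in scope.exclude:
        if _matches(host, pat):
            return False, f"excluded by '{pat}'"
    for pat in scope.include:
        if _matches(host, pat):
            return True, f"included by '{pat}'"
    return False, "not listed in scope"


def check_targets(targets: list[str], scope: Scope) -> dict[str, tuple[bool, str]]:
    """Evaluate a batch of candidate targets before feeding them to any tool."""
    return {t: in_scope(t, scope) for t in targets}


# Constructed sample scope, shaped like a typical program page (not a real program).
SAMPLE_SCOPE = Scope(
    include=["*.example.com", "example.com", "app.example.org"],
    exclude=["*.corp.example.com", "status.example.com"],
)

if __name__ == "__main__":
    candidates = [
        "api.example.com",
        "https://example.com/login",
        "notexample.com",               # suffix lookalike, must be OUT
        "vpn.corp.example.com",         # excluded internal range
        "status.example.com",           # excluded (commonly a third-party status page)
        "app.example.org:8443/admin",
        "dev.example.org",              # never listed, default OUT
    ]
    for target, (ok, why) in check_targets(candidates, SAMPLE_SCOPE).items():
        print(f"{'IN ' if ok else 'OUT'}  {target:32s} {why}")
```

Run it before pointing a scanner at a host list, not after. Two caveats the code makes visible: `*.corp.example.com` does not exclude `corp.example.com` itself, so if the program means the apex too, list it explicitly; and a hostname check cannot tell you that `cdn.example.com` is really a third-party provider's infrastructure, which is exactly the "third-party services may be out of scope" item above, so read the program text for that rather than trusting DNS names.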
Responsible Disclosure Timeline¶
| Step | Timeframe |
|---|---|
| Discovery | Day 0 |
| Initial notification | Day 0-1 |
| Technical details shared | Day 1-3 |
| Vendor acknowledges | Day 3-7 |
| Remediation window | 90 days is the common default (CERT/CC uses 45, some programs negotiate up to 120) |
| Coordinated public disclosure | After fix deployed |
If the vendor ghosts you:
* Send a follow-up at 30, 60, 90 days
* Notify CERT/CC or CISA at 90 days if no response
* Publish after fix or at 120 days
Never drop 0-days without coordination
That's how people die (literally, in some cases)
Common Ethical Traps¶
"I was just proving a point"¶
No , you were accessing systems without authorization
Showing someone their security is weak doesn't make it legal to break in
"The door was open"¶
An unlocked door doesn't mean you're allowed to walk through it
This isn't a legal defense and it's pathetic to pretend it is
"Everyone does it"¶
That's not a defense that holds up in any context
If everyone on your team is violating scope, your team has a culture problem
"I found the bug by accident"¶
Doesn't matter
Accidentally stumbling into someone's house is still trespassing
The Professional Standard¶
- Transparency — tell clients exactly what you're doing
- Confidentiality — findings stay between you and the client until disclosure
- Integrity — don't inflate findings or fake evidence
- Accountability — if you break something, own it
- Competence — don't test things you don't understand yet
When Things Go Wrong¶
If you accidentally access data you shouldn't have:
- Stop immediately
- Document exactly what happened (timestamps, commands, access)
- Notify the client/point of contact
- Do NOT copy, save, or share the data
- Follow their instructions for remediation
```
# If you accidentally pull sensitive data during recon:
# Stop the scan, save the log, and contact your POC
# Do NOT grep the output for interesting things
# Do NOT save it to your notes
```
This isn't about being a hero
It's about being a professional who doesn't end up in headlines for the wrong reasons
One More Thing¶
The legal landscape is constantly shifting
What was acceptable testing methodology 5 years ago might get you sued today
- Different countries have different cybercrime laws
- CFAA interpretations change with court rulings
- Bug bounty safe harbors vary by platform
- Export controls (the Wassenaar-derived rules on "intrusion software" and cryptography) can restrict which tools and crypto you may carry or share across borders
Stay informed, stay careful, and when in doubt — get it in writing