If hackers want to help you, don’t reject them.
Red, white, gray, and black hats
Here is a short explanation, but be aware these are generic names inspired by old western movies!
Hackers are of all kinds, genders, and ages. Forget about the hoodie, the darkroom, and the need for recognition. Not that the cliché never happens, but remember it’s a stereotype.
Anyway, not all hackers are cybercriminals. White hats or “ethical hackers” use their skills to test and ultimately improve security for various organizations and people. For example, banks and medical services can be involved.
They use the same techniques as gray and black hats to infiltrate systems. Black hats are known for their dark intentions. I would describe gray hats as “not always ethical hackers.” Sometimes, they do illegal stuff.
If you’re a black hat, there’s no rule. Just don’t be caught. Otherwise, the sky will fall on your head.
Red hats would be rare, highly skilled white hats who don’t abide by the law. They don’t want to put black hats in jail. They strike cybercriminals by any means possible.
White hats are not always in the best position, and here is why.
What is “illegal” anyway?
Hmm, weird question, isn’t it? You’d be surprised how many ethical hackers have been sued when all they wanted was to help.
It’s something I often read, and it truly makes me sad.
Yes, white hats use forbidden techniques to bypass a system’s security, but they do it for a good cause. If one of them contacts you, you’re a very lucky guy, because now you know about the flaw.
Please don’t waste your time harassing them. They could have used their skills to steal your data and probably resell it; instead, they took the time to help.
Easy things you can do now
No matter how strong you think you are, you can be hacked.
If you run any online service, website, or web app, you can add a simple text file called security.txt. By convention, it lives in the .well-known folder. Google, for example, does that.
Note that if you cannot create or use this folder, you can also put the file at the root of your public folder.
This file could list helpful contacts and information for ethical hackers, which can save a considerable amount of time, and you could even get a patch very fast.
When it comes to unpatched vulnerabilities, time is essential.
If you’re not sure what you can or cannot write in this file, go to securitytxt.org.
They provide a generator and a step-by-step guide!
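As an added example (not code from this article, and not any real site’s file), here is a small Python checker for the two things a security.txt must have under RFC 9116, the RFC that now defines the file: at least one Contact field and an Expires date that has not passed. The sample file is constructed, and example.com is a placeholder.

```python
from datetime import datetime, timezone

# Constructed sample security.txt (not any real site's file) in RFC 9116 syntax.
SAMPLE = """\
# Comment lines start with '#' and are ignored
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2030-12-31T23:59:00Z
Canonical: https://example.com/.well-known/security.txt
"""

REQUIRED = ("contact", "expires")  # the two fields RFC 9116 makes mandatory
CONTACT_SCHEMES = ("mailto:", "https:", "tel:")

def parse_security_txt(text):
    """Return {field_name_lowercased: [values]}, skipping comments and blank lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:  # a line without a colon is malformed and ignored
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def _parse_time(value):
    """Parse an RFC 3339 date-time (trailing Z = UTC); reject naive timestamps."""
    if value[-1:] in ("Z", "z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError("missing time zone offset")
    return parsed

def check_security_txt(text, now=None):
    """Return a list of problems; empty means usable. `now` is an ISO 8601 string."""
    now_dt = _parse_time(now) if now else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = [f"missing required field: {f}" for f in REQUIRED if f not in fields]
    for value in fields.get("contact", []):
        if not value.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"contact has an unexpected scheme: {value}")
    for value in fields.get("expires", []):
        try:
            if _parse_time(value) <= now_dt:
                problems.append(f"file expired on {value}; researchers may ignore it")
        except ValueError:
            problems.append(f"expires is not a valid date-time: {value}")
    return problems
```

An expired file is the most common defect in practice, so run a check like this on a schedule rather than once at publication.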
Forget your ego
Many people are better, faster, stronger than you.
Sit down, be humble.
You may be the breach, even if you have some knowledge or consider yourself a specialist.
It’s harder to protect something than to destroy it. It’s easier to spot flaws than to ensure all gates are closed.
Accept help. Don’t deny the risk. You are accountable for your customers’ data.
White hats, please calm down
You know what they say, “the road to hell is paved with good intentions”. If you’re an ethical hacker, don’t try to harass or threaten business owners.
You may believe that’s the way to get faster answers and reactions, but it’s definitely not. It can turn nasty for you in the worst-case scenario.
Those security issues are very tricky, and there’s a lot of bullshit about cybersecurity. Some people might totally freak out.
Don’t abuse your ability to get into systems as a way of pitching for a job that does not exist yet. Don’t get me wrong, sometimes people don’t realize they are in danger, and they need you as a security expert or something similar, but nobody likes to be forced.
Use the appropriate vocabulary. Not all technical people can understand you, even developers. Explain and ask simple questions to evaluate the situation.
Last but not least, be particularly careful about the legal aspects. Do not hesitate to ask a lawyer before doing anything. Some companies have a shitty mindset. Besides, you may have contacted the wrong person, someone who’s not actually in charge.
Why should I give money?
It’s not uncommon to get help for free, as ethical hackers only want to prevent harmful leaks.
However, some flaws are more difficult to spot than others, and while there is no direct correlation with the level of danger, it’s not rare that a patch saves a lot of money. Why not give a small part of that to your savior?
Some companies have understood that perfectly and reward it with huge bounties.
What if it’s a lie?
Black hats can still pretend to be white hats to get what they want. As I said, there’s no rule.
On no account should you give credentials, personal information, or access to anybody who contacts you. If you’re not sure, ask gently for basic gestures of good faith.
There are brilliant minds out there who give their time to improve security for everyone. Please don’t confuse them with criminals and script kiddies.
That’s not very respectful. Don’t turn white hats gray ^^.
Instead, enjoy the help.