Guidelines for ethical hackers

Benevolent hackers, who uncover vulnerabilities in the IT systems of state-owned or multinational companies for the public good, without harmful intention or financial interest, calling attention to deficiencies potentially affecting the rights and interests of thousands, often still end up being prosecuted rather than thanked. In this guide, we would like to provide advice to ethical hackers on how to avoid being reported and prosecuted. We have provided legal representation in several criminal procedures against ethical hackers, and in our experience, you, as an ethical hacker, can do a great deal to convince the court as well as the public that you acted with good intentions. If you follow our advice, it will be easier for you in court.

There is no clear consensus on who counts as an ethical hacker. According to some, only certified ethical hackers with a relevant degree, who act on the explicit request of a client or employer may be labeled ethical—others believe that this is an unnecessarily narrow definition. In this guide we use the term “ethical hacker” to describe anyone who follows the rules set out below, regardless of their education or whether they have a contract—as doing so in itself proves that the hacking was benevolent and done in the public interest.

Advice for success in future defence:

1. Do not look for vulnerabilities for your own advantage; hacking should always be done in the public interest (e.g., the discovered vulnerabilities give unauthorized persons access to personal data; a vulnerability results in the wasting of public funds, etc.). Of course, you do not necessarily have to offer to fix the vulnerability for free, but it is much harder to defend yourself if you were hacking solely for your own financial gain and not out of concern for the public good.

2. Document precisely when and what you do. Document precisely how you found a vulnerability and why you started to look for the given vulnerability or weakness in the first place. It is best if these motives are themselves in the public interest.

3. Do not try to erase your tracks! On the contrary: if you change data, document it; note every step of the changes, demonstrating that it is your conscious choice not to hide, and that you did not enter the system maliciously.

4. Forward the vulnerabilities and weaknesses you found to the competent decision makers as soon as you can. Do not condition the presentation of these vulnerabilities. Most importantly, do not blackmail the decision makers because this obviously constitutes a crime. Uncover the vulnerability in full, so that the competent professionals can begin fixing it. If you do not fully uncover the vulnerability, document why you were unable to do so, because a partial presentation may seem like blackmail.

5. Also document accurately when and how you communicated the vulnerability, and what the reactions to it were. If you meet a decision maker in person, make a memo of the meeting, and send it to the other party for approval.

6. Always show the vulnerabilities to the decision maker who is the most directly involved first. Contact the superior decision makers (such as the parent company of the affected firm) only if you were unsuccessful at the lower levels. If you do so, it is easier to prove that you were motivated by solving the problem, not by blackmail.

7. Do not hack unnecessarily! If you called a decision maker's attention to a vulnerability or weakness in a well-documented way, wait for their reaction. Just because a decision maker has contacted you and may even have discussed the vulnerability with you already, do not feel entitled to continue testing their system. Only do so if you have been asked explicitly in a well-documented way. After you have communicated the vulnerability, fixing it is the task of those involved; if you want to return later to continue testing or just to see whether the vulnerability has been fixed, it will be very hard to invoke the public good as an argument in your defense.

8. If you are expressly asked not to carry out further tests, then promptly discontinue any hacking activity.

9. Only turn to the public if your efforts to inform those concerned were unsuccessful, and you can verify that the vulnerability has not been fixed despite giving the competent bodies reasonable time to do so, and if the failure to fix the vulnerability presents a greater danger to the public interest than its public disclosure.

10. If you make your findings public, think about what exactly you want to share about the security risk. Do not share any procedure, information, or code that a malicious hacker could use to access the vulnerability. Try to describe the problem vaguely, in a general way, so that the public can understand the nature of the risk, but do not make it easier for anyone to abuse this information.

11. Get to know as little personal data as you can, do not look for it intentionally, and do not, under any circumstances, make copies of it! Do not access your acquaintances’ data, either, even if they have given you their consent. If accessing personal data is nevertheless unavoidable, only do so if you are able to prove that the person concerned has given their consent. Often the best solution is to register at the given service provider and test your own account.

12. Do not try to obtain classified information, i.e. state secrets; and especially do not share them with the public!

13. Choose wisely when deciding where to look for vulnerabilities! In the case of government bodies, if you have acted in line with our advice, you may qualify as a whistleblower, depending on the laws of your country; if your country indeed protects whistleblowers, then you cannot be held responsible for disclosing the vulnerability to the concerned entity. A similar line of argument can be applied in the case of bigger private companies too: the greater the number of people who benefit from your reporting your findings to the company, the more probable it is that you can invoke the public interest in your defense. The opposite is also true: hacking into the corner florist’s orders is hard to defend in court. Do as much research as possible on your rights as a whistleblower!

You have to know that unauthorised penetration testing is almost certainly a criminal offence, so if the hacked organisation reports you, you will definitely be prosecuted. However, if you comply with the above rules, it will be much easier to prove that you acted with good intentions, and that your actions were not dangerous to society—on the contrary: that ultimately they served the public interest.
