A grey hat is a computer security specialist who acts as a hacker in an attempt to penetrate the security of a particular system or network. This type of hacker is usually not acting with malicious intent, but instead treats these attacks as research. If a flaw is found in the security of the network, then this type of hacker usually informs the owners of that network or system of the nature of the flaw. A grey hat is not someone authorized to attempt to hack into a system, however, so his or her activities may be illegal.
The term “grey hat” stems from the use of the terms “black hat” and “white hat” within the computer security and hacker community. All three terms refer to a type of hacker, a person who uses computer programs and various methods to attempt to circumvent security of a network or computer system. A white hat is a hacker employed by a company or organization and authorized to attempt to hack into that group’s system to look for flaws or security risks. In contrast to this, a black hat hacker is someone who hacks into systems without authorization and with malicious intent.
A grey hat is a hacker who falls somewhere between these two groups. This means he or she typically hacks into systems that he or she is not authorized to access, which makes such hacking potentially illegal. If the grey hat hacker does find a security flaw or similar issue, then he or she typically notifies the company or organization about this flaw so that security can be improved. The exact way in which the hacker notifies the group, however, can vary since some companies may pursue legal action against the grey hat hacker.
This type of notification usually places a grey hat hacker somewhere on the spectrum between full disclosure and private use. Full disclosure refers to notifying the general public about a security flaw, which reaches both potential hackers and the company that has the flaw. In contrast to this, private use describes black hat hackers who find a flaw, fail to notify the company about it, and instead use the information for private, often malicious, purposes. A grey hat hacker typically chooses a course between these two options, notifying the organization about the flaws it has before releasing information to the general public.