Ethical Hacking Ethics
Guidance for ethical hacking: bug bounties, pentesting, and security research.
When to Use This Skill
- Participating in bug bounty programs (HackerOne, Bugcrowd, Intigriti, YesWeHack)
- Conducting authorized penetration testing
- Performing security research on your own systems
- Evaluating legality of security testing activities
- Creating vulnerability disclosure reports
DO's - Always Do These
1. Obtain Explicit Authorization
- Get written permission before testing any system you don't own
- Verify scope - know exactly what assets are authorized
- Document authorization - keep records of written consent
- Check safe harbor status - confirm program has safe harbor policy
2. Follow Platform Rules of Engagement
- Read and understand program-specific rules before testing
- Adhere to testing timeframes specified by the program
- Use only authorized testing methods
- Report through official channels only
- Human-in-the-loop required: HackerOne requires human validation before submitting findings
3. Practice Good Faith Security Research
Access systems solely for good-faith testing, avoid harm to individuals/public, use findings to improve security.
4. Document Everything
- Keep detailed logs of all testing activities
- Capture evidence of vulnerabilities for reports
- Record timeline of discovery and reporting
- Document all communication with program owners
5. Practice Responsible Disclosure
- Report vulnerabilities promptly through official channels
- Allow reasonable time for remediation before disclosure
- Coordinate disclosure with affected organization
- Follow platform-specific disclosure guidelines
6. Respect Data Privacy
- Minimize data access to only what's necessary for testing
- Don't store or share personal data discovered during testing
- Report data exposure vulnerabilities without exploiting them
- Follow GDPR and local data protection laws
DON'Ts - Never Do These
1. Never Test Without Authorization
- Never access systems without explicit permission
- Don't assume permission - verify scope explicitly
- Never test "out of scope" assets even if you find them
- Don't exceed authorized access - stay within defined boundaries
Legal risk: CFAA (US) and CMA 1990 (UK) prohibit unauthorized access. Penalties include imprisonment.
2. Never Cause Harm
- Don't modify or destroy data during testing
- Never create backdoors or permanent access mechanisms
- Don't disrupt services or availability
- Never exfiltrate data beyond what's necessary for proof
3. Never Blackmail or Extort
- Never threaten to publish vulnerabilities for payment
- Don't use vulnerabilities for extortion
- Never demand bounties as condition for not publishing
- Result: Permanent platform ban + potential criminal charges
4. Never Disclose Prematurely
- Don't publish vulnerability details before remediation
- Never share findings with third parties without permission
- Don't post proof-of-concept code publicly without coordination
- Never disclose program existence for private programs
5. Never Use Deceptive Practices
- Don't impersonate authorized security researchers
- Never falsify vulnerability reports or evidence
- Don't misrepresent your identity or affiliation
- Never submit false reports for rewards
6. Never Violate Privacy Laws
- Don't access personal data beyond testing scope
- Never store or share PII discovered during testing
- Don't bypass privacy controls beyond what's necessary
- Follow GDPR/data protection requirements
Scope Verification Checklist
Before beginning any testing, verify:
- Authorization Document: Written permission to test?
- In-Scope Assets: All authorized targets identified?
- Out-of-Scope Assets: Know what's explicitly prohibited?
- Testing Methods: Required or prohibited techniques?
- Time Restrictions: Designated testing windows?
- Safe Harbor: Program has and honors safe harbor policies?
- Reporting Channel: Know official vulnerability submission process?
- Disclosure Policy: Understand when/how you can publish findings?
Authorization Types
| Type | Authorization | Safe Harbor | Notes |
|---|---|---|---|
| Bug Bounty | Implicit via program | If offered | Follow program rules |
| Pentest | Written contract/SOW | Per contract | May require NDA |
| VDP | Program invitation | Varies | Usually no rewards |
| CTF | Competition rules | Within boundaries | Legal only in competition |
Authorization Best Practices
- Always get it in writing - verbal authorization is insufficient
- Define scope explicitly - "everything except X" is too vague
- Specify time boundaries - testing windows and deadlines
- Include escalation procedures - what to do if issues arise
Responsible Disclosure Process
- Validate - Reproduce issue, document PoC, assess severity, check for duplicates
- Submit - Use official channels, include description + steps + impact + remediation
- Coordinate - Allow validation time, respond to questions, agree on timeline
- Verify - Confirm fix applied, test that vulnerability is remediated
- Disclose - Per agreed terms (coordinated, limited, full, or non-disclosure)
Red Lines - Violation Severity
| Severity | Violations | Consequence |
|---|---|---|
| Critical | Unauthorized access, data theft, service disruption, extortion, social engineering, physical breach | Permanent ban + legal action |
| Severe | Premature disclosure, prohibited techniques, third-party sharing, withholding details | Warnings + potential ban |
| Minor | Unintentional scope violation, incomplete reports, format issues | Education + warning |
When to Stop and Escalate
Stop Immediately If:
| Situation | Action |
|---|---|
| Outside scope | Halt, document, report, await guidance |
| Sensitive data exposure | Stop exploration, don't download, report immediately |
| Service disruption (or near) | Stop, document, report, await instructions |
| Asked to stop | Cease all activities, get written confirmation |
Escalate When:
- Legal questions - Consult legal counsel
- Disputes - Request platform mediation
- Unresponsive programs - Follow platform escalation procedures
- Criminal activity discovered - Report to authorities
- Safety concerns - Escalate if human safety at risk
Legal Framework Summary
| Jurisdiction | Law | Key Points |
|---|---|---|
| US | CFAA (18 U.S.C. § 1030) | Prohibits unauthorized access. Van Buren (2021) narrowed scope. |
| UK | CMA 1990 | No "good faith" defense. Section 1: up to 2 years. No safe harbor equivalent. |
| EU | GDPR | Legal basis required for data. Report breaches within 72 hours. |
Other jurisdictions: Canada, Australia, Germany, France, Japan have similar laws. Research local laws before international testing.
Standards Compliance
| Standard | Use Case | Reference |
|---|---|---|
| PTES | General pentesting (7 stages) | pentest-standard.org |
| OWASP WSTG | Web application testing | owasp.org/wstg |
| NIST SP 800-115 | Government/compliance testing | csrc.nist.gov |
| OSSTMM | Metrics-based security testing | isecom.org |
Platform Quick Reference
| Platform | Safe Harbor | Disclosure | Key Requirement |
|---|---|---|---|
| HackerOne | Gold Standard (GSSH) | Program-specific | Human-in-the-loop validation |
| Bugcrowd | Disclose.io framework | Coordinated/Custom/Non | Secure POC sharing |
| Intigriti | Varies | Coordinated | GDPR compliance |
| YesWeHack | Varies | Program-specific | Follow program brief |
Platform Docs: HackerOne | Bugcrowd | Intigriti | YesWeHack
Certifications Reference
| Certification | Focus | Ethics Requirement |
|---|---|---|
| OSCP | Practical exploitation | Legal boundaries, documentation |
| CEH | Theory + practical | Code of ethics required |
| GPEN | Advanced pentesting | Legal/ethical training |
| CREST/CHECK | UK government schemes | Background checks, conduct codes |
| PCI-DSS | Cardholder data environments | Qualified assessor, documentation |
References
Platforms: HackerOne Docs | Bugcrowd Docs | Disclose.io
Standards: PTES | OWASP WSTG | NIST SP 800-115
For detailed reference material, see the references/ directory.