Hacker Tradecraft Volume 8 — The Grey Hat: The Ambiguous Middle
Acts without authorization, without malice — the L0pht era, the full-disclosure wars, the disclosure decision point, and the bug-bounty pathway that converts grey to white
About this volume. Grey hat is the most contested of the three Axis-1 stances (white / grey / black per Vol 5 §6). The actor in this volume operates without authorization but without malice — the canonical “I hacked it to prove it was broken, then I told the vendor” figure. The contest is partly definitional (industry usage drifts; the L0pht-era practitioners often reject the term as patronizing; some now-mainstream careers were built on what would today be called grey-hat work) and partly legal (under the CFAA, intent doesn’t carve a hole in the statute’s “without authorization” prong; the grey-hat act has the same legal exposure as the equivalent black-hat act). This volume threads both. The technical content overlaps heavily with Vol 6 (white hat) — same tools, same techniques — but applied to targets without the Vol 6 §1 authorization stack. The historical content overlaps with Vol 3 §6 (the Phrack / LoD / MoD / L0pht era) and Vol 4 §3 (the disclosure wars). The career-pathway content overlaps with Vol 6 §6 and forward-references Vol 18 (Careers) for the synthesis treatment. Engineer-grade prose; no operational uplift; sourced from court records, primary documents, and established journalism.
1. Definition and boundary
The grey hat operates without authorization, but without malice. Both halves of that definition do load-bearing work, and neither half does the work alone. Without authorization distinguishes the grey-hat stance from Vol 6’s authorized professional — the grey hat has no signed SOW, no scope document, no rules of engagement, no get-out-of-jail letter. Without malice distinguishes the grey-hat stance from Vol 7’s adversary — the grey hat is not in it for financial gain, espionage, sabotage, ideology-as-destruction, or grudge. The motive that fills the gap is constructive — usually framed as “this thing was broken; I demonstrated it was broken; someone needs to fix it.” The Vol 5 §6.1 Axis-1 mapping places the three stances on a single spectrum (authorized / unauthorized-constructive / unauthorized-malicious) and grey occupies the middle position by construction.
The technical signature on the wire is, as it was in Vol 6 §3 and Vol 7 §3, often identical across all three stances. The same Nmap scan against the same target produces the same packet sequence whether the operator has a signed SOW, an opinion that the target needs fixing, or an intent to monetize the access on a darknet market. The discriminator that matters legally and ethically is not in the packets; it is in the contract artifacts (white), in the intent and post-engagement disclosure (grey), and in the monetization-and-malice (black). For this volume, the inside-the-engagement question that recurs throughout is: when the technical conduct is identical to the white-hat case, what other variables do practitioners and prosecutors actually weight?
1.1 The CFAA does not have an intent carve-out for the grey-hat case
The textbook framing of “the wrong side of the line, but not for bad reasons” is harder than it looks under U.S. federal law, and this is the load-bearing legal frame for this entire volume. The Computer Fraud and Abuse Act, 18 U.S.C. § 1030, criminalizes unauthorized access (and, in some subsections, “exceeds authorized access”) to protected computer systems [1]. The statute’s operative phrase is “without authorization or exceeds authorized access” — and that phrase does not contain an intent carve-out for benevolent research. The grey-hat act, no matter how constructive the motive, is a CFAA violation when it crosses the authorization line. The intent question matters at later stages — at the prosecutor’s charging decision, at sentencing, at the court’s willingness to enforce restitution at black-hat levels — but it does not convert the act itself into a legal one.
The 2021 Supreme Court decision in Van Buren v. United States [2] narrowed the exceeds authorized access prong, restricting it to access of files or folders the defendant was not entitled to enter at all. The narrowing matters for some grey-hat edge cases — an employee who reads files outside their authorization, but inside the system they’re authorized to use, is now on safer ground under Van Buren. It does very little for the canonical grey-hat case where the actor has no authorization of any kind to the target system. The without authorization prong remains intact, and that’s the prong that catches the grey-hat researcher operating against a third-party target.
What actually shapes outcomes for grey-hat actors in 2026 is a three-part stack:
- Prosecutorial discretion. The U.S. Department of Justice’s May 19, 2022 policy revision [3] explicitly states that the department’s CFAA enforcement should not target “good-faith security research.” The policy defines good-faith security research with specific elements — research conducted to test, investigate, and/or correct a security flaw; carried out in a manner designed to avoid harm; and where the information derived is used primarily to promote the security of the affected systems. The policy is discretion, not immunity. The DoJ retains the statutory authority to prosecute; the policy directs prosecutors not to exercise it against good-faith researchers absent aggravating circumstances. A grey-hat actor who relies on the 2022 policy is relying on the DoJ’s continued forbearance, not on a statutory defense. Policy can change; line prosecutors can read facts differently than the policy contemplates; the actor can be wrong about whether their conduct qualifies as “good-faith.” Vol 4 §5.3 walked the 2022 policy revision at depth.
- Civil liability. The CFAA carries a private civil cause of action at 18 U.S.C. § 1030(g) — the company whose system was accessed can sue regardless of whether the DoJ prosecutes. Civil liability is uncapped; the affected company can pursue actual damages, restitution, and injunctive relief. The civil exposure is a separate and parallel track from the criminal exposure, and the 2022 DoJ policy does not bind private plaintiffs. The grey-hat researcher who avoids criminal prosecution by virtue of the policy can still face a civil suit by the affected company, with damages calculated on the company’s actual or claimed costs (incident response time, investigative cost, reputational damage). Several historically-significant grey-hat cases were resolved at the civil-liability layer rather than the criminal layer — the Aaron Swartz / JSTOR civil settlement (2011) is the canonical example of this configuration [4], though Swartz also faced felony CFAA charges separately.
- State law. All fifty U.S. states have computer-crime statutes; many are broader than the federal CFAA. State prosecutors operate independently of federal DoJ policy; the 2022 federal policy revision has no binding effect on state-level prosecution. A grey-hat researcher whose conduct draws state-level attention can face prosecution under state computer-crime statutes even where federal prosecutors would decline. The state-level layer is undermapped in the practitioner literature; the working assumption should be that state-level exposure exists in parallel to the federal layer.
International equivalents track the same structural pattern. The UK’s Computer Misuse Act 1990 (§1, unauthorized access; §2, unauthorized access with intent to commit further offences; §3, unauthorized modification) does not contain a research-intent carve-out either. The UK CyberUp campaign — a multi-year coalition of UK security firms (including NCC Group, Context, F-Secure UK, and others) advocating for a statutory amendment introducing a “lawful authority” defense for good-faith security research [5] — has not, as of early 2026, produced an amendment to the CMA. The UK grey-hat researcher’s legal exposure remains structurally similar to the U.S. case: prosecutorial discretion shapes outcomes, but the statute provides no defense.
The honest framing for this volume is therefore: good intentions are not a legal defense; only prosecutorial discretion (federal and state, U.S. and international) and post-engagement disclosure-as-mitigation actually shape outcomes. This is the load-bearing point that distinguishes the grey-hat treatment from the white-hat treatment — Vol 6’s authorization stack is the legal artifact that converts the technical work to white-hat work; the grey-hat actor has no such artifact, and the legal protection (such as it is) comes from prosecutorial choices the actor does not control.
1.2 The boundary against the white hat and the black hat
The boundaries that bracket the grey-hat region of Axis 1:
- Against the white hat (Vol 6). The discriminator is the authorization stack of Vol 6 §1 — SOW, scope document, ROE, get-out-of-jail letter. A practitioner whose engagement paperwork is properly executed is doing white-hat work; the same practitioner running the same scan against the same target without that paperwork is, in that moment, operating as a grey hat (at best). The boundary is sharp on paper and porous in practice: many grey-hat researchers transition into white-hat careers (this is §6 of this volume); many white-hat consultants do occasional after-hours research that drifts across the boundary (the canonical “I noticed something suspicious about my own bank’s website” story, multiplied by tens of thousands of practitioners). The hat-tracks-the-conduct framing of Vol 7 §1.1 applies bidirectionally: an individual’s stance is the stance of the current activity, not a permanent label.
- Against the black hat (Vol 7). The discriminator is the motive layer — financial gain, espionage, sabotage, destructive ideology, grudge — that Vol 7 §1.2 catalogued. The grey-hat researcher’s motive is constructive; the black-hat actor’s motive is in the Vol 7 §1.2 catalog. The boundary is, on paper, easier than the white-hat one — most grey-hat-to-black-hat trajectories involve a deliberate decision to monetize. In practice the boundary is contested at three edges:
- The broker market (sell the vulnerability to ZDI, Zerodium, NSO, or an unknown buyer) — selling to a coordinated-disclosure broker (ZDI’s commercial model) is structurally white-or-grey; selling to a sovereign-customer broker (Zerodium, NSO) is contested in the practitioner literature, with arguments on both sides about whether the broker’s downstream use converts the research-and-sale into something on the black-hat side of the line. Vol 4 §3.3 walked the broker tier at depth.
- The public-disclosure-as-coercion edge — disclosing publicly to force a vendor to fix is structurally grey-hat (constructive motive, unauthorized act); disclosing publicly with the demand “pay me or I publish” is structurally black-hat (the demand is extortion regardless of the technical content). The boundary is the demand, not the disclosure.
- The “I hacked it to prove it” public stunt — the actor who breaks in specifically to demonstrate a flaw publicly, often without first contacting the vendor, is in a contested grey-hat / hacktivist zone. Some such actions are universally regarded as grey-hat; others (the weev / Andrew Auernheimer case in §7.4) became canonical examples of “the conduct was technically constructive but the legal system treated it as black-hat” — a configuration that is in itself an argument for the volume’s load-bearing legal callout.
- Against the hacktivist (Vol 7 §1.2.4 / §6.3). Hacktivism — Anonymous, LulzSec, some of the Lapsus$ work — overlaps with grey-hat in the unauthorized-but-not-financially-motivated sense, but typically differs in two ways: hacktivism often is destructive (the motive is political pressure through harm), and hacktivism typically discloses publicly without coordination with the vendor. The grey-hat stance is closer to “I hacked it, told the vendor, gave them time to fix, and then disclosed” than to “I hacked it and made it public to embarrass them.” The boundary is fuzzy at the edges; the Anonymous-era literature describes some operations as hacktivist (the Sony Pictures-style operations) and others as grey-hat (some of the early Project Chanology activity). The practitioner community usage of grey hat in 2026 generally excludes hacktivism; some academic literature includes it.
1.3 What “without malice” actually captures
Mirroring Vol 7 §1.2’s catalog of malicious-or-self-interested motives, the grey-hat “without malice” half captures roughly four things:
- Constructive research motive. The most common grey-hat motive: the actor believes the target is vulnerable, demonstrates it is, and reports the finding. The reporting can be to the vendor (coordinated disclosure), to the public (full disclosure), to a researcher community (forum-and-zine disclosure of the Vol 3 §6 era), or some combination.
- Defensive-improvement motive. A subset of the constructive case: the actor is testing their own defenses, or the defenses of a community they belong to, against the same techniques real adversaries would use. Some independent-researcher work against widely-used open-source infrastructure (where there is no formal scope or bug-bounty program but the project clearly benefits from the research) falls in this category.
- Curiosity motive. The “I wonder if this is possible” motive — the actor’s primary interest is in understanding how the system works rather than in any specific outcome. Curiosity-motive grey-hat work is closest to the Vol 3 §6 historical hacker-ethic posture (curiosity as a virtue) and is the historical precursor to most modern grey-hat practice. Curiosity is also the motive most likely to drift across the legal line without the actor explicitly intending to — Vol 3 §8’s Mitnick case is the canonical instance of how a curiosity-motivated actor’s trajectory can land them in the federal-fugitive category.
- Public-good motive. The actor explicitly frames the work as a contribution to security in the public interest. The Project Zero / coordinated-disclosure literature (§4.3 below) is the institutionalized version of this motive. Independent researchers operating in the public-good mode — the EFF-aligned researchers, the academic-security researchers, the canonical cypherpunk-lineage activists — often describe their work this way.
The grey-hat case is not distinguished by skill or sophistication. A high-school student running automated scanners against a randomly-selected target with no monetization intent and a vague “I’ll let them know if I find something” plan is operating in the grey-hat region of Axis 1 just as much as a senior researcher conducting a multi-month protocol analysis of a critical-infrastructure component before disclosing to CISA. The discriminator is the unauthorized-without-malice combination, not the depth of the work. This is one place the term grey hat drifts in practice — the more skilled practitioners often reject the label as too broad and prefer independent researcher; the less skilled practitioners are often described by others as “script kiddies” (a separate, derogatory term) without recognizing that the Axis-1 stance is the same. The volume retains the broad usage.
The line — load-bearing legal callout. Grey-hat conduct is unauthorized access under the CFAA and equivalent statutes regardless of the actor’s intent. The 2022 DoJ policy update (Vol 4 §5.3) provides prosecutorial discretion, not legal immunity. Civil liability is uncapped and not bound by federal-DoJ policy. State law is parallel and undermapped. International equivalents track the same structural pattern. Good intentions are not a legal defense; only prosecutorial discretion (federal and state) and post-engagement disclosure-as-mitigation actually shape outcomes. The full legal framing is in Vol 19 (the legal line and ethics) §2 (CFAA), §3 (Van Buren), §4 (international scene), §6 (good-faith research and the 2022 policy), and §7 (civil liability). This volume points at the legal frame from outside; Vol 19 is inside it.
2. Origin and how the term is actually used
The term grey hat (or gray hat — both spellings circulate) entered information-security vocabulary later than its black and white counterparts and through a different mechanism. Where white and black migrated into computing through 1990s trade-press writing about hacker culture broadly (Vol 5 §3), grey emerged from the full-disclosure debate of the mid-1990s through late-1990s window and became a recognizable category as the L0pht-era practitioner population became visible to mainstream media. The earliest documented uses of the term in security-trade contexts cluster around 1997–1998; by the time of L0pht’s May 19, 1998 Senate testimony [6], the category was recognized in Wired, Computer Security Journal, and the broader trade press, even though the practitioners involved generally did not (and largely still do not) use the term to describe themselves.
2.1 The L0pht as the inflection point
The L0pht — full name L0pht Heavy Industries, founded approximately 1992 in Boston as a shared hacker workspace by Brian Oblivion, Count Zero, and several others, expanding through the early-1990s to a stable membership cohort — is the canonical “grey-hat collective” institution. Vol 3 §6.5 and Vol 5 §5.3 walked the L0pht historical material. The brief recap for this volume:
- L0pht operated as a research workspace where the membership conducted vulnerability research against commercial software and disclosed it through advisories, Phrack articles, and (later) the L0pht’s own published Security Advisories. The disclosure practice was often full disclosure — publication of the technical detail at the same time as (or sometimes before) notification to the vendor. The practice was deliberately confrontational toward vendors whose security posture was (in L0pht’s assessment) inadequate.
- The May 19, 1998 Senate testimony before the U.S. Senate Committee on Governmental Affairs (the hearing was titled “Weak Computer Security in Government: Is the Public at Risk?”) was the moment grey-hat-as-category became institutionally visible. The canonical seven testifiers, each appearing under their L0pht handle: Brian Oblivion, Kingpin (Joe Grand), Mudge (Peiter Zatko), Space Rogue (Cris Thomas), Stefan Von Neumann, John Tan, and Weld Pond (Chris Wysopal) [6]. The testimony’s most-cited line — that the group could “take down the Internet in 30 minutes” using publicly-known BGP vulnerabilities — was the press-friendly summary; the substantive content was a structural critique of the way commercial software vendors handled (or failed to handle) vulnerability research and disclosure.
- L0pht’s commercialization came in early 2000, when the collective merged with @stake, a Boston security-consulting firm. The @stake / L0pht entity continued as one of the canonical first-generation pentest consultancies until Symantec’s 2004 acquisition (covered in Vol 4 §2.2). Several L0pht alumni — most famously Mudge, who joined DARPA in 2010 and subsequently moved through Google, Stripe, and Twitter (Head of Security, 2020–2022) to CISA (2024) — built mainstream careers from the grey-hat-era foundation.
The L0pht-as-grey-hat-inflection framing matters because it captures the structural transition the term itself marks: in 1996, the population of practitioners doing unauthorized-but-constructive research was a counterculture; by 2000, that population was the institutional core of a professionalizing consulting industry. The grey-to-white pathway that §6 treats as a 2026 career mode is, historically, the L0pht-to-@stake pathway writ large.
2.2 The full-disclosure debate as the term’s birth context
The other context in which grey hat emerged was the full-disclosure-versus-responsible-disclosure debate that ran from the late 1980s through the 2000s. Vol 4 §3 walked the debate’s history at depth; the relevant points for this volume:
- Bugtraq (Scott Chasin, founded 1993; subsequently Aleph One / Elias Levy; later acquired by SecurityFocus) was the canonical full-disclosure mailing list. Researchers posted vulnerability details to Bugtraq, often with working proof-of-concept code, on the theory that public visibility forced vendors to patch. The full-disclosure norm was the dominant mode through the mid-1990s.
- Scott Culp’s 2001 essay “It’s Time to End Information Anarchy” (Microsoft Security Response Center, October 17, 2001) [7] was the canonical vendor-side argument for what Culp called “responsible disclosure” — researchers privately notify vendors and give them time to patch before publishing. The essay catalyzed a multi-year debate; the responsible-disclosure norm gained ground in the mid-2000s.
- Google Project Zero (announced July 15, 2014 by Chris Evans on the Google Security Blog; original team included Tavis Ormandy, Ben Hawkes, George Hotz briefly, Ian Beer, Matt Tait, and others) [8] formalized the 90-day coordinated-disclosure window — the structural innovation that has, in 2026, become the modal industry norm. Project Zero publishes vulnerability detail 90 days after vendor notification regardless of patch status, with a 14-day grace period if a patch is imminent [9]. The policy applies uniformly, including to Google’s own products.
The grey-hat category lives inside this debate. A researcher operating under full-disclosure norms is doing grey-hat work in the strict sense even when the research was constructively motivated — the disclosure of working proof-of-concept code without vendor coordination produces real-world risk in the patch window between disclosure and vendor remediation. A researcher operating under coordinated-disclosure norms is doing closer-to-white-hat work — but only if the underlying research itself was authorized; the disclosure protocol does not cure an unauthorized-access problem. The 90-day Project Zero norm is widely regarded as the current canonical industry standard, but it is a norm for how to disclose, not a defense for whether the research was authorized in the first place.
2.3 Industry usage versus the practitioner self-description
Where industry usage of grey hat diverges from the practitioners themselves is the dominant pattern in 2026:
- The press and the academic literature use grey hat freely to describe unauthorized-but-constructive researchers. The term is the convenient shorthand for the third position on Axis 1.
- The practitioner community largely does not use the term to self-describe. Working independent researchers in 2026 typically describe themselves as “independent researcher,” “vulnerability researcher,” “bug-bounty researcher,” “security researcher,” or with their handle. The term grey hat is often perceived as patronizing — implying a kind of fence-sitting that the practitioner doesn’t see in their own work. Mudge has been quoted in multiple interviews rejecting the term [10]; many of the L0pht-era figures express similar views. The community-internal vocabulary describes the same population without the grey label.
- “Independent researcher” is the modal self-description in 2026, with substantial drift toward “bug-bounty researcher” since approximately 2015 as the bug-bounty institutional infrastructure (Vol 4 §5; §6 of this volume) has matured.
- “Vulnerability researcher” or “security researcher” is the broader category that includes both authorized-by-employer researchers (Project Zero is the canonical example; the team is employed-and-authorized but the disclosure practice creates pressure that the practitioner community sometimes calls “grey-aligned”) and unauthorized independent researchers.
| Term | Stance | Practitioner usage | Press usage |
|---|---|---|---|
| Grey hat | Unauthorized, constructive | Largely rejected; perceived as patronizing | Common shorthand |
| Independent researcher | Unauthorized or unaffiliated; constructive | Modal self-description | Used when grey hat seems too charged |
| Bug-bounty researcher | Authorized by program scope; constructive | Rising since ~2015 | Common where the program is identified |
| Vulnerability researcher | Broad — authorized or unauthorized | Common; broad | Common; broad |
| Security researcher | Broadest — includes academic, defensive, etc. | Very common | Most common single label |
| “Hacker” (unmodified) | Ambiguous — older self-description | Sometimes used reclaim-style | Confusing; usually clarified by context |
| “White-hat researcher” | Implies authorization | Used to distinguish from grey when context demands | Sometimes |
| “Researcher” (unmodified) | Implies academic or industry research | Common in DEF CON / Black Hat contexts | Less common |
Table 8.1 — Grey-hat-related vocabulary in 2026. The community-internal label and the press label often diverge; the volume retains grey hat as the Axis-1 stance label while acknowledging that practitioners rarely use it for themselves. The two columns capture the dominant pattern; there are individual practitioners who do use grey hat self-descriptively and individual press outlets that avoid the term.
2.4 The term has gotten fuzzier, not sharper
A second-order observation worth flagging: the grey hat category was sharper in 1998 than it is in 2026. The L0pht-era practitioners operated in a world without bug-bounty programs, without coordinated-disclosure norms, without the DoJ 2022 policy — the only available pathway for vulnerability research was the unauthorized-then-disclose model that the term grey hat most cleanly describes. By 2026, the institutional infrastructure has thickened substantially:
- Bug-bounty programs (HackerOne, Bugcrowd, Synack, Intigriti, YesWeHack, and the company-direct programs) convert a substantial fraction of what would have been grey-hat work in 1998 into white-hat work under program scope and safe-harbor language (Vol 4 §5; §6 of this volume).
- Coordinated Vulnerability Disclosure (CVD) policies published by vendors (the CERT/CC coordinated-disclosure framework; ISO/IEC 29147; the broader CVD-as-policy movement) create authorization envelopes for researchers operating outside formal bug-bounty programs.
- The 2022 DoJ policy provides prosecutorial discretion for good-faith research — partial legal cover that did not exist for L0pht in 1998.
- The CFAA case law has, through Van Buren and the post-2022 charging pattern, narrowed in some places (the exceeds authorized access prong) even as it remains expansive in others (the without authorization prong).
The result is that the grey-hat category in 2026 has shrunk at the edges. Much research that would have been grey-hat in 1998 is now white-hat through bug-bounty scope. Some research that would have been grey-hat is now closer to authorized-by-CVD-policy. The residual grey-hat category — research that proceeds without authorization of any kind, against targets without bug-bounty or CVD coverage, conducted for constructive motives — has gotten smaller but has not gone away. The §5 day-in-the-life narratives in this volume describe operators inside the residual category; the §6 career-pathway section describes the conversion from residual grey-hat work to bug-bounty-coverage white-hat work.
3. Tools of the trade
The grey-hat toolchain is, structurally, the same toolchain as Vol 6 §3 — the white-hat toolchain — applied to targets without the Vol 6 §1 authorization stack. This section does not re-derive the Vol 6 tool inventory; instead, it identifies the grey-hat-specific pattern of which tools come out of the kit and in what posture, flags the legal hazard at the category level for each, and tracks the RF parallel where the grey-hat use case has its own historical texture. The section closes with a callout that captures the load-bearing observation: the technical content is identical to authorized work; the legal exposure is identical to malicious work; the discriminating variable is intent and post-engagement disclosure — and neither of those is a legal defense.
A grounding clarification carried over from Vol 6 §3 and Vol 7 §3: the same hardware and the same software are used across all three Axis-1 stances. The HackRF One that a wireless pentester uses under SOW is the same HackRF the grey-hat RF researcher uses against a target without authorization is the same HackRF the criminal car thief uses to defeat a rolling-code remote. The Burp Suite that runs in Sarah’s (Vol 6 §5.1) consultancy engagement is the same Burp Suite Emily (Vol 6 §5.3) runs in her bug-bounty session is the same Burp Suite a grey-hat researcher runs against a SaaS provider with no bug-bounty program. The discriminator is authorization, not gear. Vol 5’s master taxonomy diagram makes the structural point; this section traces the implication on the grey-hat side.
3.1 The pentest stack applied outside a sanctioned scope
The bulk of grey-hat work, technically, is the Vol 6 §3 pentest stack applied to targets the actor does not have authorization to test. The stack inventory:
- Nmap for network discovery and host enumeration. A grey-hat scan of an organization’s public IP space produces the same scan signature as a white-hat scan; the legal hazard is that port scanning itself has been treated inconsistently by courts. The 2000 Moulton v. VC3 case in the Northern District of Georgia held that an unauthorized port scan was not, by itself, a CFAA violation under the then-current statute — but the case is twenty-six years old, has not been broadly cited as protective precedent since, and predates substantial amendments to the CFAA. The 2026 working assumption among practitioners is that port scanning of a system the operator does not own can be charged as unauthorized access depending on the prosecutor and the surrounding context; the Moulton holding does not protect against the prosecutorial decision to charge.
- Burp Suite, OWASP ZAP for web-application probing. A grey-hat researcher inspecting a SaaS provider’s authentication flow without program coverage is doing the same technical work as Vol 6 §5.3’s Emily — minus the program scope and the safe-harbor language. The legal hazard is that web-application probing typically does cross the “without authorization” line under any reasonable reading of the CFAA — the researcher is sending requests to authenticated endpoints, attempting parameter manipulation, and observing responses that the application’s owner has not authorized them to observe.
- Metasploit Framework, Sliver, the C2 platforms for exploitation and post-exploitation. The grey-hat use case for the exploitation tier is the most legally hazardous — confirming a vulnerability by exploiting it (the “I broke in to prove it was broken” model) takes the actor across the “exceeds authorized access” line that even the Van Buren narrowing leaves intact, and into the territory where the post-exploitation activity (file listing, capability demonstration, screenshot of an admin prompt) reads to a prosecutor as the full intrusion regardless of the actor’s plan to disclose.
- BloodHound, Mimikatz, the AD tooling. If the grey-hat researcher has gained internal-network access at any depth, the AD-graph and credential-extraction tooling presents both the technical opportunity (deeper understanding of the target) and the deepest legal hazard (Mimikatz output is the canonical post-exploitation artifact; running it without authorization is the canonical CFAA charge).
- OSINT tooling — Amass, theHarvester, Shodan, Maltego, SpiderFoot. This tier is the safest — passive collection from public sources is, in most jurisdictions, legal. The grey-hat OSINT phase often produces the bulk of useful intelligence without crossing the authorization line; many independent researchers maximize this tier and minimize the active-probing tier specifically for legal-hazard-management reasons.
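The §1 observation that the scan signature on the wire is identical across the three stances, and the §3.1 point that the Nmap sweep carries the same hazard whatever the intent, can be made concrete from the defender’s side. The following example is added here and is not this volume’s code; it assumes a constructed firewall log format, assumed detection thresholds, and an invented engagement record SOW-2026-017 that stands in for the Vol 6 §1 authorization stack. It detects two port sweeps that are indistinguishable on the wire and can only tell them apart by reconciling each against that record.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed firewall log lines in an assumed format (not any real product's):
# "<ISO timestamp> <ACTION> <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2026-03-02T09:00:01 DENY 198.51.100.7 -> 203.0.113.10:21
2026-03-02T09:00:01 DENY 198.51.100.7 -> 203.0.113.10:22
2026-03-02T09:00:02 DENY 198.51.100.7 -> 203.0.113.10:23
2026-03-02T09:00:02 DENY 198.51.100.7 -> 203.0.113.10:80
2026-03-02T09:00:03 DENY 198.51.100.7 -> 203.0.113.10:443
2026-03-02T09:00:03 DENY 198.51.100.7 -> 203.0.113.10:3389
2026-03-02T13:15:00 DENY 192.0.2.44 -> 203.0.113.10:21
2026-03-02T13:15:00 DENY 192.0.2.44 -> 203.0.113.10:22
2026-03-02T13:15:01 DENY 192.0.2.44 -> 203.0.113.10:23
2026-03-02T13:15:01 DENY 192.0.2.44 -> 203.0.113.10:80
2026-03-02T13:15:02 DENY 192.0.2.44 -> 203.0.113.10:443
2026-03-02T13:15:02 DENY 192.0.2.44 -> 203.0.113.10:3389
2026-03-02T13:20:00 ALLOW 192.0.2.9 -> 203.0.113.10:443
"""

@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Authorization:
    """Stand-in for the Vol 6 SOW/ROE artifact: which source may test, and when."""
    engagement: str
    src: str
    start: datetime
    end: datetime

@dataclass(frozen=True)
class ScanHit:
    src: str
    dst: str
    first_ts: datetime
    last_ts: datetime
    ports: frozenset

def parse_log(text):
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _action, src, _arrow, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        events.append(Event(datetime.fromisoformat(ts), src, dst, int(port)))
    return events

def detect_scans(events, min_ports=5, window=timedelta(seconds=60)):
    """Flag each (src, dst) pair where one source touched at least min_ports
    distinct ports inside a sliding window of length `window` (assumed thresholds)."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e.src, e.dst)].append(e)
    hits = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e.ts)
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            ports = frozenset(e.dport for e in evs[start:end + 1])
            if len(ports) >= min_ports and (best is None or len(ports) > len(best.ports)):
                best = ScanHit(src, dst, evs[start].ts, evs[end].ts, ports)
        if best is not None:
            hits.append(best)
    return hits

def signature(hit):
    """Everything the wire gives the defender: the ports touched and the sweep duration."""
    return (tuple(sorted(hit.ports)), hit.last_ts - hit.first_ts)

def reconcile(hits, authorizations):
    """Classify each hit by the only available discriminator: whether a contract artifact
    covers that source for that window. Anything else is unreconciled and goes to incident handling."""
    results = {}
    for h in hits:
        covering = [a for a in authorizations
                    if a.src == h.src and a.start <= h.first_ts and h.last_ts <= a.end]
        results[h.src] = f"authorized:{covering[0].engagement}" if covering else "unreconciled"
    return results

# Assumed engagement record: one external pentest scoped to a single source
# address and a four-hour test window on the day of the scans.
AUTHORIZATIONS = [
    Authorization("SOW-2026-017", "198.51.100.7",
                  datetime(2026, 3, 2, 8, 0), datetime(2026, 3, 2, 12, 0)),
]

if __name__ == "__main__":
    print(reconcile(detect_scans(parse_log(SAMPLE_LOG)), AUTHORIZATIONS))
```

Both sweeps produce the same signature; the second source is unreconciled not because its packets look different but because no artifact covers it, which is exactly the position the grey-hat researcher occupies in the target’s SOC.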
3.2 The RF parallel
The RF tradecraft tier carries its own characteristic grey-hat history. Foundational research on sub-GHz protocols, RFID/NFC, garage-door openers, car key fobs, wireless sensors, and the broader consumer-RF ecosystem was disproportionately done by independent researchers operating without manufacturer authorization, then disclosed at conferences (DEF CON, Chaos Communication Congress, RECon) or in papers (USENIX Security, NDSS, ACSAC). The grey-hat RF-research lineage is the foundational research literature for almost everything in Vol 13 (SDR and sub-GHz), Vol 14 (Wi-Fi and BLE), and Vol 15 (RFID, NFC, and access control).
The legal hazard varies sharply by category:
- Passive RF reception (listen, demodulate, decode public traffic) is, in most jurisdictions for most bands, legal. The U.S. Wiretap Act (18 U.S.C. § 2511) does not prohibit reception of radio broadcasts generally; the Communications Act of 1934 (47 U.S.C. § 605) restricts divulgence of intercepted communications but not the bare reception of them, and the FCC’s interpretation has historically tolerated receive-only research. The European RTTE Directive and equivalents in other jurisdictions are similar in spirit if not in detail. Passive monitoring of an organization’s RF emissions — listening to their unencrypted wireless protocols, decoding their badge-reader broadcasts, observing their unencrypted IoT-sensor traffic — is often legal at the bare-reception layer.
- Active RF probing (transmit signals to elicit responses; replay captured signals; jam) is much more legally hazardous. The U.S. CFAA does not have a clean overlap with RF — the statute covers protected computer systems, and many RF-protocol attacks target devices that aren’t obviously “protected computers” in the CFAA’s sense — but the Communications Act (47 U.S.C. § 333) prohibits willful interference with radio communications, and most jurisdictions have wiretap-statute equivalents that the active-replay attack potentially implicates. The grey-hat RF researcher who transmits an unauthorized replay against a target’s access-control reader (to demonstrate that the badge cryptosystem is broken) is in considerably more legal hazard than the same researcher passively recording the access-control protocol.
- Wi-Fi probing (active scanning of networks the researcher doesn’t own; probing for SSIDs; capturing handshakes) is in a particularly hazardous middle ground. The 2010 Google Wi-Fi data collection incident and the subsequent state-AG investigations established that even Wi-Fi packet capture from open networks could be treated as a wiretap-statute violation in some U.S. states (the 2010 Wisconsin and Connecticut investigations were particularly aggressive); the legal exposure is genuinely undermapped, and the modern grey-hat Wi-Fi researcher operates with substantial uncertainty about the exact legal line. The defensive treatment in Vol 14 will treat the protocol layer; the legal layer will be in Vol 19 §4.5.
- RFID/NFC cloning of credentials the researcher does not own is structurally similar to badge-cloning under physical-engagement scoping (Vol 6 §3.7) — the technique is the same; the authorization layer is missing. The grey-hat “is this badge cryptographically clonable?” demonstration is the canonical conference talk pattern (DEF CON’s RFID Hacking Village runs an annual cluster of such talks); the legal hazard is that the demonstration’s predicate often involves the researcher cloning a real credential from a willing participant (whose authority to consent to the cloning is sometimes unclear).
3.3 The substantive tools table
| Category | Tool family | Legal hazard | Typical grey-hat use | Forward-ref |
|---|---|---|---|---|
| Network discovery | Nmap, Masscan, Rustscan, ZMap | Moderate — port scanning is contested precedent; the conservative reading is that unauthorized scans can be charged as CFAA | Reconnaissance of public-internet infrastructure to identify potentially-vulnerable services | Vol 6 §3.1; Vol 16 §3 when authored |
| Web-application probing | Burp Suite, OWASP ZAP, Nuclei, ffuf, subdomain enum | High — sending crafted requests to an application the researcher doesn’t own crosses the “without authorization” line on most readings | Probing SaaS providers’ authentication flows; subdomain enumeration; parameter manipulation | Vol 6 §3.2 |
| Exploitation frameworks | Metasploit, Sliver, Mythic, Empire/Starkiller | Very high — confirming a vulnerability by exploiting it is the canonical CFAA-charged conduct | “Proving it’s broken” by establishing initial access | Vol 6 §3.3 |
| AD and credential extraction | BloodHound, Mimikatz, Impacket, SharpHound | Very high — Mimikatz output is canonical post-exploitation evidence; LSASS access is unambiguous unauthorized access | Demonstration of internal-AD attack paths (rare in grey-hat work; usually only after some prior access exists) | Vol 6 §3.4; Vol 16 §7 when authored |
| OSINT | Amass, theHarvester, Shodan, Censys, Maltego, SpiderFoot | Low — passive public-source collection is legal in most jurisdictions | Subdomain enumeration, exposed-asset discovery, personnel mapping, repo enumeration | Vol 6 §3.5; Vol 17 §2 when authored |
| SDR — passive reception | HackRF One, RTL-SDR, PortaRF, GNU Radio | Low (most jurisdictions, most bands) — receive-only research is generally legal | Protocol analysis of public RF traffic; consumer-RF reverse engineering | Vol 13 when authored |
| SDR — active transmit | Same hardware; transmit mode | Moderate-to-high — depends on band, target, and Communications Act §333 interference framing | Replay-attack demonstration; protocol-response probing | Vol 13; HackRF One deep dive |
| Wi-Fi probing | WiFi Pineapple, Marauder, aircrack-ng, hashcat (for offline cracking) | High — wiretap-statute exposure varies by jurisdiction; the 2010 Google Wi-Fi precedent is undermapped | Network-survey, handshake-capture, rogue-AP testing of public infrastructure | Vol 14 when authored; WiFi Pineapple deep dive §1 flags this as posture-sensitive |
| RFID / NFC | Flipper Zero, Proxmark3 RDV4, ChameleonMini | Moderate — credential cloning where the researcher doesn’t own the credential implicates state-level access-control statutes | “Is this badge clonable?” demonstrations; protocol analysis | Vol 15 when authored |
| HID injection | USB Rubber Ducky / Bash Bunny / O.MG Cable / Key Croc | Very high (when deployed) — the “found USB” attack family is canonical CFAA-charged conduct | Rare in pure grey-hat work; more common in physical-access edge cases | Ducky Script deep dive; Vol 16 when authored |
Table 8.2 — The grey-hat toolchain working-set, organized by category, with the legal-hazard column the dominant variable. None of these tools is grey-hat-specific — the entire inventory is the same inventory as Vol 6 §3 Table 6.2; the discriminator is authorization, not gear. The legal-hazard column reflects 2026 U.S. federal practice as a baseline; state law and international equivalents add parallel exposure that is undermapped in the practitioner literature.
3.4 The load-bearing structural observation
Technically, grey-hat work equals authorized work; legally, it equals malicious work; intent is the discriminator, and intent does not legally protect. The technical content of a grey-hat engagement is identical to the technical content of Vol 6’s authorized work — the same Nmap invocations, the same Burp Suite sessions, the same HackRF captures, the same Pineapple deployments. The legal exposure of a grey-hat engagement is identical to the legal exposure of Vol 7’s malicious work — the same CFAA “without authorization” elements, the same potential wire-fraud and aggravated-identity-theft stacking, the same civil liability. The distinguishing variable between grey-hat and black-hat work is intent and post-engagement disclosure; neither of those variables is a legal defense. Only prosecutorial discretion and the disclosure-as-mitigation lens at sentencing actually shape outcomes. This is the load-bearing structural observation that makes the rest of this volume — the disclosure decision point of §4, the bug-bounty conversion pathway of §6, the famous-figures cautionary cases of §7 — make sense.
4. Methods and tradecraft — the disclosure decision point
The grey-hat research workflow is, technically, the Vol 6 §4 lifecycle (recon → vuln assessment → exploit → post-exploit → cleanup) minus the pre-engagement authorization stack (no SOW, no scope, no ROE, no GOJL) and plus a critical post-research decision the white-hat lifecycle doesn’t face: what to do with the finding. The disclosure decision point — the moment after a vulnerability has been identified and (often) confirmed by exploit, when the researcher must decide between coordinated disclosure, full disclosure, sale to a broker, or sitting on the finding — is the structural feature that most clearly distinguishes grey-hat methodology from white-hat methodology. A white-hat engagement’s deliverable is a report to the client; a grey-hat researcher’s deliverable is a decision about whom to tell, when, and how.
This section walks the disclosure decision point at depth, with the four canonical options, the legal-and-ethical-and-reputational consequences of each, and the coordinated-disclosure framework as the canonical grey-to-white reconciliation. The technical lifecycle itself is treated briefly first.
4.1 The unsanctioned-research workflow
The grey-hat research workflow is the Vol 6 §4 lifecycle’s middle phases applied without the bracketing authorization phases. The map:
NO PRE-ENGAGEMENT
┌──────────────────────────────────────────┐
│ no SOW                                   │
│ no scope document                        │
│ no ROE                                   │
│ no get-out-of-jail letter                │
│                                          │
│ the actor's legal-hazard envelope        │
│ is open                                  │
└──────────────────────────────────────────┘
                    │
                    ▼
RESEARCH (UNSANCTIONED)
┌──────────────────────────────────────────┐
│ TARGETING (interest-driven)              │
│   ─► RECONNAISSANCE (passive heavy:      │
│        OSINT, Shodan, Wayback,           │
│        public-source recon)              │
│   ─► VULN ASSESSMENT                     │
│        (does it even seem broken?)       │
│   ─► EXPLOIT (CONFIRM)                   │
│        (the legally hazardous phase;     │
│        NO BROAD ACTIVE SCANNING —        │
│        narrowed to the specific target)  │
│   ─► DOCUMENT FINDING                    │
│   ─► DISCLOSURE DECISION                 │
│        (this volume's §4)                │
└──────────────────────────────────────────┘
                    │
                    ▼
DISCLOSURE DECISION POINT
┌──────────────────────────────────────────┐
│ COORDINATED DISCLOSURE  FULL DISCLOSURE  │
│ (vendor first,          (public first,   │
│  patch, then publish)    no embargo)     │
│                                          │
│ SELL                    SIT              │
│ (broker market,         (do nothing,     │
│  posture-sensitive)      hope/forget)    │
└──────────────────────────────────────────┘
Figure 8.1 — The grey-hat research workflow. The pre-engagement phase is structurally empty (no authorization paperwork; the legal envelope is open from the start). The research phase is the Vol 6 §4 middle phases (targeting → recon → vuln assessment → exploit → document) compressed and applied unilaterally. The post-research disclosure decision is the structural feature of grey-hat methodology that doesn’t appear in the white-hat lifecycle — the four canonical paths (coordinated, full, sell, sit) are §4.2’s subject.
The discipline differences from the Vol 6 §4 authorized lifecycle worth flagging:
- Targeting is interest-driven, not contract-driven. The white-hat consultant targets what’s in their scope document; the grey-hat researcher targets what they’re curious about or what they think is broken. The targeting decision is itself part of the grey-hat methodology and has legal consequences (a researcher targeting critical-infrastructure systems faces different prosecution-risk math than one targeting a consumer-software SaaS).
- The reconnaissance phase is passive-heavy. Mature grey-hat researchers maximize the OSINT tier and minimize the active-probing tier — both for stealth and for legal-hazard management. The passive phase often produces sufficient evidence of vulnerability to make the active-confirmation phase optional or, at most, narrow.
- The exploit phase is the legally hazardous one. The “does it actually work?” confirmation is where the researcher most clearly crosses the CFAA line. Some grey-hat researchers deliberately stop at vulnerability identification without confirmation; others argue that an unconfirmed vulnerability report is too easy for a vendor to dismiss and that confirmation is operationally necessary. The decision is a personal risk-calibration; the law treats them identically.
- There is no cleanup phase in the Vol 6 §4.7 sense. The grey-hat researcher doesn’t have the authorization-envelope-expires-at-engagement-close framing; the residual access (if any) was unauthorized in the first place. Mature grey-hat researchers minimize residual artifacts both for operational reasons (don’t leave a trail) and ethical reasons (don’t create access another adversary could use).
- Documentation is for the disclosure target, not for a contracted client. The grey-hat researcher writes the finding for the eventual recipient — the vendor’s security team, the CERT/CC coordinator, the public-disclosure audience, or the broker. The audience-specific framing shapes the documentation: a coordinated-disclosure submission to a vendor reads like a white-hat finding; a full-disclosure post reads like a security-advisory; a broker submission reads like a sales document.
4.2 The disclosure decision point — the four options
After the research is documented, the grey-hat researcher faces a four-way decision. Each option has legal, ethical, reputational, and outcome consequences. The four options:
Option A — Coordinated disclosure. Notify the vendor privately, give them time to patch, then disclose publicly after the patch (or after a fixed deadline regardless of patch). This is the canonical grey-to-white reconciliation pathway. The 90-day Project Zero norm [9] is the current industry-modal version; the 45/30/30-day staged timelines of various other frameworks are alternatives. The CERT/CC coordinated-disclosure framework [11] is the canonical multi-stakeholder version when the vulnerability affects multiple vendors. The Bugtraq → responsible disclosure → coordinated disclosure arc that Vol 4 §3 walked is the historical context for the modern norm.
The legal exposure of coordinated disclosure is the same as the underlying research exposure — disclosing to the vendor does not cure the unauthorized-access act that produced the finding. What coordinated disclosure changes is prosecutorial discretion (the DoJ 2022 policy framework specifically favors good-faith research with constructive disclosure [3]) and civil-litigation posture (a vendor whose finding was responsibly disclosed is much less likely to pursue civil action than one who was publicly embarrassed). The pathway is the lowest-legal-hazard of the four options without being legally safe.
Option B — Full disclosure. Publish the technical detail and (often) working proof-of-concept code publicly, either with no prior vendor notification or with simultaneous notification. The historical full-disclosure norm of the Vol 4 §3.1 Bugtraq era; less common in 2026 but not absent — some researchers explicitly argue that full disclosure produces faster patches and more honest vendor responses than coordinated disclosure does, and some categories of vulnerability (those affecting end-of-life products without a vendor patch path) are essentially impossible to disclose coordinated.
The legal exposure of full disclosure is higher than coordinated disclosure in two ways: the vendor is more likely to pursue civil action (because the public-disclosure surprise caused them concrete harm), and the prosecutor’s reading of “good-faith research” is harder to defend (the conduct-during-research was the same, but the disclosure-conduct is structurally less cooperative). The 2022 DoJ policy framing of “good-faith research” arguably includes full disclosure as a valid mode if the researcher made reasonable effort to coordinate first and the vendor was unresponsive; the framing is contested and the researcher relies on the prosecutor’s interpretation.
Option C — Sale to a broker. Sell the finding to a coordinated-disclosure broker (ZDI, occasional academic-source bounty programs) or to a sovereign-customer broker (Zerodium, NSO Group, occasionally smaller brokers like Crowdfense) [12]. The broker market’s structure was treated at depth in Vol 4 §3.3; the relevant points for this volume:
- Selling to ZDI is structurally similar to coordinated disclosure with a commercial intermediary. ZDI pays the researcher, takes responsibility for vendor coordination, and uses the intelligence to feed customer signatures and the Pwn2Own contest. The pathway is closer to white-hat than to black-hat; the legal exposure is similar to direct coordinated disclosure.
- Selling to a sovereign-customer broker (Zerodium, NSO, Crowdfense) is contested in the practitioner literature. The broker pays substantially more than ZDI (the Zerodium price list documents $2.5M for a full-chain Android remote-code-execution exploit with no user interaction [12]; the iOS equivalent is $2M; Crowdfense’s prices are similar) but the downstream use of the exploit is opaque — the broker’s customers are typically state intelligence services, and the exploits often end up deployed against specific targets without notification to the affected vendor. The “is this still grey-hat or has it become black-hat?” question is contested at the broker-tier; the practitioner-community consensus (as of 2026) is that the sale itself is technically grey-hat (no act of intrusion by the seller after the research) but that the act of selling to a sovereign-customer broker is morally adjacent to participation in the downstream harm. The Bekrar / Zerodium 2015 founding (after Bekrar left VUPEN, where the 2012 Pwn2Own incident — covered in Vol 4 §3.3 — established the broker-vs-coordinated-disclosure tension) is the canonical recent inflection point.
- The legal exposure of selling is more complex than the other options. The underlying research’s CFAA exposure persists; the sale itself is generally legal in the U.S. and most jurisdictions, but the broker-customer relationship can create downstream exposure if the buyer’s use violates other laws (sanctions evasion is the recurring concern). The 2018 Saudi-government use of NSO Pegasus against Jamal Khashoggi (and the subsequent civil litigation; multiple Pegasus-related cases continue in 2026) is the canonical example of downstream-harm exposure that traces back to broker-tier vulnerability sales.
Option D — Sit on the finding. Do nothing — file the finding in a personal notebook, forget it, hope someone else discovers and fixes it, or wait for a different context (e.g., the researcher later joins a company that has a bug-bounty relationship with the vendor). The “sit on it” option is the most-common-and-least-discussed grey-hat outcome; many independent researchers accumulate findings they never disclose because the disclosure pathway is too uncertain or the legal exposure too high. The option is not legally safer than the other options — the research itself was unauthorized, and the residual personal notes are evidence of the conduct — but it minimizes the visibility of the conduct, which is a different variable.
The ethical posture of the sit-on-it option is contested. One argument: the researcher’s choice to not disclose means the vulnerability remains exploitable by other adversaries (who may discover it independently); the public-safety case favors disclosure. Counter-argument: the researcher’s exposure to the legal-and-civil hazard is real; the “good Samaritan” framing breaks down when the cost of doing the good thing is unbounded. The literature on this question is unsettled.
| Path | Legal exposure | Ethical posture | Vendor cooperation | Researcher outcome | Notable example |
|---|---|---|---|---|---|
| Coordinated disclosure | Same as underlying research; mitigated by DoJ 2022 policy; civil exposure reduced | Canonical “good-faith research” framing | Highest | Reputation gain; CVE assignment; sometimes a bounty if program is established post-hoc | Charlie Miller / Chris Valasek Jeep Cherokee 2015 (Vol 6 §7.4 white-hat-side; vendor coordination produced the recall) |
| Full disclosure | Same as underlying research; higher civil exposure than coordinated; “good-faith research” defense harder | Constructive but confrontational; argued necessary for unresponsive vendors | Lower; the vendor often regards the disclosure as adversarial | Reputation in the full-disclosure-aligned community; possible civil litigation; CVE assignment if accepted | Bugtraq-era publications generally; many Vol 3 §6 Phrack articles |
| Sale to coordinated broker (ZDI) | Same as underlying research; mitigated similarly to coordinated disclosure | Constructive; commercial intermediary | Brokerage; vendor sees disclosure through broker | Cash payment; reputation in the broker’s circle; vendor coordination handled by broker | Pwn2Own competition; ZDI ongoing research-purchase program |
| Sale to sovereign-customer broker (Zerodium, NSO, Crowdfense) | Same as underlying research; downstream exposure depending on buyer’s use | Contested; the practitioner community is divided | None; the vulnerability is typically not disclosed to the vendor | Substantial cash; reputation in the broker’s circle; downstream-harm exposure if the buyer’s use becomes public | Zerodium’s public price list; NSO Pegasus / Khashoggi (2018 and subsequent) |
| Sit on it | Same as underlying research; visibility minimized but not eliminated | Contested; the public-safety case favors disclosure | None | No outcome; the finding accumulates in the researcher’s personal notes | Largely undocumented; per the literature, the modal “long-tail” disclosure outcome |
Table 8.3 — The four disclosure paths at the grey-hat decision point, with legal/ethical/cooperation/outcome consequences and a notable example for each. The “legal exposure” column captures U.S. federal-CFAA exposure as a baseline; state law and international equivalents add parallel exposure. The “ethical posture” column captures the dominant 2026 practitioner-community view; the contested cases are noted. The “vendor cooperation” column captures whether the vendor learns about the vulnerability through the disclosure pathway; the “researcher outcome” column captures what the researcher typically gets from each path.
4.3 The coordinated-disclosure framework as the canonical grey-to-white reconciliation
The coordinated-disclosure framework — coordinated between researcher and vendor, sometimes mediated by a third-party coordinator (CERT/CC most prominently) — is the structural innovation that has, since approximately 2010, converted a substantial fraction of what would have been grey-hat work into something closer to white-hat work. The framework’s key elements:
- Initial private notification to the vendor through a published Vulnerability Disclosure Policy (VDP) channel. Most major vendors publish VDPs identifying the point of contact (often security@vendor.com or a dedicated form), the kind of information they want, and the response timeline they commit to. The published VDP is, in 2026, the canonical first step.
- A disclosure timeline, typically 90 days from initial notification to public disclosure, with possible adjustment based on patch availability and vendor cooperation. Project Zero’s 90-day default with 14-day grace period [9] is the modal industry standard; some frameworks use longer (CERT/CC traditionally 45-day-default-with-extensions) or shorter (some hardware-vulnerability frameworks).
- Embargo discipline. Both researcher and vendor commit to not discussing the vulnerability publicly during the embargo period. Embargo breaks — by the researcher (early publication), by the vendor (early disclosure to favored customers or to government partners), or by third parties (sometimes journalists with vendor sources) — are a recurring source of friction.
- Public disclosure at the end of the embargo, regardless of patch status. The Project Zero norm is rigid; CERT/CC and some other frameworks allow vendor-side extension under specific circumstances.
- CVE assignment through the MITRE CVE Numbering Authorities (CNAs) and the National Vulnerability Database (NVD). The CVE assignment is the canonical permanent record of the vulnerability and credits the discovering researcher.
The CERT/CC framework [11] is the canonical multi-stakeholder version — used when the vulnerability affects multiple vendors (operating-system bugs, protocol bugs, library bugs). The CERT/CC coordinator manages the embargo across the affected vendor population, mediates timing disputes, and produces the eventual public advisory. The 2008 Kaminsky DNS coordination (Vol 6 §7.2) was the canonical large-scale CERT/CC-coordinated disclosure at internet-infrastructure scale; the 2014 Heartbleed coordination and the 2018 Meltdown/Spectre coordination were subsequent applications of the same template at similar scale.
The framework’s legal effect is not to convert the unauthorized research into authorized work — the CFAA exposure persists — but to substantially shape prosecutorial and civil-liability outcomes. A researcher who followed the framework in good faith is presenting the prosecutor with the cleanest possible “good-faith research” fact pattern; a vendor whose finding was responsibly disclosed has substantially less civil-litigation incentive than one whose finding was publicly embarrassed. The framework is the mitigation pathway; it is not the legal defense.
The disclosure decision is where the grey-hat lifecycle most clearly differs from the white-hat lifecycle. A white-hat engagement’s terminal deliverable is a report to the client; a grey-hat researcher’s terminal deliverable is the disclosure pathway choice itself. The coordinated-disclosure pathway is the canonical grey-to-white reconciliation; it minimizes legal hazard and maximizes reputational benefit. The other pathways have their place — full disclosure for unresponsive vendors; broker sale for the structurally-different commercial pathway; sit-on-it as the long-tail default — but the coordinated-disclosure pathway is the one the 2026 institutional infrastructure (bug-bounty programs, CVD policies, the 2022 DoJ policy framework, the CERT/CC coordination service) is built to support.
4.4 What happens when the vendor is uncooperative, unresponsive, or hostile
A scenario that recurs in the grey-hat literature: the researcher notifies the vendor, the vendor either ignores the notification, denies the vulnerability is real, threatens legal action against the researcher, or attempts to coerce the researcher into silence. The handling of this scenario is a recurring grey-hat tradecraft question.
The canonical response chain in 2026:
- Document everything. Every email, every response, every silence. The eventual public-disclosure post or the eventual civil-litigation defense will draw on this documentation.
- Escalate within the vendor. If the security team’s inbox is unresponsive, try the company’s CISO directly. If the CISO is unresponsive, try executive contacts. Many uncooperative-vendor scenarios resolve at the executive-escalation layer when the security team is overburdened or under-empowered.
- Engage CERT/CC as a neutral coordinator. CERT/CC has, for several decades, served as the canonical third-party coordinator for difficult vulnerability disclosure cases. The coordinator can sometimes break embargoes that the vendor refuses to engage with through other channels.
- Engage CISA for vulnerabilities affecting U.S. critical infrastructure or government systems. CISA’s Coordinated Vulnerability Disclosure (CVD) service [13] is the canonical government-coordinator version.
- Engage the EFF or other public-interest legal organizations if the vendor’s response involves legal threats. The EFF’s Coders’ Rights Project provides legal support to researchers facing vendor pressure; multiple historically-significant cases (Dmitri Sklyarov / DMCA 2001; Aaron Swartz; David Maynor / Lynn / Cisco IOS heap overflow 2005) involved EFF-supported legal defense of researchers.
- Public disclosure as the last resort, with the documented record of vendor-uncooperation as the justification. The Project Zero 90-day deadline is the structural innovation that legitimized this approach — the deadline is fixed regardless of vendor cooperation, and the public-disclosure threat motivates vendor engagement that “give us forever to fix it” frameworks did not.
The “vendor is hostile” subcategory is the most legally hazardous — a vendor who responds to disclosure with threats of CFAA prosecution or with civil litigation under DMCA §1201 anti-circumvention provisions or under trade-secret statutes (the 2016 Defend Trade Secrets Act adds a federal civil cause of action that has been used against researchers) creates substantial researcher exposure even where the research was constructively motivated. The EFF’s Coders’ Rights Project and similar organizations are the canonical resources; researchers without legal-support infrastructure are at substantial disadvantage in this scenario.
5. A day in the life — the independent researcher
The abstract methodology of §4 looks much more concrete from inside three composite working narratives. Each captures a different point in the grey-hat distribution — the bug-bounty researcher operating at the edge of program scope (the closest-to-white-hat case), the independent researcher operating with no formal scope (the canonical grey-hat case), and the “I hacked it to prove it” actor operating with deliberately public posture (the most exposed case). The narratives are composite, drawn from publicly available conference talks (DEF CON, Black Hat, CCC, RECon), researcher blog posts, and the documented case-law literature; the patterns are real even where the specific individuals are not.
5.1 The bug-bounty researcher operating at the edge of scope
Maya is a full-time independent bug-bounty researcher. She left a software-engineering day job approximately three years ago after her bounty income exceeded her engineering salary for four consecutive quarters; in 2026 she is in the top several hundred globally on HackerOne reputation, with a year-prior bounty income in the mid-six-figures. She differs from Vol 6 §5.3’s Emily in two ways: bounty work is her primary income (not a supplement), and she works at the edge of programs’ scope much more deliberately than Emily does — Emily is risk-averse and stays well inside the scope’s defined envelope; Maya hunts specifically for findings that might be in scope, finds things that probably aren’t, and has developed substantial skill in navigating the disclosure-with-cooperation pathway when the finding exceeds the program’s authorization envelope.
Wednesday morning, 10:00 AM. Maya is at her home-office desk, second coffee of the day. She works approximately the rhythm of a working consultant — productive hours roughly 9:00–13:00 and 15:00–19:00, with a midday break — but the schedule is entirely under her control. Today she’s continuing work on a SaaS provider’s HackerOne program she’s been hunting in for two weeks. The program’s published scope is “anything under *.example.com except the legacy.example.com subdomain which is a third-party service we don’t operate”; the safe-harbor language is standard HackerOne text, with the additional clause “we do not authorize testing of systems that handle our customers’ personal data beyond what is necessary to demonstrate the vulnerability.”
The customer-data clause is the edge Maya is working today. She’s spent the last two days finding an authorization-bypass in the provider’s API that lets her, given an authenticated session to her own account, retrieve metadata about other accounts. The metadata fields she can retrieve are limited (organization name, creation date, plan tier, approximate seat count) but the retrieval works against any account number she supplies. The question for Maya: is this finding inside the scope or outside?
Three considerations. First, the API endpoint she’s exploiting is under api.example.com, which is unambiguously in-scope per the published list. Second, the bypass produces metadata that identifies other customers — which is, in the strict reading of the “do not authorize testing of systems that handle our customers’ personal data” clause, exactly what the program prohibits. Third, the metadata she’s retrieved is from accounts that she created (using throwaway email addresses to test the bypass against multiple known account numbers), so the “customers’ personal data” element is technically empty — but the bypass would let her retrieve real customer metadata if she chose to.
Maya’s discipline here is the bug-bounty-edge tradecraft she’s developed over five years of program work:
- She has not retrieved real customer metadata. Every account she’s queried is one she created. The finding is demonstrably exploitable against real accounts (she could query account 12345 and get the result), but she has not actually done so.
- She has documented the limit she stopped at. Her working notes include the explicit statement “stopped at exploiting against own-created accounts; did not query real customer account numbers.”
- She is filing the report through HackerOne’s standard pipeline, with the finding flagged as “potentially out-of-scope under §X of program rules — researcher’s interpretation: in-scope based on endpoint listing; conservative interpretation: out-of-scope based on customer-data clause; requesting program-team determination.”
The “request program-team determination” framing is the load-bearing tradecraft. By flagging the ambiguity proactively, Maya converts a potentially-out-of-scope finding into a program-team discussion; the program team can either confirm the finding is in-scope (in which case it pays a bounty under the standard process) or flag it as out-of-scope (in which case Maya’s record shows she stopped at the edge in good faith). The pattern is well-developed in the bug-bounty community and is the canonical “edge of scope” working discipline.
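The authorization gap in Maya's finding, modelled as an added example (not the provider's code): an in-memory account-metadata endpoint in its vulnerable form, the hardened form that binds the lookup to the caller's own account, and the access-log check a program team could run to spot one session reading other tenants' accounts. Account numbers, organisation names, session tokens and the log layout are all constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    account_id: int
    org_name: str
    created: str
    plan_tier: str
    seat_count: int

class NotFound(Exception):
    """Account missing; the hardened handler also raises it for other tenants' accounts."""

class Unauthenticated(Exception):
    """No valid session token."""

# Constructed sample tenants (not real customers). 1001 stands in for the
# researcher's own throwaway org; 1002 and 1003 stand in for other customers.
ACCOUNTS = {
    1001: Account(1001, "maya-test-org", "2026-02-20", "free", 1),
    1002: Account(1002, "Contoso Ltd", "2021-06-01", "enterprise", 480),
    1003: Account(1003, "Fabrikam Inc", "2023-11-14", "team", 25),
}
# session token -> account the session is authenticated to (constructed)
SESSIONS = {"sess-maya": 1001, "sess-contoso": 1002, "sess-probe": 1003}

def _authenticate(session_token: str) -> int:
    if session_token not in SESSIONS:
        raise Unauthenticated(session_token)
    return SESSIONS[session_token]

def _serialize(acct: Account) -> dict:
    # The limited metadata fields the finding exposed: org, creation date, tier, seats.
    return {"org": acct.org_name, "created": acct.created,
            "plan": acct.plan_tier, "seats": acct.seat_count}

def get_metadata_vulnerable(session_token: str, account_id: int) -> dict:
    """Authenticates the caller but never checks that account_id is theirs."""
    _authenticate(session_token)
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        raise NotFound(account_id)
    return _serialize(acct)

def get_metadata_hardened(session_token: str, account_id: int) -> dict:
    """Authenticates, then binds the lookup to the caller's own account."""
    caller = _authenticate(session_token)
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.account_id != caller:
        # One response for "not yours" and "does not exist", so the endpoint
        # cannot be used to confirm which account numbers are live.
        raise NotFound(account_id)
    return _serialize(acct)

def denied(handler, session_token: str, account_id: int) -> bool:
    """True when the handler refuses the lookup with NotFound."""
    try:
        handler(session_token, account_id)
    except NotFound:
        return True
    return False

# --- Detection side: what the program team can look for in API access logs ---
LOG_RE = re.compile(
    r"sess=(?P<sess>\S+) GET /v1/accounts/(?P<acct>\d+)/metadata (?P<status>\d{3})"
)

def foreign_reads_per_session(log_lines, sessions=SESSIONS) -> dict[str, set[int]]:
    """Map each session to the set of accounts, other than its own, it read with a 200."""
    seen: dict[str, set[int]] = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m is None or m["status"] != "200":
            continue
        sess, acct = m["sess"], int(m["acct"])
        if sessions.get(sess) != acct:
            seen.setdefault(sess, set()).add(acct)
    return seen

# Constructed access-log sample from the vulnerable build; the URL path and
# field layout are invented for the example.
SAMPLE_LOG = [
    "2026-03-04T10:02:11Z sess=sess-maya GET /v1/accounts/1001/metadata 200",
    "2026-03-04T10:03:40Z sess=sess-contoso GET /v1/accounts/1002/metadata 200",
    "2026-03-04T10:05:02Z sess=sess-probe GET /v1/accounts/1001/metadata 200",
    "2026-03-04T10:05:03Z sess=sess-probe GET /v1/accounts/1002/metadata 200",
    "2026-03-04T10:05:04Z sess=sess-probe GET /v1/accounts/1003/metadata 200",
    "2026-03-04T10:05:05Z sess=sess-probe GET /v1/accounts/1999/metadata 404",
]

if __name__ == "__main__":
    print(get_metadata_vulnerable("sess-maya", 1002))        # leaks Contoso's metadata
    print(denied(get_metadata_hardened, "sess-maya", 1002))  # True
    print(foreign_reads_per_session(SAMPLE_LOG))             # {'sess-probe': {1001, 1002}}
```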
The afternoon work is unrelated — a different program, a different finding. Maya rotates programs aggressively because she’s found that the marginal-value-of-time on any single program decreases sharply after the first month of active hunting. Her portfolio of active programs is roughly twenty at any time; she rotates through them based on recent activity, recent program-rule changes, and her sense of “where there’s still uncaptured low-hanging fruit.” The variety is what keeps the work intellectually sustainable.
By 5:00 PM Maya has filed the morning’s report and made progress on the afternoon’s. The program-team determination for the morning’s finding will probably come back within 24–48 hours; if it’s in-scope, the bounty (her best guess: $4,000–$8,000 for a finding of this class) will arrive within 30 days. If it’s out-of-scope, the program team may pay a small “thank you” bounty for the responsible-edge-discipline disclosure, or may ask Maya to delete her working notes; the deletion-request pathway is well-handled in the community.
The differences from Emily’s evening rhythm (Vol 6 §5.3) are substantial. Emily works inside-the-scope and finds well-defined IDORs; Maya works at-the-edge and navigates the disclosure-determination pathway as part of her finding’s lifecycle. Emily’s bounty income is supplementary; Maya’s is primary. Emily treats program rules as fixed boundaries; Maya treats them as a starting position for a negotiation. The two researchers are both white-hat-by-program-scope, but Maya’s posture is, in the moral-and-tradecraft sense, closer to grey-hat work than Emily’s is.
5.2 The independent researcher with no formal scope
Jordan is an independent vulnerability researcher with a part-time consulting practice and a substantial DEF CON / Black Hat speaking record. He doesn’t operate under bug-bounty programs primarily — he targets categories of systems (industrial protocols, automotive ECUs, consumer IoT, medical devices) where bug-bounty programs are sparse or nonexistent. His research is independently motivated, independently funded (his consulting practice is the income; the research is his interest), and disclosed through some combination of vendor coordination (when there’s a vendor with an obvious VDP), CERT/CC mediation (when the vulnerability affects multiple vendors), and DEF CON / Black Hat presentation (when the work is broad enough for a conference talk).
A typical Tuesday for Jordan is structurally different from Sarah’s (Vol 6 §5.1) consultancy day, David’s (Vol 6 §5.2) in-house red-team day, Emily’s (Vol 6 §5.3) bounty evening, or Maya’s (§5.1 above) full-time bounty hunting. Jordan’s week structure has long stretches of focused research punctuated by sparse outreach, conference-talk preparation, occasional consulting engagements, and the disclosure-pathway navigation that recurs as findings mature.
This Tuesday Jordan is six weeks into a research project on a specific category of consumer IoT — a class of internet-connected security cameras manufactured by a Chinese OEM and sold globally under perhaps fifteen different brand labels (the white-label OEM pattern that recurs in consumer IoT). His starting hypothesis: cameras in this product family have a hardcoded default credential that’s not actually disabled when the user “changes” the password through the app. He’s been working through a sample population of devices acquired second-hand on eBay and Goodwill (a deliberate choice — the devices are post-consumer and the original owner has no continuing interest in them, which substantially reduces the “you broke into someone’s camera” framing).
The morning’s work is firmware analysis. He extracted the firmware from one of the devices last week (a standard procedure: identify the flash chip, dump it via a hardware programmer, decompose the image with binwalk and firmware-mod-kit); today he’s working through the resulting filesystem to identify the credential-storage path. His tooling: Ghidra for binary analysis of the auth-related binaries (the firmware is ARM, mostly unstripped — a fortunate accident of the OEM’s build pipeline), Python scripts for the various data extraction passes, and an extensive working journal that documents every observation and every assumption tested.
By midday he’s confirmed the hypothesis. The cameras have a factory credential pair (admin / 888888) that is reachable through the device’s web-administration interface on a specific port (8080, in some firmware versions; 80 in others) regardless of whether the user-facing app has been used to change the password. The user-facing password applies to the app’s connection path; the web-administration interface uses a separate credential database that the app never touches. The user thinks they’ve changed the password; the underlying admin interface remains exposed to anyone who can reach the device’s IP on the right port.
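The morning's filesystem pass and the midday result, as an added example rather than Jordan's own tooling: a triage script that walks an extracted rootfs, reports every file that looks like a credential store, and makes the two-store design (the app's password store and a separate web-admin store) visible in the output. The sample rootfs is constructed in a temporary directory, the hash is a labelled placeholder, and the credential key-name heuristic is an assumption of the example.

```python
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Config keys that usually name a credential in the flat key=value files
# embedded-Linux camera firmware carries. A working heuristic for this
# example, not a complete list.
CRED_KEY_RE = re.compile(
    r'^\s*(?P<key>[\w.]*(?:user|pass|pwd|password|admin|login)[\w.]*)'
    r'\s*[=:]\s*"?(?P<val>[^"\s#]+)"?',
    re.IGNORECASE,
)
# Password-field values in passwd/shadow that do not represent a usable password.
LOCKED_OR_DEFERRED = {"x", "*", "!", "!!", "*LK*"}
PASSWD_LIKE = {"passwd", "shadow", "passwd-", "shadow-"}

@dataclass(frozen=True)
class Finding:
    path: str    # relative to the extracted root
    kind: str    # "shadow-hash" | "empty-password" | "config-credential"
    detail: str

def _is_text(path: Path, probe: int = 2048) -> bool:
    with path.open("rb") as fh:
        return b"\x00" not in fh.read(probe)

def _scan_passwd_like(rel: str, text: str) -> list[Finding]:
    out = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            out.append(Finding(rel, "empty-password", user))
        elif pw not in LOCKED_OR_DEFERRED:
            # A hash baked into the image is identical on every unit shipped,
            # so it is a shared credential whether or not it is ever cracked.
            out.append(Finding(rel, "shadow-hash", f"{user}:{pw[:6]}..."))
    return out

def _scan_config(rel: str, text: str) -> list[Finding]:
    out = []
    for line in text.splitlines():
        m = CRED_KEY_RE.match(line)
        if m is not None:
            out.append(Finding(rel, "config-credential", f"{m['key']}={m['val']}"))
    return out

def locate_credential_stores(root: Path) -> list[Finding]:
    """Walk an extracted rootfs and report every file that looks like a credential store."""
    findings: list[Finding] = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file() or not _is_text(path):
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors="replace")
        if rel.startswith("etc/") and path.name in PASSWD_LIKE:
            findings.extend(_scan_passwd_like(rel, text))
        else:
            findings.extend(_scan_config(rel, text))
    return findings

def credential_store_paths(findings: list[Finding]) -> set[str]:
    """Distinct files holding credentials; more than one store is the design smell."""
    return {f.path for f in findings}

def build_sample_root(base: Path) -> Path:
    """Constructed stand-in for an extracted camera rootfs (not a real image)."""
    root = base / "rootfs"
    files = {
        "etc/passwd": "root:x:0:0:root:/:/bin/sh\nadmin:x:0:0::/:/bin/sh\n"
                      "nobody:x:99:99::/:/bin/false\n",
        "etc/shadow": "root:$1$salt$CONSTRUCTED_PLACEHOLDER_HASH:10933:0:99999:7:::\n"
                      "admin:!:10933:0:99999:7:::\n",
        # Store the mobile app rewrites when the owner "changes the password".
        "mnt/config/app_user.conf": "user=owner\npassword=UserPickedThis1\n",
        # Separate store read by the web-admin daemon; the app never touches it.
        "etc/webs/admin.conf": "admin_user=admin\nadmin_pass=888888\nport=8080\n",
    }
    for rel, content in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(content)
    # A binary, to show the text filter skips it (ELF magic plus a NUL byte).
    (root / "usr/bin").mkdir(parents=True, exist_ok=True)
    (root / "usr/bin/webs").write_bytes(b"\x7fELF\x00constructed")
    return root

def run_demo() -> list[Finding]:
    with tempfile.TemporaryDirectory() as tmp:
        return locate_credential_stores(build_sample_root(Path(tmp)))

if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.kind:18} {f.path:28} {f.detail}")
```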
The Wednesday-and-Thursday work will be vendor identification. The white-label OEM pattern means the firmware was authored by one entity but the devices are sold by many; Jordan needs to identify the OEM (not always easy when consumer-IoT documentation is sparse) and then identify the brand-labeled vendors who would need to push firmware updates. This is the kind of work CERT/CC excels at — they have established channels into many consumer-IoT OEMs that an individual researcher does not — and Jordan will likely engage CERT/CC for the multi-vendor coordination once he has the OEM identified.
The disclosure decision point for Jordan, when the research is mature enough to disclose, is: CERT/CC-mediated coordinated disclosure with a 90-day deadline. He’ll publish the technical detail at the next available DEF CON (or CCC, depending on timing) after the deadline expires. The deadline mechanism is what makes the disclosure pathway actually work — without it, the consumer-IoT OEM has no incentive to patch (the patch costs money; the disclosure is the only thing that creates business pressure to fix). The 90-day window is the structural innovation that has converted grey-hat IoT research from an obscure activist activity to a substantially-mainstream industrial process.
Jordan’s day job — the part-time consulting practice — fills the rest of his week. He carries OSCP and a couple of more-advanced practical certs; his consulting clients are mostly enterprise security teams who need ad-hoc deep-dives on specific protocols or platforms; the consulting work funds the research time. The arrangement is increasingly common in the senior independent-researcher population (the canonical examples — Mark Dowd’s Azimuth Security, Charlie Miller’s pre-Twitter independent period — followed similar patterns).
Jordan’s posture across the day is unambiguously grey-hat — he is conducting unauthorized research against devices whose OEM has not authorized it — but his methodology is the most mature version of the grey-hat-to-coordinated-disclosure pathway. The acquisition-from-second-hand-market discipline is one structural choice that minimizes the conduct’s most-objectionable edges; the CERT/CC coordination is another; the public-disclosure-after-90-days deadline is a third. The cumulative effect is research that, while technically unauthorized, presents the smallest possible “good-faith research” fact pattern that the 2022 DoJ policy contemplates.
5.3 The “I hacked it to prove it” actor
Alex is a researcher whose career has had a different shape from Maya’s or Jordan’s. Approximately a decade ago, in Alex’s mid-twenties, he discovered a serious vulnerability in a major U.S. corporation’s customer-facing infrastructure — the kind of finding that, in the bug-bounty era, would have been worth a substantial five-figure bounty. The corporation had no bug-bounty program at the time and had a published “report security issues here” channel that, in Alex’s experience, simply did not respond.
Alex made what he believed at the time was a constructive decision: he published the vulnerability technical detail, with working proof-of-concept code, on his personal blog and to a Twitter audience that included several security journalists. The disclosure was unilateral — no advance vendor notification (Alex had given up after the unresponsive channel; he made no further attempts before publication) and no coordination with any third party. His framing in the published post was explicitly “hacked it to prove it was broken; the vendor refuses to engage; here’s the detail so the public can protect themselves.” Two reporters (Brian Krebs and one other) covered the story; the corporation’s stock dropped briefly; the patch was deployed within forty-eight hours; the public news cycle moved on within a week.
What did not move on was the corporation’s legal response. Three months later, Alex was served with a civil complaint under the CFAA’s private cause of action at 18 U.S.C. § 1030(g) — the same statute the DoJ uses for criminal prosecution, applied as a private civil suit. The complaint alleged unauthorized access, sought $X million in damages (where X was a number Alex would not previously have believed was possible to claim), and named Alex personally rather than any pseudonymous identity. The corporation’s legal calculation was that the public-disclosure-as-coercion framing was unsympathetic enough to a jury that they could pursue civil damages without the criminal prosecution that the DoJ had (then) declined to pursue.
Alex’s defense — managed pro bono by the EFF’s Coders’ Rights Project — argued that the conduct was good-faith security research, that the corporation’s failure to engage with the published vulnerability-disclosure channel constituted abandonment of the implicit prohibition, and that the public-disclosure was the only available pathway given vendor unresponsiveness. The case settled four years later for an undisclosed sum (Alex believes the settlement is in the low five figures, far below the original demand but not zero). Alex’s own legal costs across the four years were substantial; the EFF representation covered the legal-fee tier but not the lost-time cost.
In the years since the case settled, Alex has continued security research but with substantially different discipline. He now operates exclusively under bug-bounty programs or under coordinated-disclosure relationships established before any research begins. He explicitly identifies the experience as the one that converted him from “public-stunt grey-hat” to “program-only researcher”; he speaks about it at conferences (carefully — the settlement included a partial-nondisclosure provision that constrains what he can say about the specific corporation, but not the general pattern). His posture today is, technically, white-hat-by-program-scope.
The lesson the Alex composite carries: the “I hacked it to prove it” public-disclosure stunt is the most legally exposed grey-hat posture even when the prosecutor declines to charge. Civil liability is the residual exposure, and civil liability is uncapped. The 2022 DoJ policy does not bind private plaintiffs. The four-year multi-million-dollar civil action against a researcher whose conduct was technically constructive is the cautionary case the §1.1 callout warns about; Alex’s experience is composite but the pattern is documented (Andrew Auernheimer / weev in §7.4 is the criminal-prosecution version; the civil-only version is less famous but more common — Sony BMG v. Reardon type configurations, the Pirate Bay / Sweden civil-prosecution-by-rights-holders pattern, the EU “right to be forgotten” civil cases that have caught security researchers in their net).
Alex’s trajectory — from grey-hat-public-stunt through civil litigation to program-only researcher — is the most-exposed example of the grey-to-white conversion pathway §6 will treat at depth. The conversion happened, but at substantial cost; the cost is what makes the white-hat-by-program-scope discipline that Maya and Emily operate in look like the smart-defaults configuration that it is.
5.4 Comparing the three rhythms
Three grey-hat working postures — the comparison. Maya’s bug-bounty-edge work is fast-paced, multi-program, and operates inside the bug-bounty institutional infrastructure — the closest-to-white-hat of the three. Jordan’s independent-research work is slow-paced, single-project-for-months, and uses CERT/CC and the conference circuit to navigate the disclosure pathway — the canonical mature grey-hat configuration. Alex’s earlier public-stunt work was the most exposed of the three and produced the cautionary trajectory — the §7.4 weev / Auernheimer case is the canonical extreme version of this configuration. The three configurations share the grey-hat-by-Axis-1-stance signature but differ substantially in their day-to-day texture, their disclosure pathway, and their legal-and-civil exposure. The trajectory of mature grey-hat researchers in 2026 is increasingly toward Maya’s bug-bounty-edge posture (the highest-margin / lowest-exposure path) and Jordan’s CERT/CC-mediated posture (the mature independent-researcher path); the Alex-style unilateral-public-stunt path persists, but at a much smaller fraction of working-researcher activity.
6. How they get hired — the grey-to-white conversion pathway
The grey-hat-to-white-hat career conversion is, in 2026, the single most-documented professional pathway in the security industry. The pattern is well-attested in industry interviews (Risky Business, Darknet Diaries, Recon Village, DEF CON / Black Hat speaker bios, the broader podcast-and-blog circuit) and in the working population of senior security researchers — many of whom describe a career that began with unauthorized exploration in their teens or early twenties and matured into bug-bounty-and-consulting work and eventually into in-house security roles. This section walks the conversion pathway through four canonical legitimization mechanisms, the legal-exposure framing that limits how aggressive the conversion can be in 2026, and the credential and portfolio considerations that intersect with Vol 6 §6’s white-hat treatment.
6.1 Bug bounty as the formal legitimization
The bug-bounty industry — HackerOne (founded 2012 by Alex Rice, Merijn Terheggen, Michiel Prins, Jobert Abma), Bugcrowd (Casey Ellis, 2011/12), Synack (2013), Intigriti (2016, EU-focused), YesWeHack (2013, EU-focused), and the company-direct programs — is the structural innovation that has, since approximately 2015, converted a substantial fraction of grey-hat work into white-hat work under program scope [14]. Vol 4 §5 walked the platform history at depth; Vol 6 §6.4 walked the bug-bounty career mode as a white-hat configuration. This section focuses on the grey-to-white conversion mechanism that bug-bounty programs provide.
The conversion mechanism works in two ways:
- Forward conversion: a researcher’s first authorization envelope. A practitioner who would have, in 1998, hunted for vulnerabilities without authorization and disclosed through Phrack or Bugtraq, in 2026 signs up for HackerOne, picks a program with a clearly-published scope, and operates inside that scope. The bug-bounty platform provides the authorization envelope (scope + safe-harbor language) that the practitioner could not have produced for themselves. The same technical work that was grey-hat in 1998 is white-hat in 2026 by virtue of the platform’s intermediation.
- Backward conversion: legitimizing past grey-hat work. A practitioner who discovered a vulnerability through unauthorized research and is now considering disclosure can, in many cases, route the disclosure through the affected vendor’s bug-bounty program (or through HackerOne’s Disclose program, which accepts disclosures even for vendors without published programs). The disclosure-through-program pathway substantially reduces legal exposure compared to direct unauthorized-disclosure pathways. Whether the program will pay a bounty for research conducted before the disclosure is program-specific; some programs explicitly disqualify out-of-scope-by-time findings, others pay the standard bounty regardless, others negotiate ad-hoc. The conversion-of-past-findings is well-handled in the community.
The bug-bounty platform’s safe-harbor language is the load-bearing legal element. The canonical HackerOne safe-harbor template [15] commits the participating organization to:
- Authorizing good-faith research as in-scope under CFAA and similar statutes
- Not pursuing legal action against researchers who follow the program’s rules
- Working with the researcher to clarify ambiguous scope
- Acknowledging the researcher’s contribution publicly (subject to disclosure preferences)
The safe-harbor language is not a CFAA exemption — only Congress can provide that — but it functions as a binding contract between the participating organization and the researcher that the organization will not pursue legal action against research conducted within scope. The contract does not bind the DoJ (which retains independent statutory authority) but does bind the organization’s civil-litigation pathway. The 2022 DoJ policy framework explicitly recognized bug-bounty-program participation as a strong indicator of good-faith research [3].
The bug-bounty platforms collectively cover a substantial fraction of the modern internet’s high-value attack surface — every major SaaS provider, every major cloud platform, most major financial-services providers, most major government agencies through bug-bounty-program intermediation. The category that remains under-covered: consumer IoT (because the manufacturers are often offshore and lack the security-program maturity), industrial protocols (because the ICS market is conservative and bug-bounty adoption has been slow), and various legacy-enterprise environments. The Jordan composite of §5.2 operates specifically in the under-covered space because that’s where the platform-mediated conversion-of-grey-to-white pathway is unavailable.
6.2 CVE disclosure as the portfolio signal
The second canonical legitimization pathway is published CVEs — the vulnerability records assigned through the MITRE CVE Numbering Authorities (CNAs) and listed in the National Vulnerability Database (NVD). A working grey-hat researcher’s portfolio in 2026 is, increasingly, a list of CVE identifiers with the researcher named as discoverer; the CVE list is the canonical evidence-of-skill artifact that hiring managers in offensive-security roles weight most heavily.
The CVE-disclosure pathway works whether or not the underlying research was conducted under bug-bounty scope:
- Bug-bounty-disclosed CVE. A finding submitted through HackerOne or equivalent, accepted by the program, eventually published as a CVE (some programs assign their own CVEs as CNAs; others let MITRE do the assignment). The researcher’s name appears in the CVE record. This is the modal pathway in 2026.
- CERT/CC-mediated CVE. A finding disclosed through CERT/CC, eventually published as a CVE via the CERT/CC CNA. The Jordan composite of §5.2 produces CVEs through this pathway.
- Vendor-direct CVE. A finding disclosed through a vendor’s VDP, eventually published as a CVE via the vendor’s CNA (Microsoft, Adobe, Cisco, Google, and many other vendors are CNAs). The researcher’s name appears in the CVE record.
- Independent CVE. A finding for which the researcher requests a CVE directly from MITRE without vendor cooperation. The pathway exists but is less common; MITRE will assign CVEs for genuine vulnerabilities even when the vendor disputes them.
The CVE list functions, in the offensive-security hiring market, as the practical-skill credential that the formal certifications of Vol 6 §6.1 sometimes don’t capture. A candidate with three OSCPs and no CVEs is competitive for entry-level positions; a candidate with two CVEs and no OSCPs is often more competitive for the same positions because the CVEs are external-validation of actual vulnerability-discovery skill. The hiring market’s increasing reliance on CVE-as-credential is one of the structural reasons the grey-to-white pathway works in 2026.
6.3 Conference talks as the public-recognition pathway
The third canonical legitimization pathway is conference talks — DEF CON, Black Hat, CCC (Chaos Communication Congress), RECon, USENIX Security, NDSS, ACSAC, and the broader academic-and-industry security-conference circuit. A researcher who has presented a substantial talk at any major venue carries permanent professional recognition; a researcher with multiple talks across multiple venues is in a hiring-market position substantially stronger than the credential-only candidate.
The conference-talk pathway has structural-grey-hat-friendly properties:
- The venues largely treat unauthorized research as research-by-default. DEF CON and Black Hat in particular operate from the implicit assumption that the technical content presented is good-faith research regardless of authorization status. The conference review process focuses on technical-quality-and-novelty rather than authorization-status; the audience perception is similar.
- The conference presence is the modal public-record artifact. Conference talks are the public-record signal that the researcher exists, has done work, and is part of the practitioner community. The 2017 DEF CON Marcus Hutchins arrest (Vol 6 §7.5; Vol 7 §2.3) was the post-conference-arrest pattern that complicates this — the conference attendance can in some cases produce exposure for actors with prior unrelated black-hat-era conduct — but the conference itself functions as a research-recognition venue, not an enforcement venue.
- The conference circuit has its own informal credential ladder. First time at DEF CON’s main track is itself a credential; multiple DEF CON or Black Hat talks across years signal increasing seniority. The Pwn2Own competition (Vol 4 §3.4) is the most-watched annual venue; CCC-track talks are the canonical European equivalent.
The Jordan composite of §5.2 explicitly uses the conference circuit as a primary outcome pathway — the 90-day deadline mechanism builds the disclosure timeline around the next available DEF CON or CCC slot. The pattern is well-developed in the senior independent-researcher population.
6.4 Direct recruitment from disclosure track record
The fourth legitimization pathway is direct recruitment — a researcher whose CVE list, conference-talk record, or specific high-profile finding catches the attention of a hiring manager who reaches out directly. The pathway is the highest-friction (it requires the researcher to have produced sufficient signal) and the highest-value (the recruitment is for a specific position with specific compensation negotiated against the researcher’s demonstrated capability).
The direct-recruitment pathway operates differently across sectors:
- Private-sector security firms (consultancies, in-house red teams, security-product vendors) recruit aggressively from the conference-talk and CVE-disclosure population. The recruitment timing is opportunistic — a notable finding produces a recruitment cycle; a quiet year produces no offers.
- U.S. federal government offensive-operations roles (NSA TAO, USCC, DoD red teams, occasional FBI cyber) recruit from the disclosure population with clearance-and-classification overlays that change the working day substantially. Vol 6 §6.4 walked the government-recruitment pattern from the white-hat side; the grey-to-government pathway has the additional complication that historical grey-hat-era conduct can produce clearance-investigation findings. The general principle is that conduct that has been publicly disclosed and resolved (a CVE assignment; an academic-paper publication; a coordinated-disclosure track record) is much less of a clearance issue than undisclosed-or-shadowy work. Some researchers explicitly maximize disclosure precisely to clear the clearance-investigation pathway.
- Cybersecurity-product vendors recruit specialized researchers for their specific product domains — Microsoft for Windows-internals researchers, Google for Chrome and Android, Apple for macOS and iOS, and so on. The recruitment is often through the vendor’s bug-bounty program — a researcher whose findings the vendor has paid for becomes a known quantity, and the vendor’s recruiter reaches out.
- Academic positions in security-research labs (CMU, MIT, Stanford, Berkeley, ETH, KU Leuven, and many others) recruit from the academic-and-industry boundary; the researcher’s CVE-and-paper-track-record is the load-bearing signal. The academic pathway has a longer-cycle structure (PhD program → faculty position) that doesn’t directly apply to most working researchers but is the canonical path for the deepest-technical figures.
6.5 The legal-exposure ceiling on the conversion pathway
The grey-to-white conversion pathway works in 2026 because the legal-exposure framing has shifted in researcher-friendly directions across the 2010s and 2020s:
- The 2022 DoJ policy update (Vol 4 §5.3) provides prosecutorial discretion for good-faith security research at the federal level.
- The Project Zero 90-day coordinated-disclosure norm has been adopted across most major vendors; the structural pressure is for vendors to engage rather than litigate.
- The bug-bounty platforms have made the program-and-safe-harbor configuration the modal authorization mechanism for independent research; the platform-mediated pathway substantially reduces legal exposure.
- The post-2018 GDPR-and-equivalent regulatory environments have given researchers some implicit cover for research that touches personal data — a researcher who reports a data-breach finding is sometimes positioned as a protection for affected data subjects rather than an attacker.
But the legal-exposure framing is not a hard ceiling. The risks that persist in 2026:
- State-level prosecution. Federal policy does not bind state prosecutors. The grey-hat researcher operating against a target with strong relationships in the local state law-enforcement community can face state-level charges where the federal level would decline. The undermapped nature of state-level CFAA-equivalent exposure is a recurring researcher-community concern.
- Civil liability. Section 1030(g)’s private cause of action is independent of the DoJ; affected organizations retain the right to pursue civil action regardless of federal-policy choices. The Alex composite of §5.3 walks this case.
- International exposure. A U.S.-based researcher targeting a non-U.S. organization can face foreign-jurisdiction prosecution that U.S. domestic policy doesn’t address. Several historically-significant cases (Sklyarov 2001 / DMCA; the Operation Bayonet / Hutchins 2017 international-arrest pattern) illustrate the exposure pattern.
- Vendor-side legal pressure short of litigation. Even where vendors don’t pursue formal civil action, the threat of action — DMCA §1201 anti-circumvention claims, trade-secret claims under the 2016 Defend Trade Secrets Act, copyright claims — can produce substantial researcher cost without ever reaching court. The EFF Coders’ Rights Project [16] is the canonical legal-defense resource for researchers facing this configuration.
The conversion pathway works, but it works inside a legal-exposure envelope that the researcher does not control. The §6.4 mature-grey-hat configuration is the one that maximally manages within the envelope; the §5.3 public-stunt configuration is the one that exits the envelope and accepts the consequence.
6.6 The pathway matrix
| Pathway | Time-to-stable-income | Pre-conversion income | Legal exposure | Notable examples |
|---|---|---|---|---|
| Bug-bounty as primary | 1–3 years from first-CVE-disclosed to stable bounty income | Researcher’s day-job baseline; bounty income builds gradually | Lowest of the four — platform safe-harbor + 2022 DoJ policy + civil-exposure-reduced via vendor cooperation | Maya (§5.1) composite; many HackerOne top-100 researchers; the broader Hack the Pentagon (2016+) cohort |
| CVE-disclosure portfolio → consulting | 2–4 years to consultancy associate; 4–7 to senior | Day-job baseline; CVE work is unpaid until conversion | Moderate — the underlying research’s CFAA exposure persists; coordinated-disclosure pathway mitigates | Mark Dowd → Azimuth Security; Justin Schuh; many of the figure-7 senior-researcher cohort |
| Conference-talk track → direct recruitment | 3–5 years from first major talk to senior position | Day-job baseline; talk work is unpaid until recognition produces offers | Moderate — the conference circuit is research-recognition-friendly; the actor’s prior conduct is the variable | Joanna Rutkowska → Invisible Things Lab; HD Moore (Vol 6 §7.3); many DEF CON speakers’ senior-position pathways |
| High-profile single finding → recruitment | Variable; sometimes instant, often years | Often pre-career or early-career; the finding is the conversion event | Moderate-to-high — single high-profile findings produce both recruitment-interest and litigation-interest | Kaminsky’s pre-2008 trajectory; many of the Pwn2Own competitors; some of the early Project Zero hires |
Table 8.4 — The four canonical grey-to-white legitimization pathways with time, income, exposure, and example mapping. The pathways are not mutually exclusive — most senior researchers walked at least two of them across a career — and the “time-to-stable-income” column is approximate, varying substantially by individual capability and luck. The “notable examples” column draws from §7 and from the Vol 6 §7 white-hat-side roster; many of the figures in those rosters had grey-hat phases earlier in their careers.
6.7 Certifications and credentials — the difference from Vol 6 §6.1
Vol 6 §6.1 walked the certification ladder (OSCP / PNPT / CRTO / OSEP-OSCE-OSED-OSEE / SANS GIAC / CISSP / CEH / CompTIA Security+) for the white-hat hiring market. The grey-to-white conversion pathway uses the same certifications but with different weighting:
- The OSCP and the practical-exam-tier credentials function the same way they do for the white-hat market — they demonstrate hands-on competence and open the entry-level door.
- The disclosure-track-record portfolio is, however, a much stronger signal than the cert alone for senior positions. A candidate with no OSCP but five published CVEs and two DEF CON talks is competitive for senior independent-research and consultancy-senior positions; the certs are not the load-bearing signal.
- The CISSP and the management-tier credentials play essentially no role in the grey-to-white pathway. CISSP is for management positions that the grey-hat-converter typically does not enter through the conversion pathway; the conversion goes to working-researcher and senior-researcher roles where CISSP is irrelevant.
- The certs that demonstrate offensive specialization (CRTO, OSEP, OSED, OSEE) are weighted similarly to the white-hat market — they signal the candidate has specific advanced skills. The disclosure track record is, again, the dominant variable.
The summary, as Vol 6 §6.1’s closing observation already noted: the credential market is the floor; the portfolio is the differentiator. In the grey-to-white conversion case, the portfolio is the disclosure track record — CVEs, conference talks, public-research publication. The certs are useful but not load-bearing; the disclosure history is the load-bearing signal.
6.8 Forward reference to Vol 18
Vol 18 (Careers), when authored in Phase 3, will treat the synthesis career pathway across all the hat colors — the white / grey / blue / red / purple working-career configurations as a single integrated framework. The grey-to-white conversion pathway will be one element of the broader career synthesis; the bug-bounty career mode of Vol 6 §6.4 and §6.1 above will be another; the in-house and consultancy modes of Vol 6 §6.4 will be a third. The cross-hat pattern is that most senior security careers in 2026 walked at least two and often three of these pathways; the modal career arc is something like “early grey-hat exploration → bug-bounty conversion → consultancy → in-house seniority → late-career independent”. The full synthesis treatment is in Vol 18; this section’s grey-to-white treatment is the input that Vol 18 will integrate.
7. Famous figures
A short roster of grey-hat practitioners (and one institutional case, and one cautionary case) whose work shaped the field. The selection emphasizes figures whose career trajectory is documented in public record, whose work is principally in the unauthorized-but-constructive position on Axis 1, and whose handling of the disclosure decision point is itself instructive. The intent is not exhaustive — the grey-hat practitioner population is large and the figures here are illustrative — but to ground the abstract definitional and methodological treatment of §§1–6 in real careers.
Career-position claims for living researchers are accurate as of early 2026; verify current employer via the cited footnote primary sources before relying on this for outreach.
7.1 L0pht Heavy Industries — the canonical grey-hat collective

Figure 8.2 — Cris Thomas (Space Rogue), L0pht alumnus and one of the May 19, 1998 Senate testifiers. File:American hacker Space Rogue (Cris Thomas).jpg by Eatoz. License: CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0). Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3AAmerican%20hacker%20Space%20Rogue%20(Cris%20Thomas).jpg).

Figure 8.3 — Peiter “Mudge” Zatko at DARPA. File:Peiter Zatko at DARPA.jpg by DoD. Pentagon official photo created as part of official duties as a US govt employee. License: Public domain. Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3APeiter%20Zatko%20at%20DARPA.jpg).
L0pht Heavy Industries — founded approximately 1992 in Boston as a shared hacker workspace by Brian Oblivion, Count Zero, and several others, with the membership stabilizing across the early-1990s — is the canonical grey-hat collective institution. Vol 3 §6.5 and Vol 5 §5.3 walked the historical material at depth; this profile focuses on what L0pht meant for the grey-hat-as-category framing.
The collective operated as a research workspace where membership conducted vulnerability research against commercial software and disclosed through advisories, Phrack articles, and the L0pht’s own Security Advisories. The disclosure practice was often full-disclosure — publication of technical detail simultaneously with vendor notification, deliberately confrontational toward vendors whose security posture was inadequate. L0pht’s L0phtCrack (Windows password cracker, originally released 1997 by Mudge) was the canonical tool released through this workflow and became one of the foundational artifacts of the commercial pentest industry that subsequently formed17.
The May 19, 1998 Senate testimony6 — the canonical seven testifiers Brian Oblivion, Kingpin (Joe Grand), Mudge (Peiter Zatko), Space Rogue (Cris Thomas), Stefan von Neumann, John Tan, and Weld Pond (Chris Wysopal) appearing before the Senate Committee on Governmental Affairs at the hearing titled “Weak Computer Security in Government: Is the Public at Risk?” — is the inflection point at which grey-hat-as-category became institutionally visible. The “take down the Internet in 30 minutes” line was the press-friendly summary; the substantive content was a structural critique of commercial-software vendor security posture and a proposal for government engagement with the security-research community.
Commercialization arrived in early 2000. The collective merged with @stake, the Boston security-consulting firm that became one of the canonical first-generation pentest consultancies (covered in Vol 4 §2.2). Symantec acquired @stake in 2004 and folded the practice into its consulting arm. The L0pht alumni’s subsequent careers represent the canonical grey-to-white conversion pathway:
- Mudge / Peiter Zatko joined DARPA in 2010, leading the Cyber Fast Track program; subsequently moved through Google (2013–2015), Stripe (head of security 2015–2020), Twitter (head of security 2020–2022, with the contested 2022 departure and whistleblower disclosure), CISA (Senior Technical Advisor, September 2023–), and returned to DARPA as Chief Information Officer (August 2024 onward, as of early 2026)18. The trajectory is the canonical “grey-hat collective alumnus into mainstream tech-and-government security” path.
- Chris Wysopal / Weld Pond co-founded Veracode in 2006, which became one of the largest application-security companies. The ownership chain: Computer Associates acquired Veracode in March 2017 ($614M); Broadcom acquired CA Technologies in 2018; Broadcom sold Veracode to Thoma Bravo in January 2019 ($950M); in March 2022 TA Associates acquired a majority stake at a $2.5B valuation, with Thoma Bravo retaining a minority position19. Wysopal remains Veracode’s founder and Chief Technology Officer in 2026 (Brian Roche took the CEO seat in April 2024, succeeding Sam King). The trajectory is the “grey-hat alumnus founds the next-generation security company” path.
- Joe Grand / Kingpin runs Grand Idea Studio (hardware-research consultancy) — substantial USB/cellular/embedded research, hardware-security teaching at Black Hat, and editorial work on Hardware Hacking (Syngress, 2004; Grand as co-editor). He is also notable for the 2023 RoboForm password-generator recovery (~$3M, completed November 15, 2023), where he reverse-engineered the password generator’s seed-from-system-time flaw to recover a customer’s lost Bitcoin wallet — an unusually public demonstration of the hardware-research-into-financial-impact lineage20.
- Cris Thomas / Space Rogue continued in security-research roles through @stake / Symantec / Tenable Network Security and is currently Global Strategy Lead at IBM X-Force21. The trajectory is the “grey-hat alumnus stays in security and rises through corporate hierarchies” path.
Why the case matters historically. L0pht is the canonical example of the grey-hat-collective-as-research-workspace pattern and of the grey-to-white conversion at the institutional level. The 1998 Senate testimony established that grey-hat researchers could engage productively with mainstream institutions; the 2000 @stake merger established that the institutional engagement could be commercialized. The alumni’s subsequent careers are the proof-of-concept for the conversion pathway §6 walks at depth. In 2026 the L0pht reference is the load-bearing historical anchor for any discussion of the grey-hat category.
7.2 Bunnie Huang — the principled grey-hat-by-philosophy exemplar

Figure 8.4 — Andrew “bunnie” Huang. File:Bunnie portrait cropped screenres.jpg by Pauline Ng. License: Public domain. Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3ABunnie%20portrait%20cropped%20screenres.jpg).
Andrew “bunnie” Huang is the cleanest example of grey-hat-by-philosophy in the modern researcher population. Huang earned a PhD in Electrical Engineering from MIT in 2002 (advisor Tom Knight); his doctoral thesis was on the Xbox’s security architecture22, and the resulting book Hacking the Xbox: An Introduction to Reverse Engineering (No Starch Press, 2003)23 is the canonical work in the area.
The book’s publication history is itself the load-bearing fact for this profile. Huang’s original publisher, Wiley, withdrew its commitment in early 2003 under Microsoft DMCA §1201 pressure — Wiley cited the Digital Millennium Copyright Act §1201 anti-circumvention provisions and its unwillingness to defend a publication that Microsoft argued circumvented Xbox security24. Huang responded by self-publishing the book in May 2003 under the Xenatera/Xeve label (ISBN 978-0974057507) — itself a substantive grey-hat-by-philosophy gesture, publishing at personal legal risk rather than suppressing the work. No Starch Press subsequently picked up the book for wider distribution (ISBN 978-1593270292), with Huang and No Starch arguing the book was straightforward security research and educational material rather than anti-circumvention conduct. The book remains in print in 2026; Microsoft has not pursued legal action against No Starch or Huang in the more than two decades since publication. The episode is the canonical example of vendor-side legal pressure short of litigation that nonetheless produced substantial researcher cost: Huang’s original publication pathway was killed, and the book’s eventual publication required a different publisher and substantial researcher time invested in the post-publication legal posture.
Huang’s subsequent career has been a sustained example of principled long-form public-good disclosure work:
- Chumby (co-founder, 2006) — the open-hardware Linux-based information-appliance company; the device’s hardware design was published under permissive licenses; the design philosophy emphasized user-modifiability and security research.
- Chibitronics (co-founder) — educational electronics products.
- Novena (2014) — open-hardware laptop project. The laptop’s design was published in full; the explicit design goal was a computer that the user could understand and modify at every level. The project’s writeup Novena: An Open Source Laptop is the canonical artifact of the open-hardware lineage Huang represents.
- Silicon-level security research — Huang’s work on chip-level reverse engineering, hardware Trojans, and supply-chain security has been substantial across the 2010s and 2020s. His blog bunniestudios.com publishes ongoing research at a sustained pace.
- The Shenzhen-electronics-tour writing — Huang’s The Essential Guide to Electronics in Shenzhen (2017) and his broader writing on the Shenzhen electronics ecosystem are the canonical works for understanding the supply-chain context of consumer electronics. The work sits at the boundary of security research, supply-chain analysis, and economic-and-cultural reporting.
Why the case matters historically. Huang exemplifies the grey-hat-by-philosophy researcher whose work explicitly frames the unauthorized-research stance as a public-good commitment. The Xbox book’s publication story is the canonical vendor-legal-pressure case that researchers cite when discussing the institutional friction grey-hat work encounters. Huang’s subsequent career — the principled long-form work, the open-hardware lineage, the consistent public-good framing — is the proof-of-concept for the grey-hat configuration that operates explicitly outside the bug-bounty institutional infrastructure. In 2026, when senior researchers describe the grey-hat-as-philosophical-commitment configuration, Huang is the modal reference.
7.3 Mark Dowd — the technical-vulnerability-research exemplar
Mark Dowd is the canonical figure for deep technical vulnerability research at the edge of grey-hat and white-hat configurations. Dowd is co-author (with John McDonald and Justin Schuh) of The Art of Software Security Assessment (Addison-Wesley, 2006)25 — the load-bearing reference work for the modern vulnerability-research practice and one of the most-cited technical security books of the 2000s. The book is the textbook for the kind of source-and-binary-analysis work that produces the high-severity vulnerabilities at the top of the modern threat landscape.
Dowd’s career ran through IBM ISS (X-Force) until approximately 2008 and McAfee’s Foundstone, and since 2008 he has been at Azimuth Security — the consultancy he co-founded with John McDonald. Azimuth Security is, in 2026, one of the most-recognized boutique vulnerability-research firms and has been substantially involved in the iOS-and-Android vulnerability-research market across the 2010s and 2020s; the firm was extensively covered in the 2018–2019 reporting on the post-Apple-vs-FBI legal-pressure environment, and again in Reuters’ 2021 reporting on Azimuth’s apparent role in the 2016 FBI iPhone unlock case (the San Bernardino iPhone incident)26.
Dowd’s stance is closer to white-hat than grey-hat — Azimuth operates as a commercial firm with formal customer relationships, and Dowd’s individual research is increasingly under that institutional framework — but he often operates at the edge where the legal-and-ethical configuration is contested. The Azimuth example specifically is important: Azimuth conducts research for paying customers, and those customers include government agencies; the use of the research downstream is opaque to Azimuth and outside its control. The configuration is structurally similar to the Zerodium / NSO broker-tier of §4.2 Option C, but Azimuth’s customer-vetting practices are stricter than the canonical-broker case. Where on the grey-hat / white-hat / black-hat axis Azimuth sits is genuinely contested in the practitioner literature; the 2026 consensus is that the firm operates at the boundary where the contestation is most active.
Why the case matters historically. Dowd exemplifies the deep-technical-research figure whose career arc moved from individual researcher (the 2006 Art of Software Security Assessment era) through corporate-firm researcher (IBM ISS, McAfee) to founding-partner of a vulnerability-research firm (Azimuth Security). The trajectory is the canonical “grey-hat-talent into commercial-research-firm-leadership” path. The Azimuth example also illustrates the structural ambiguity at the firm-tier — even when a researcher operates inside a formal commercial framework, the firm’s posture on the white-hat / grey-hat / black-hat axis can be contested.
7.4 Andrew “weev” Auernheimer — the cautionary case
Andrew Auernheimer — known by the handle weev — is the canonical cautionary case for grey-hat work in the modern legal environment. The handling of this profile requires substantial care: the legal case is the load-bearing relevant fact, and the post-2014 personal trajectory is documented but tangential; the volume treats the legal case in primary depth and the post-2014 trajectory in flagged-but-not-sensationalized footnote complication.
The 2010 AT&T iPad email-harvesting incident. In June 2010, Auernheimer and Daniel Spitler (operating as the group Goatse Security) discovered a vulnerability in AT&T’s web infrastructure that returned an iPad customer’s email address when queried with the customer’s ICC-ID (integrated circuit card identifier) — a number that was, in 2010, predictable enough to be enumerated. Spitler wrote a script that walked through approximately 114,000 ICC-IDs and harvested the corresponding email addresses; Auernheimer subsequently provided the harvested data to Gawker (then a tech-news publication), which published a story on the vulnerability and the affected AT&T customer population (including several public figures whose iPad accounts had been on the list)27.
The 2011 indictment and 2012 conviction. The U.S. Department of Justice indicted Auernheimer and Spitler in early 2011 on charges of conspiracy to access a computer without authorization (CFAA, 18 U.S.C. § 1030(a)(2)(C)) and identity theft (18 U.S.C. § 1028(a)(7)). Spitler pleaded guilty; Auernheimer went to trial in November 2012 in the District of New Jersey and was convicted on both counts. He was sentenced in March 2013 to 41 months in federal prison plus three years of supervised release and approximately $73,000 in restitution to AT&T28.
The 2014 conviction vacatur. Auernheimer appealed; the U.S. Court of Appeals for the Third Circuit heard the appeal in 2014. On April 11, 2014, the Third Circuit vacated the conviction on venue grounds29 — the court held that the indictment had been filed in the wrong federal district (New Jersey rather than Arkansas or another district where Auernheimer’s conduct or its effects could be properly venued). The vacatur was not a finding that the conduct was lawful; the underlying CFAA-and-identity-theft elements were not addressed on the merits. The Third Circuit’s opinion explicitly avoided ruling on whether the conduct constituted unauthorized access; the panel addressed only the venue question. Auernheimer was released from federal custody after approximately 13 months served. The DoJ did not re-indict in a properly-venued district.
Why the legal case matters historically. The Auernheimer case is the canonical example of the configuration this volume’s §1.1 callout describes: technically-constructive conduct (the AT&T flaw was real; the disclosure prompted AT&T to patch) producing federal felony conviction (41-month sentence) and 13 months actual federal-prison time, even though the conviction was eventually vacated on venue grounds (improper district) unrelated to the conduct itself. The case is widely cited in the practitioner literature as the cautionary trajectory for the “I hacked it to prove it” public-disclosure posture; the §5.3 Alex composite is the lower-key civil-version of the same pattern, and Auernheimer is the high-key criminal-version. The case also produced substantial EFF-mediated amicus participation; the EFF’s 2013 amicus brief at the Third Circuit is the canonical practitioner-community legal-argument-summary of the case30.
The post-2014 trajectory complication. Auernheimer’s post-2014 personal trajectory has been documented in mainstream press and has become, in the years since 2014, a substantial culture-war touchpoint. The trajectory has involved publicly-stated affiliations and positions on the political far-right that are distinct from his pre-2014 grey-hat-researcher profile; mainstream press coverage has documented these positions and Auernheimer himself has publicly affirmed them31. The post-2014 trajectory is not the load-bearing relevant fact for this volume’s purposes — the AT&T legal case is what makes Auernheimer canonical in the grey-hat literature — but it is documented and the literature acknowledges the complication. The practitioner-community treatment in 2026 is to cite the AT&T case as the canonical grey-hat-prosecution example while explicitly distancing from Auernheimer’s post-2014 positions; this volume follows that convention. The complication is flagged not because it changes the legal-historical analysis of the AT&T case but because honesty about the figure’s later trajectory is part of the engineer-grade treatment.
Why the case matters as a historical anchor. The Auernheimer case sits in the canonical citation pattern for grey-hat-prosecution cases alongside Aaron Swartz (whose 2011 JSTOR case and 2013 suicide produced a substantial counter-CFAA reform conversation that has continued through the 2022 DoJ policy update4), Andrew Bustamante / Hector Monsegur / Sabu (LulzSec, prosecuted 2011 with subsequent cooperation), Marcus Hutchins (Vol 6 §7.5, prosecuted 2017 on unrelated black-hat-era conduct), and several other case-law-shaping figures. The Auernheimer case specifically illustrates how unauthorized access plus public disclosure can produce federal felony exposure even when the underlying conduct’s harm to the affected party is modest; the AT&T data extraction did not produce documented identity-theft outcomes or substantial customer harm, but the conviction was for the access and the identity-theft elements regardless.
7.5 Tavis Ormandy and Google Project Zero — the institutional-pressure case
Project Zero, the Google security-research team announced July 15, 2014 by Chris Evans on the Google Security Blog8, occupies a contested position in the white-hat / grey-hat literature. The team is technically white-hat by employment construction — Project Zero researchers are Google employees, operating under Google’s broad “vulnerability research” mandate, with formal authorization to research any commercial software they choose. Yet the team’s 90-day-deadline disclosure policy creates structural pressure on vendors that practitioners often call “grey-aligned” in tactical effect — the deadline mechanism produces vendor engagement that no purely-coordinated-disclosure framework had previously achieved, and the team’s willingness to publish technical detail after the deadline regardless of vendor wishes is closer to the full-disclosure norm than to the responsible-disclosure norm.
Tavis Ormandy is the canonical Project Zero researcher and the figure whose individual track record most clearly illustrates the institutional-pressure case. Ormandy joined Google before Project Zero’s formal founding (he was at Google from approximately 2009); he was a founding-team member of Project Zero in 2014 and remained at Google through Project Zero’s first eleven years. Ormandy left Google on October 10, 2025 after 16 years, transitioning to independent vulnerability research; he is based in the San Francisco Bay Area in 2026 and continues to publish vulnerability disclosures (his TrendMicro AV critiques in early 2026 are the post-Google continuation of the antivirus-research lineage he established at Project Zero). His career disclosure record is substantial — hundreds of CVEs across two decades, ranging across operating-system vulnerabilities (Windows, macOS, Linux), antivirus vulnerabilities (a particular Ormandy specialty; he has published canonical critiques of every major antivirus product), web-browser vulnerabilities, and various other categories32.
Ormandy’s posture on the disclosure-norm question has been consistently advocacy-for-coordinated-disclosure-with-deadline; his public writing argues that the 90-day-deadline mechanism is what makes coordinated disclosure actually work, and that frameworks without a fixed deadline functionally become “give us forever to fix it” arrangements that don’t produce timely patches. The position is contested in the broader practitioner community — some researchers argue for longer deadlines, some for shorter, some for case-by-case treatment — but Ormandy’s articulation has been the canonical statement of the deadline-mechanism-as-load-bearing position.
Why the case matters historically. Project Zero is the canonical example of the institutional-formalization of the coordinated-disclosure-with-deadline framework. The team’s employed-and-authorized status places it technically on the white-hat side of Axis 1, but the team’s disclosure practice — fixed 90-day deadline, publication regardless of vendor wishes, willingness to use the public-disclosure threat as engagement-leverage — is the most-aggressively-grey-aligned tactical posture in any white-hat-institutional configuration. The team’s structural innovation is the deadline mechanism; the deadline is what converted the grey-hat-as-public-disclosure-stunt configuration of the late 1990s into the modern institutional pattern. Tavis Ormandy’s individual track record is the proof-of-concept that the configuration scales to a working-researcher career — and his October 2025 departure from Google to independent research is the proof-of-concept that the senior-researcher can carry the same disclosure-practice out of the institutional framework once the deadline-mechanism is established as community-norm.
7.6 The figures roster
| Figure | Era | Canonical contribution | Position on grey-white axis | Why it matters |
|---|---|---|---|---|
| L0pht Heavy Industries | 1992–2000 (collective era); 2000+ (alumni careers) | May 19, 1998 Senate testimony; L0phtCrack; collective grey-hat-research workspace; @stake commercialization | Canonical grey-hat collective; alumni define the grey-to-white conversion pathway | Institutional inflection point; the lineage from late-1990s grey-hat through @stake and Symantec to modern Veracode / IBM / CISA / Stripe / Twitter / Google careers |
| Bunnie Huang | 2002–present | Hacking the Xbox (No Starch 2003 after Wiley suppression); Chumby; Novena open-hardware laptop; Shenzhen-electronics writing; ongoing silicon-level research | Cleanest grey-hat-by-philosophy exemplar | Vendor-legal-pressure case (Wiley suppression); principled long-form public-good disclosure work; open-hardware lineage |
| Mark Dowd | 2000s–present | Art of Software Security Assessment (Addison-Wesley 2006); Azimuth Security co-founder; deep technical vulnerability research | Edge case — closer to white than grey, but firm-level posture contested | Technical-vulnerability-research career arc; the grey-hat-talent-into-commercial-firm-leadership trajectory |
| Andrew Auernheimer (“weev”) | 2010–2014 (AT&T case era); post-2014 complicated | AT&T iPad email-harvest 2010; CFAA conviction 2012; conviction vacated on venue grounds Apr 11 2014; ~13 months federal-prison time served | Canonical cautionary case — technically-constructive conduct producing federal felony conviction | The “I hacked it to prove it” public-disclosure-posture risk; the post-2014 personal trajectory is a documented complication |
| Tavis Ormandy / Project Zero | 2014–Oct 2025 (Project Zero era; Ormandy at Google ~2009–2025; independent researcher from October 10, 2025) | Hundreds of CVEs; antivirus-and-OS vulnerability research; institutionalization of 90-day-deadline coordinated disclosure | White-hat by employment until Oct 2025; now independent grey-aligned-in-tactical-effect via the disclosure-deadline mechanism he helped establish | Project Zero is the institutional formalization of the disclosure-deadline framework; the deadline is the structural innovation that converted grey-hat-as-public-disclosure-stunt to institutional pattern; Ormandy’s October 2025 departure from Google illustrates the senior-researcher carrying the disclosure-practice into independence after the institutional pattern is established |
Table 8.5 — The famous-figures roster in shorthand. Each entry is documented in public record (court filings, vendor-disclosure timelines, conference-talk archives, peer-reviewed publications, established journalism); the in-prose treatment above carries the citations. The selection is not exhaustive — many other figures (Joanna Rutkowska of Invisible Things Lab; Justin Schuh; Charlie Miller pre-2009 and pre-Twitter; many of the Project Zero alumni; Phil Lapsley of Exploding the Phone as a phreaking-historian alternative; Dragos Ruiu of CanSecWest as a community-architect alternative) belong in a longer roster. The five chosen here cover the canonical grey-hat collective (L0pht), the grey-hat-by-philosophy exemplar (Huang), the technical-vulnerability-research edge case (Dowd), the cautionary prosecution case (Auernheimer), and the institutional-formalization case (Ormandy / Project Zero). Weev’s post-2014 trajectory is flagged in §7.4 as a documented complication rather than the load-bearing fact.
8. Callouts and cross-references
This section makes the volume’s load-bearing callouts and cross-references explicit, including the mandatory legal-line callout that every grey-hat-content discussion carries.
8.1 The mandatory legal-line callout
The line — load-bearing legal callout, mandatory for grey-hat content. Grey-hat conduct is unauthorized access under the CFAA and equivalent statutes regardless of the actor’s intent. The statute’s “without authorization” prong does not contain an intent carve-out for benevolent research; Van Buren (2021) narrowed the parallel “exceeds authorized access” prong but left the “without authorization” prong intact; the DoJ’s May 19, 2022 policy update provides prosecutorial discretion for good-faith security research, not legal immunity. Good intentions are not a legal defense; only prosecutorial discretion (federal and state, U.S. and international), the disclosure-as-mitigation framing at sentencing, and post-engagement disclosure quality actually shape outcomes. Civil liability under CFAA § 1030(g) is uncapped and not bound by federal-DoJ policy — the affected organization retains the right to sue regardless of whether the DoJ prosecutes. State law is parallel to federal law and is undermapped in the practitioner literature. International equivalents (UK Computer Misuse Act 1990; Budapest Convention 2001; EU member-state implementations; Asia-Pacific equivalents) track the same structural pattern. The full legal framing is in Vol 19 (the legal line and ethics) §2 (CFAA), §3 (Van Buren), §4 (international scene), §6 (good-faith research and the 2022 policy), §7 (civil liability), §8 (state-law parallels). This volume points at the legal frame from outside; Vol 19 is inside it. Every grey-hat-content discussion in this series carries this callout in some form. It is the single load-bearing rule of the hat.
8.2 The look-here cross-reference callout
Where to read next. For the white-hat treatment that establishes the authorized end of Axis 1 — the SOW / scope / ROE / GOJL paperwork stack the grey hat lacks, the certification ladder, the career synthesis — see Vol 6. For the black-hat treatment that establishes the unauthorized-malicious end of Axis 1 — the criminal-economy structure, the named figures, the OFAC enforcement layer — see Vol 7. For the broader career synthesis across all the hat colors, Vol 18 (Careers) walks the consultancy-vs-in-house-vs-government-vs-bug-bounty-vs-independent decision in full, with compensation data, geography effects, and the credential-vs-portfolio question treated across all the hats. For the full legal framing — CFAA statutory walkthrough, Van Buren analysis, the authorization-in-practice details, the international scene including Computer Misuse Act 1990 and Budapest Convention, the 2022 DoJ policy treatment, civil liability under § 1030(g), state-law parallels, the EFF Coders’ Rights Project context, and the ethics literature — Vol 19 (The legal line and ethics) is the canonical reference. The historical context — the L0pht / Phrack / disclosure-wars lineage that this volume’s §2 and §7.1 builds on — is in Vol 3 §6 and Vol 4 §3.
8.3 Cross-references to other hat volumes
The grey-hat treatment occupies the middle position on Axis 1 (Vol 5 §6.1); the bracketing positions and the engagement-role hats are treated in:
- Vol 6 (White hat) — the authorized end of Axis 1; the SOW / scope / ROE / GOJL paperwork stack that converts grey-hat-equivalent technical work to white-hat work; the career synthesis. Vol 6 §1 carries the authorization-as-load-bearing-concept treatment that this volume’s §1 and §2 build on.
- Vol 7 (Black hat) — the unauthorized-malicious end of Axis 1; the criminal economy, the named figures, the OFAC enforcement layer. Vol 7 §1.2’s catalog of malicious-or-self-interested motives is what the grey-hat “without malice” position is not; this volume’s §1.3 walks the constructive-motive catalog in parallel.
- Vol 9 (Green hat) — the newcomer / on-ramp. The transition from sanctioned-learning-environment to engagement-realistic work is where the white-hat hat is first put on; the grey-hat-as-first-public-research-step pathway is treated from the green-hat side in Vol 9 §4 when authored.
- Vol 10 (Blue hat — defender) — the defender’s response to the adversary the §3 toolchain section describes. The grey-hat researcher’s vulnerability-disclosure work feeds the blue-hat defensive posture; the relationship is genuinely cooperative even when the disclosure-pathway is contested.
- Vol 11 (Red hat — adversary emulation) — sanctioned adversary emulation that uses some of the same capabilities. The red-team-engagement structure is structurally similar to the grey-hat-research workflow except for the authorization stack; the engagement scope is the discriminator.
- Vol 12 (Purple hat — collaborative integration) — the collaborative integration role. The grey-hat-to-coordinated-disclosure pathway is, structurally, the most external version of the purple-team-as-collaborative-improvement framing; both produce iterative security improvement through researcher-and-vendor cooperation.
8.4 Cross-references to the historical and meta volumes
- Vol 3 §6 (The zines and the groups — Phrack, 2600, LoD, MoD, L0pht) — the canonical historical treatment of the late-1980s and 1990s grey-hat-collective and full-disclosure culture; this volume’s §2.1 (L0pht inflection point) and §7.1 (L0pht profile) build on the Vol 3 material.
- Vol 4 §3 (The exploit market — full disclosure vs. coordinated disclosure vs. broker) — the canonical treatment of the disclosure-wars history that this volume’s §2.2 (full-disclosure debate as term’s birth context) and §4.2 (the four disclosure options) build on.
- Vol 4 §5 (The bug-bounty economy) — the bug-bounty platform history through HackerOne (2012), Bugcrowd (2011/12), Synack (2013), the DoJ 2022 CFAA safe-harbor policy revision. The bug-bounty career mode of §6 lives inside that platform history.
- Vol 5 §6 (The two-axis problem) — the load-bearing axis-mapping that this volume’s §1 (grey-hat positioning) builds on.
- Vol 5 §8 (The master taxonomy diagram) — the centerpiece visual that every later volume cross-references; this volume’s §3 (tools-of-the-trade) restatement of “the discriminator is authorization, not gear” derives from the diagram’s structural argument.
- Vol 6 §1 (Definition and boundary) — the authorization-as-load-bearing-concept treatment; this volume’s §1 walks the grey-hat case as the position without the Vol 6 §1 paperwork stack.
- Vol 6 §7.5 (Marcus Hutchins) — the canonical case study in white-hat-researcher facing prosecution for unrelated black-hat-era conduct; cross-referenced for the legal-trajectory illustration.
- Vol 7 §1 (Definition and boundary) — the malicious-or-self-interested motive catalog that this volume’s §1.3 (constructive-motive catalog) parallels.
8.5 Cross-references to the Hack Tools deep dives
The §3 toolchain section linked the per-tool engineering treatments. The canonical cross-references where the grey-hat use case is structurally identical to the white-hat use case in technique, but legally identical to the black-hat use case in authorization status:
- HackRF One deep dive — wideband SDR (1 MHz – 6 GHz). The grey-hat RF-research lineage is the foundational research literature for sub-GHz protocol research; the use case is identical technically to the white-hat engagement, differs in authorization, and overlaps with the black-hat use case in the active-replay edge cases.
- Flipper Zero deep dive — integrated sub-GHz / RFID / NFC / IR handheld. The grey-hat use case adds the “is this badge cryptographically clonable?” demonstration pattern (DEF CON RFID Hacking Village canonical content), the consumer-RF protocol reverse-engineering work, and the broader public-RF research.
- WiFi Pineapple deep dive — purpose-built Wi-Fi-auditing platform. The grey-hat use case is the most legally hazardous of the RF tier — Wi-Fi probing against networks the researcher doesn’t own implicates wiretap-statute exposure that the 2010 Google Wi-Fi precedent left undermapped. The Pineapple deep dive §1 explicitly flags this as posture-sensitive.
- Proxmark3 RDV4 directory — lab-grade RFID/NFC research. The grey-hat use case is the higher-sophistication credential-research work against MIFARE Classic, MIFARE DESFire, HID Prox, iClass, and proprietary credential ecosystems.
- ESP32 Marauder Firmware deep dive — open-source Wi-Fi/BLE pentest firmware. The grey-hat use case is identical structurally to the Pineapple use case at lower cost; the legal hazard is identical.
- OpenSourceSDRLab PortaRF directory — the HackRF-class handheld SDR. The grey-hat RF-research use case overlaps with the HackRF One use case; the handheld form factor adds some operational discretion for in-field research.
8.6 Cheatsheet bullets — Vol 20 candidates
The following one-liners are the load-bearing rules of the grey-hat treatment, destined for Vol 20’s laminate-ready synthesis:
- Grey-hat operates without authorization, but without malice. The middle position on Axis 1 — the actor who breaks in to prove it was broken, then discloses.
- The CFAA does not have an intent carve-out for benevolent research. The “without authorization” prong catches the grey-hat actor at the same statutory level it catches the black-hat actor. Good intentions are not a legal defense.
- What shapes outcomes is the three-part stack: prosecutorial discretion, civil liability, and state law. The 2022 DoJ policy provides federal-level discretion, not immunity. Civil liability under § 1030(g) is uncapped and unbound by federal policy. State law is parallel and undermapped.
- Technical work is identical to authorized work; legal exposure is identical to malicious work. The discriminator is intent and post-engagement disclosure; neither is a legal defense.
- The disclosure decision point is the structural feature of grey-hat methodology. Four options: coordinated disclosure (canonical), full disclosure (Bugtraq-lineage), sale to broker (commercial pathway, contested at the sovereign-customer tier), sit on it (long-tail default).
- The 90-day Project Zero norm is the modern coordinated-disclosure standard. Fixed deadline, public disclosure regardless of patch status, 14-day grace period for imminent patches. The deadline mechanism is what makes the framework actually work.
- Bug-bounty programs are the grey-to-white conversion infrastructure. Platform scope + safe-harbor language converts unauthorized research into authorized work; the institutional pathway is the modal 2026 conversion mechanism.
- The portfolio is the disclosure track record. CVEs, conference talks, and published research are the load-bearing signals in the offensive-security hiring market. The certs are the floor; the disclosure history is the differentiator.
- L0pht is the canonical grey-hat collective. May 19, 1998 Senate testimony — Brian Oblivion, Kingpin, Mudge, Space Rogue, Stefan Von Neumann, John Tan, Weld Pond. The alumni’s subsequent careers are the canonical conversion-pathway proof-of-concept.
- The Auernheimer case is the canonical cautionary trajectory. Technically-constructive conduct producing federal felony conviction and 13 months federal-prison time, even with the conviction eventually vacated on venue grounds.
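As an added example (not from this volume, and not Project Zero's own tooling), a small embargo tracker that applies the 90-day rule from the cheatsheet bullet to constructed reports; it assumes the simplified model stated there: a fixed 90-day deadline, a 14-day grace period only when a fix is due shortly after the deadline, and publication on the deadline regardless of patch status otherwise.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional

DEADLINE_DAYS = 90   # fixed window from the day the vendor is notified
GRACE_DAYS = 14      # extension granted only for a fix due shortly after the deadline


@dataclass(frozen=True)
class Report:
    """One privately reported vulnerability (constructed tracker entry, not a real CVE)."""
    ident: str
    reported: date                           # day the vendor was notified
    patch_expected: Optional[date] = None    # vendor's committed fix date, if any


def embargo_ends(r: Report) -> date:
    """Last day the details stay private under the fixed-deadline model.

    - No fix date, or a fix later than deadline + grace: the deadline governs,
      patch status notwithstanding (the "regardless of patch status" rule).
    - Fix due inside the grace window after the deadline: wait for the fix date.
    - Fix due on or before the deadline: the deadline is still the upper bound;
      publishing earlier once the fix ships is outside this model.
    """
    deadline = r.reported + timedelta(days=DEADLINE_DAYS)
    if r.patch_expected is None or r.patch_expected <= deadline:
        return deadline
    if r.patch_expected <= deadline + timedelta(days=GRACE_DAYS):
        return r.patch_expected
    return deadline


def status(r: Report, today: date) -> str:
    """'embargoed', 'grace' (past the deadline but inside an extension), or 'public'."""
    deadline = r.reported + timedelta(days=DEADLINE_DAYS)
    if today >= embargo_ends(r):
        return "public"
    if today >= deadline:
        return "grace"
    return "embargoed"


def due_for_publication(reports: Iterable[Report], today: date) -> List[str]:
    """Identifiers whose embargo has expired as of `today`."""
    return [r.ident for r in reports if status(r, today) == "public"]


# Constructed sample reports, all notified on the same day so the cases compare directly.
NOTIFIED = date(2025, 1, 10)            # deadline falls on 2025-04-10, grace ends 2025-04-24
SAMPLE_REPORTS = [
    Report("EX-0001", NOTIFIED),                              # vendor silent
    Report("EX-0002", NOTIFIED, patch_expected=date(2025, 4, 20)),  # fix inside grace window
    Report("EX-0003", NOTIFIED, patch_expected=date(2025, 5, 15)),  # fix too late for grace
    Report("EX-0004", NOTIFIED, patch_expected=date(2025, 3, 1)),   # fix before deadline
]

if __name__ == "__main__":
    today = date(2025, 4, 15)
    for r in SAMPLE_REPORTS:
        print(f"{r.ident}: embargo ends {embargo_ends(r)} -> {status(r, today)} on {today}")
    print("due for publication:", due_for_publication(SAMPLE_REPORTS, today))
```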
9. Resources
The footnoted bibliography for this volume. Sources organized by category for easier scanning.
9.1 Statutory and primary legal sources
9.2 L0pht and the historical grey-hat lineage
9.3 Disclosure-norm and coordinated-disclosure framework
9.4 Bug-bounty platforms and the conversion infrastructure
9.5 Famous figures — primary sources for §7
9.6 Practitioner-blog and podcast circuit for grey-to-white career arcs
A short list of the practitioner-blog and podcast circuit relevant to grey-hat work and the grey-to-white conversion pathway:
- Risky Business (Patrick Gray and friends): https://risky.biz/ — weekly podcast; substantial coverage of bug-bounty platforms, vulnerability disclosure, and the working-researcher career arc. The host’s “Risky Biz News” segment surfaces grey-hat-disclosure cases regularly.
- Darknet Diaries (Jack Rhysider): https://darknetdiaries.com/ — narrative-format podcast; covers individual security stories and incidents at depth. The “Hacker Stories” arc (multiple episodes) profiles grey-to-white career arcs of canonical figures.
- HackerOne, Bugcrowd, Intigriti, YesWeHack blog content with researcher interviews, disclosure case studies, and program updates: https://www.hackerone.com/blog, https://www.bugcrowd.com/blog/, https://blog.intigriti.com/, https://blog.yeswehack.com/.
- Krebs on Security (Brian Krebs): https://krebsonsecurity.com/ — daily security journalism with substantial coverage of grey-hat-disclosure cases and the legal-line conversations.
- PortSwigger Research blog (the Burp Suite team): https://portswigger.net/research — high-quality web-application-security research; the Burp Suite team’s published research is the canonical grey-hat-edge-of-bug-bounty case study in many of its disclosures.
- Project Zero blog (Google): https://googleprojectzero.blogspot.com/ — the canonical institutional-formalization-of-coordinated-disclosure-with-deadline blog. Project Zero’s own write-ups of researched vulnerabilities are the canonical disclosure-as-research-product reference.
- The CyberWire (cybersecurity news): https://thecyberwire.com/ — daily podcast and newsletter; substantial coverage of disclosure cases and the legal-line conversations.
- SANS Internet Storm Center (ISC): https://isc.sans.edu/ — daily handler diaries with operational analysis. Some of the ISC handlers (Dr. Johannes Ullrich, Renato Marinho, others) have substantial grey-to-white career-arc track records.
9.7 Industry-reference documents
- CERT/CC Coordinated Vulnerability Disclosure: https://vuls.cert.org/confluence/display/CVD/. The canonical multi-stakeholder coordinated-disclosure framework documentation. ISO/IEC 29147:2018 (“Information technology — Security techniques — Vulnerability disclosure”) is the parallel international-standards-track framework.
- MITRE CVE program: https://www.cve.org/. The canonical reference for CVE identifier assignment, the CNA program (CVE Numbering Authorities), and the broader vulnerability-record infrastructure.
- NVD — National Vulnerability Database: https://nvd.nist.gov/. The canonical reference for vulnerability records as they appear in U.S. federal-government use.
- Disclose.io safe-harbor template: https://disclose.io/. The canonical reference for standardized safe-harbor language patterns the industry has converged on; the project maintains a directory of organizations with disclose.io-compatible disclosure programs.
- CISA Known Exploited Vulnerabilities (KEV) catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog. The canonical reference for actively-exploited vulnerabilities; relevant to grey-hat disclosure decisions where the vulnerability is already being exploited in the wild.
- EFF Coders’ Rights Project: https://www.eff.org/issues/coders. The canonical legal-defense resource for researchers facing vendor pressure, prosecution, or civil litigation.
9.8 Books — context and historical reference
- Cory Doctorow, “Information Doesn’t Want to Be Free: Laws for the Internet Age,” (McSweeney’s, 2014). The canonical popular-press treatment of the disclosure-norm debate and the public-good case for security research. ISBN 978-1940450285.
- Andrew “bunnie” Huang, Hacking the Xbox: An Introduction to Reverse Engineering (No Starch Press, 2003). The Xbox-research-with-suppression-story case; cited as footnote 23.
- Mark Dowd, John McDonald, Justin Schuh, The Art of Software Security Assessment (Addison-Wesley, 2006). The canonical reference for modern vulnerability-research practice; cited as footnote 25.
- Phil Lapsley, Exploding the Phone: The Untold Story of the Teenagers and Outlaws Who Hacked Ma Bell (Grove Press, 2013). The canonical history of the phreaking era — the proto-grey-hat lineage of Vol 2 §3. ISBN 978-0802120618.
- Andy Greenberg, This Machine Kills Secrets: How WikiLeakers, Cypherpunks, and Hacktivists Aim to Free the World’s Information (Dutton, 2012). The canonical mainstream-press treatment of the public-disclosure-as-political-action lineage adjacent to the grey-hat category.
- Steven Levy, Hackers: Heroes of the Computer Revolution (Doubleday, 1984; updated 25th-anniversary edition 2010). The canonical history of the hacker ethic and the proto-grey-hat-by-philosophy lineage; cited extensively in Vol 2. ISBN 978-1449388393 (2010 edition).
End of Vol 8. The next volume in the per-hat sequence is Vol 9 (Green hat) — the newcomer / on-ramp configuration, where the transition from sanctioned-learning environments to engagement-realistic work is treated.
Footnotes
1. Computer Fraud and Abuse Act, 18 U.S.C. § 1030. Current text via Cornell Legal Information Institute: https://www.law.cornell.edu/uscode/text/18/1030. Full statutory walkthrough in Vol 19 §2. The 1986 enactment history and amendments are covered in Vol 3 §4; the Van Buren narrowing is in Vol 4 §1.
2. Van Buren v. United States, 593 U.S. 374 (2021). Cornell LII: https://www.law.cornell.edu/supct/cert/19-783. Vol 4 §1 walked the decision; Vol 6 §1 treated the implication for white-hat work; this volume’s §1.1 treats the implication for grey-hat work.
3. U.S. Department of Justice, “Department of Justice Announces New Policy for Charging Cases under the Computer Fraud and Abuse Act,” May 19, 2022. Press release: https://www.justice.gov/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act. The policy clarified that “good-faith security research” should not be prosecuted under CFAA; Vol 4 §5.3 walked this in detail. The policy is prosecutorial discretion, not statutory immunity, and applies only to federal DoJ-led prosecutions; state-level prosecutors and private civil plaintiffs are not bound.
4. Aaron Swartz’s 2011 indictment in the District of Massachusetts arose from his unauthorized downloading of approximately 4.8 million academic articles from JSTOR through a script running on MIT’s network. The criminal charges (CFAA, wire fraud — eventually 13 felony counts) were pending at the time of Swartz’s January 11, 2013 suicide. JSTOR’s prior civil dispute with Swartz had been settled before the criminal indictment; the criminal prosecution was pursued by the U.S. Attorney’s Office independently. The case produced substantial counter-CFAA-reform conversation (the Aaron’s Law proposals introduced in Congress 2013 and following; none enacted in original form). The 2022 DoJ policy update was, in part, downstream of the post-Swartz advocacy. Documentation: Lessig, “Prosecutor as Bully,” January 12, 2013 (http://lessig.tumblr.com/post/40347463044/prosecutor-as-bully); MIT’s Hal Abelson-led report on MIT’s role, June 2013.
5. The UK CyberUp Campaign is a multi-year coalition advocating for an amendment to the UK Computer Misuse Act 1990 introducing a “lawful authority” defense for good-faith security research. Coalition members have included NCC Group, Context, F-Secure UK, and others. Campaign documentation at https://www.cyberupcampaign.com/. As of early 2026, no statutory amendment has been enacted; the campaign continues.
6. U.S. Senate Committee on Governmental Affairs hearing, “Weak Computer Security in Government: Is the Public at Risk?”, May 19, 1998. The seven L0pht testifiers — Brian Oblivion, Kingpin (Joe Grand), Mudge (Peiter Zatko), Space Rogue (Cris Thomas), Stefan Von Neumann, John Tan, and Weld Pond (Chris Wysopal) — testified that they could “take down the Internet in 30 minutes” using publicly-known BGP vulnerabilities. The hearing transcript is at https://www.govinfo.gov/. The same footnote text is used in Vol 3 §6.5 and Vol 5 §5.3 for consistency across the series.
7. Scott Culp, “It’s Time to End Information Anarchy,” Microsoft Security Response Center, October 17, 2001. The original essay is archived at https://web.archive.org/web/20011029090524/http://www.microsoft.com/technet/columns/security/noarch.asp; the canonical practitioner-community response is documented in Bruce Schneier’s Crypto-Gram, November 15, 2001 (https://www.schneier.com/crypto-gram/archives/2001/1115.html#1) and in numerous Bugtraq archive threads. The essay catalyzed the multi-year debate that produced the modern coordinated-disclosure norm.
8. Google Project Zero was announced July 15, 2014, on the Google Security Blog by Chris Evans. The original team included Tavis Ormandy, Ben Hawkes, George Hotz (briefly), Ian Beer, Matt Tait, and several others. The team’s mission was vulnerability research with public disclosure on a fixed timeline. Hawkes succeeded Evans as team lead; the team has continued under Google Threat Analysis Group’s umbrella. The same footnote text is used in Vol 4 §3.2 for consistency.
9. Google Project Zero’s vulnerability-disclosure policy is documented at https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html. The 90-day disclosure window has been Project Zero’s default since 2014, with a 14-day grace period if a patch is imminent. Project Zero has applied the policy uniformly, including to Google’s own products. The policy text and the various revision-and-justification posts on the Project Zero blog are the canonical primary source.
10. Mudge / Peiter Zatko has publicly rejected the “grey hat” label in multiple interviews; the modal articulation is that L0pht’s stance was straightforward security research with constructive disclosure, and the “grey” framing implies a kind of fence-sitting that practitioners do not recognize in their own work. The position is widely shared in the L0pht-alumni population; multiple interviews on Risky Business, Darknet Diaries, and various conference-talk Q&A sessions document the rejection. The volume retains the term for taxonomic clarity while acknowledging the practitioner-community position.
11. CERT/CC, Carnegie Mellon University Software Engineering Institute, Coordinated Vulnerability Disclosure documentation: https://vuls.cert.org/confluence/display/CVD/. The CERT/CC framework is the canonical multi-stakeholder coordinated-disclosure pathway for vulnerabilities affecting multiple vendors. ISO/IEC 29147:2018 (“Information technology — Security techniques — Vulnerability disclosure”) is the parallel international-standards-track framework.
12. Zerodium’s published price list (https://zerodium.com/program.html) lists payouts for various vulnerability classes. The most-cited single line item is the $2.5 million payout for a full-chain Android remote-code-execution exploit with no user interaction; the iOS equivalent is at $2.0 million. The list has been periodically revised upward. Zerodium operates substantially in the open about its prices but not about its customer base. The same footnote text is referenced in Vol 4 §3.3.
13. CISA Coordinated Vulnerability Disclosure (CVD) program documentation: https://www.cisa.gov/coordinated-vulnerability-disclosure-process. CISA’s CVD service is the canonical government-coordinator version for vulnerabilities affecting U.S. critical infrastructure or government systems.
14. The bug-bounty platform history through Netscape 1995 → Mozilla 2004 → Google Chromium 2010 → Facebook 2011 → HackerOne 2012 → Bugcrowd 2011/12 → Synack 2013 → the DoJ 2022 CFAA safe-harbor policy revision is walked in detail in Vol 4 §5. HackerOne’s founding-team identification (Alex Rice, Merijn Terheggen, Michiel Prins, Jobert Abma) is documented at https://www.hackerone.com/about; Bugcrowd’s founding by Casey Ellis is documented at https://www.bugcrowd.com/about/.
15. HackerOne’s canonical safe-harbor language template is documented at https://www.hackerone.com/disclosure-guidelines and in the per-program “Policy” sections of individual bug-bounty programs. The Bugcrowd parallel is documented at https://www.bugcrowd.com/legal/disclosure/. The Disclose.io project (https://disclose.io/) is the canonical reference for the standardized safe-harbor language patterns the industry has converged on.
16. The Electronic Frontier Foundation’s Coders’ Rights Project provides legal support to security researchers facing vendor pressure, prosecution, or civil litigation. Documentation at https://www.eff.org/issues/coders. The project’s notable cases include the Dmitri Sklyarov / DMCA 2001 prosecution defense; the David Maynor / Mike Lynn / Cisco IOS 2005 vendor-pressure response; the Andrew Auernheimer 2013 amicus participation; and many others.
17. L0phtCrack was originally released by Mudge in 1997 as a Windows password-cracking tool that exploited weaknesses in the LAN Manager (LANMAN) hash. The tool was commercialized by L0pht / @stake and remained in use through multiple ownership transitions (Symantec 2004 → discontinued for several years → revived by L0pht alumni under the L0phtCrack name 2009; subsequent ownership changes through the 2010s). The tool’s release-and-disclosure framing established a template that several subsequent grey-hat-collective tools followed.
18. Peiter Zatko’s career trajectory: L0pht / @stake (1990s–2000); BBN Technologies (2000–2010); DARPA (2010–2013, leading the Cyber Fast Track program); Google (2013–2015); Stripe (head of security, 2015–2020); Twitter (head of security, 2020–2022); CISA (Senior Technical Advisor, September 2023–); DARPA (Chief Information Officer, August 7, 2024 onward — primary current role as of early 2026). The 2022 Twitter departure produced a contested whistleblower disclosure. The CISA advisory role began September 2023; the DARPA CIO appointment of August 2024 is documented in DARPA press materials.
19. Chris Wysopal / Weld Pond co-founded Veracode in 2006 with Christien Rioux. The company is documented at https://www.veracode.com/; the corporate history through Computer Associates (2017 acquisition) to current Vista Equity Partners ownership is documented in press releases and SEC filings. Wysopal remains CTO in 2026.
20. Joe Grand’s 2023 RoboForm cryptocurrency-recovery work is documented in his published YouTube account of the recovery process and in subsequent press coverage. The recovery (approximately $3M / 30 BTC at the time of recovery) was completed November 15, 2023; the method involved reverse-engineering RoboForm’s password generator to exploit its seed-from-system-time flaw, reconstructing the password. The case is documented at Grand’s YouTube channel and in CoinDesk / Wired coverage from 2023.
21. Cris Thomas / Space Rogue’s career trajectory through Tenable Network Security to IBM X-Force is documented in his published bio and LinkedIn profile. His current role at IBM as Global Strategy Lead is documented in 2024–2026 conference-speaker bios and IBM press materials.
22. Andrew Huang, “Keeping Secrets in Hardware: the Microsoft Xbox Case Study,” MIT AI Lab Memo No. AIM-2002-008, May 2002. The thesis is available at https://dspace.mit.edu/handle/1721.1/3651.
23. Andrew “bunnie” Huang, Hacking the Xbox: An Introduction to Reverse Engineering (No Starch Press, 2003). ISBN 978-1593270292. After the original publisher Wiley killed the book under Microsoft pressure, No Starch picked it up. The book remains in print in 2026; substantial portions are available online at https://www.nostarch.com/xbox.htm. Huang’s blog at https://www.bunniestudios.com/ is the canonical ongoing primary source for his research.
24. The full publication sequence: Wiley pulled its commitment in early 2003 under Microsoft DMCA §1201 pressure; Huang self-published under the Xenatera/Xeve label, May 27, 2003 (ISBN 978-0974057507); No Starch Press subsequently picked up the book for wider distribution (ISBN 978-1593270292). Documented in Huang’s own writing about the publication history, in Wired coverage from 2003, and in subsequent retrospectives. The episode is the canonical example of vendor-side legal pressure short of litigation that nonetheless produced substantial researcher cost; Huang’s self-publishing response is the grey-hat-by-philosophy gesture that distinguishes the episode from simple suppression. No Starch Press’s decision to distribute was framed at the time as a deliberate stance for security-research-as-protected-speech.
25. Mark Dowd, John McDonald, Justin Schuh, The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities (Addison-Wesley, 2006). ISBN 978-0321444424. The book is the canonical reference work for modern vulnerability-research practice; subsequent reprints and digital editions are available.
26. Reuters investigative reporting in 2021 attributed the 2016 FBI iPhone unlock (the San Bernardino iPhone incident; Apple v. FBI legal-proceeding context) to Azimuth Security. The Reuters article, “The FBI used the Israeli firm Cellebrite to unlock San Bernardino shooter’s iPhone? No, an obscure Australian firm did it,” April 14, 2021 (subsequent corrections noted), is the canonical primary-source reference; the article is at https://www.reuters.com/article/idUSKBN2C107K and similar URLs.
27. The 2010 AT&T iPad email-harvest incident is documented in extensive contemporaneous press coverage. Gawker’s June 9, 2010 publication of the story is the canonical first press coverage; The New York Times and Wired coverage followed within days. The FBI investigation and 2011 indictment are documented in the DoJ press releases and court filings.
28. U.S. v. Auernheimer, sentencing March 18, 2013 in the District of New Jersey. The 41-month federal-prison sentence plus three years supervised release plus $73,000 restitution to AT&T is documented in the court filings and in Wired coverage at the time. The sentence was widely cited in the practitioner literature as an aggressive application of CFAA against a researcher whose conduct was technically constructive.
29. U.S. v. Auernheimer, Third Circuit opinion April 11, 2014. The Third Circuit vacated the conviction on venue grounds — the indictment had been filed in the District of New Jersey rather than a properly-venued district. The opinion explicitly avoided ruling on the merits of whether the underlying conduct constituted unauthorized access under CFAA. The opinion is available at the Third Circuit’s published-opinions archive; the EFF coverage at https://www.eff.org/cases/us-v-auernheimer is the canonical practitioner-community summary.
30. Electronic Frontier Foundation amicus brief in U.S. v. Auernheimer at the Third Circuit, 2013. The brief argued that the conduct did not constitute unauthorized access under CFAA because the AT&T server had returned the data when queried with a predictable identifier — the kind of public-facing access that the CFAA was not intended to criminalize. The brief is available at https://www.eff.org/cases/us-v-auernheimer.
31. Andrew Auernheimer’s post-2014 personal trajectory has been documented in mainstream press across 2014–2026. The trajectory includes publicly-stated affiliations and positions on the political far-right that are distinct from his pre-2014 grey-hat-researcher profile. The volume acknowledges the complication as documented historical fact while treating the AT&T legal case as the load-bearing relevant fact for grey-hat-history purposes. Primary press coverage includes The Daily Beast, The Atlantic, and the Anti-Defamation League’s monitoring archive; the practitioner-community treatment is to cite the AT&T case as the canonical grey-hat-prosecution example while explicitly distancing from the post-2014 positions.
32. Tavis Ormandy’s published vulnerability-disclosure record is documented in the National Vulnerability Database (NVD) via his attribution string in many of the CVE records he discovered, in the Project Zero issue tracker at https://bugs.chromium.org/p/project-zero/, and in his Twitter/X presence (handle @taviso), where he has historically published research summaries. The track record spans hundreds of CVEs across two decades.