A white hat hacker is an individual who uses hacking skills to identify security vulnerabilities in hardware, software or networks. However, unlike black hat hackers, white hat hackers respect the rule of law as it applies to hacking.
White hat hackers, also called ethical hackers, only seek vulnerabilities or exploits when they are legally permitted to do so. White hats may do their research on open source software, as well as on software or systems that they own or that they have been authorized to investigate, including products and services that operate bug bounty programs.
Unlike black or gray hat hackers, white hats disclose all the vulnerabilities they find to the company or owner who is responsible for fixing the flaws so the issues can be fixed before they are exploited by malicious actors.
Often, white hat hackers are security researchers who work independently or with other researchers, but some white hats are full-time employees with the company for which they research vulnerabilities and exploits. Independent researchers or contractors may disclose vulnerabilities separately, but some companies also have bug bounty programs through which security flaws can be disclosed for reward money.
Penetration testers, whether they work as independent contractors or as employees, are generally considered to be white hat hackers.
Many white hat hackers are former black hat hackers. The terms come from old Western movies, where heroes often wore white hats and the bad guys wore black hats.
Difference between white, black and gray hat hackers
Besides white hat, there are two other types of hackers: black hat and gray hat.
Where white hat hackers disclose all the vulnerabilities they find to the party responsible for the system -- usually, the company or vendor that makes the affected product -- a black hat hacker has no qualms about selling vulnerabilities and exploits to the highest bidder, such as a criminal organization, usually for the purpose of exploiting them. Black hat hackers are willing to break the law to discover, create and use security flaws maliciously for personal gain or to make a political statement.
Gray hat hackers fall between white and black hats on the moral spectrum. Gray hats generally consider themselves good guys who are more flexible about the rules under which they operate. For example, a gray hat hacker may be more likely than a white hat hacker to access systems without getting permission or authorization from the owners, but would be less likely than a black hat hacker to cause damage to those systems. While not typically motivated by financial gain, gray hat hackers may try to get the owners of a system they've hacked to pay them to patch or fix those systems.
The ethical practices of a gray hat hacker may also vary depending on their perception of the values of the individuals or organizations they are hacking. A gray hat might coordinate disclosure of a vulnerability with a company or government agency whose actions they support, while they might share the vulnerability with other hackers when the flaw affects organizations they don't support.
For example, when the FBI was investigating the suspect involved in the 2015 San Bernardino shooting, it was unable to unlock his iPhone. In a highly publicized back-and-forth, Apple refused to unlock the phone for the FBI, which sparked the going dark debate over encryption backdoors for law enforcement.
While Apple was still refusing to unlock the iPhone, The Washington Post reported that at least one gray hat hacker helped to disclose at least one security vulnerability in iPhones to the FBI, and the agency was then able to access the shooter's phone. In this example, a white hat hacker would have disclosed the vulnerability to Apple so the vendor could fix the issue.
White hat hacking tools and techniques
White hat hackers, especially those doing penetration testing, use the same hacking techniques as black hat hackers to uncover security vulnerabilities. Penetration testing involves gathering information about the target of the testing -- such as a network or web application, for instance -- identifying the possible entry points, trying to break in through those points, and then reporting the findings of the test.
An ethical hacker may also use strategies like emailing the staff at a company and attempting to phish for sensitive information, or even physically trying to break and enter into the systems. In these extreme cases, only the top-level employees at the company would know what was happening.
White hats may also perform a denial-of-service attack on a cloned version of a company's system, or on the system itself when the critical usage is at a minimum.
Social engineering is another hacking technique that white hat hackers use to test how secure a company really is. Social engineering attacks take advantage of human behavior to trick people into breaking security procedures or giving away sensitive information.
Some white hat hackers also use security scanners and frameworks to find known vulnerabilities.
Becoming a white hat
Some white hat hackers used to be black hat hackers who became more ethically attuned as they matured; others were caught, and then decided to take the ethical hacker path to pursue their interests without the threat of prosecution.
Undergraduate and graduate degrees in computer science, information security or mathematics are good backgrounds for white hat hackers to have, though having a genuine interest in and passion for security is the biggest asset.
People looking to become white hat hackers may also find good use for certifications like the Certified Ethical Hacker (CEH) from the EC-Council or GIAC's Security Administrator certifications, including GIAC Security Essentials Certification, GIAC Penetration Tester, the GIAC Exploit Researcher and the GIAC Advanced Penetration Tester.
A background or certifications in computer forensics can also be useful for ethical hackers.
Famous white hat hackers
There are a number of well-known white hat hackers in the industry.
Marc Maiffret is known for exposing vulnerabilities in Microsoft products, such as the Code Red worm, starting when he was a teenager. He later went on to co-found a software security company and eventually become the chief technology officer of the security company BeyondTrust.
Kevin Mitnick is another well-known white hat hacker. Formerly known as the most wanted cybercriminal in America, Mitnick was arrested in 1995 and served five years in jail for his hacking. After that brush with the law, Mitnick became a white hat hacker and now runs a security consulting firm.
Tsutomu Shimomura is the white hat hacker responsible for finally catching Mitnick. A computer scientist and physicist, Shimomura has worked for the NSA, and he assisted the FBI in the highly publicized takedown of Mitnick.
Robert 'RSnake' Hansen discusses the concerning trends in hacking.
Robert "RSnake" Hansen is also a well-known white hat hacker who co-coined the term clickjacking. He is now the CISO at OutsideIntel.
In the same vein, Dan Kaminsky became famous when he discovered a critical DNS design flaw, and he went on to become the chief scientist of the security firm White Ops.
Other big names in white hat hacking include Jeff Moss, who founded the Black Hat and DEFCON security conferences; Dr. Charlie Miller, who hacked for the NSA for five years; and Apple co-founder Steve Wozniak.
Legal issues with white hat hacking
The differences between a white hat and a black hat come down to permission and intent. A white hat doesn't hack systems without permission from the company to test its defenses, and he discloses vulnerabilities responsibly. A black hat has neither permission nor good intentions, and he generally won't disclose vulnerabilities responsibly unless there is financial or legal incentive.
However, the white hat and the black hat generally use the same tools and techniques. This can lead to complicated legal situations for ethical hackers.
For instance, in order to thoroughly test a company's security, an ethical hacker will have to try to gain access to the company's systems not just directly, but through its business partners, as well. If the company that requested penetration testing does not also get consent from its business partners, the white hat could end up illegally penetrating the business partners' systems.
Additionally, if an ethical hacker is able to access sensitive data -- such as customer data -- their duty is to report it to the company responsible for that data. This, however, does not necessarily mean the customer will be notified that their information was exposed. It also means the ethical hacker has seen personal customer data.
The legality of white hat hacking is often discussed among security professionals, and it is generally described as a gray area.