Here's the thing: black hats are always scanning you. Where I work, a fairly low-key place, we're currently being scanned on some of our ~100 Internet-facing IP addresses with a frequency of 15 requests per second. This is nothing uncommon. We get people on our guest network scanning us from the "inside" as well (they think they're inside, at least: they have a 10.x.x.x number, so they're inside, right?).
Point being: if you can't hold up to a white-hat scan, you're likely already hacked. Security is how you enforce your policy. But it's only white hat until data is compromised, and that's where the prosecution comes in.
That's not a justification for punishing white hats.
In the meantime, until we can make this understood, we need to make the workaround understood: if you find a security flaw in a system you don't own, and you haven't been formally hired for the specific purpose of finding that flaw, ignore it and get on with your life; it's not your problem. Going out of your way to help people in normal circumstances is noble. Going out of your way to help people who will reward you with a knife in the back is a mistake. Don't make that mistake.