
Shades of Gray: The Risk of Doing Business with Hackers

Jessica Stainer, November 24, 2025

Inside a smoky room, business partners exchange pleasantries across a crowded table. 

The air gets heavy. The conversation stops. A well-dressed figure steps through the door. With a hand outstretched, the stranger promises to keep them all safe from harm for another month. As long as they have the cash.

The scene above could be pulled straight from an old-fashioned mafia movie, but it’s also representative of a growing digital threat: ethically ambiguous hackers offering “protection” for a fee. 

By informing businesses of potential vulnerabilities before they’ve been exploited, gray hat hackers can appear altruistic. However, attitudes can quickly turn when informal communications devolve into demands for money. Below, we’ll explore the “many hats” hackers wear and why businesses should consider all risk factors when engaging with anonymous figures online.

Hackers wear many hats (with different goals)

Most notable cyber incidents are the work of so-called “black hat” hackers: criminals acting with malicious intent, whether for personal gain or, as with nation-state actors, for political or ideological reasons. Behind headline-grabbing ransomware attacks and successful phishing campaigns, there’s often a hacker (or an entire criminal enterprise) after a lump sum.

On the other hand, “white hat” hackers (or, “ethical hackers”) use the same skills but with permission and within the confines of the law, either for the greater good, financial reward, or individual recognition.

Businesses work with ethical hackers and security researchers through legitimate bug bounty programs, or engage them as penetration testers, to identify vulnerabilities in their networks and applications.

With a deliberately scoped bug bounty program, a business invites ethical hackers to probe specific domains or applications. Payment depends on the severity of what they find. As a willing participant, the business sets expectations, scope, and rules of engagement (including what is off limits and how findings are to be reported) before any testing starts.

In a penetration test, ethical hackers simulate a cyber attack using the same tools and techniques as malicious threat actors, then report their findings so the business can close the gaps before a real attacker finds them.

Even the US government turns to ethical hackers. Since 2016, The Department of Defense has run a “Hack the Pentagon” program to identify weaknesses within the department’s public-facing systems. Since the program’s launch, over 2,100 vulnerabilities have been flagged for remediation by white hat hackers.

The ethical dilemma 

The world exists in shades of gray, hackers included. Black hat hackers discover a vulnerability and exploit it with malicious intent. White hat hackers, working with permission, report it to the affected organization so it can be fixed and, where appropriate, raise awareness about emerging threats.

And in the morally ambiguous space between them, there are “gray hat” hackers. 

Many of these hackers believe that businesses should improve their cybersecurity posture, but may operate outside the confines of bug bounty programs — and the law — to find potential flaws. Like black hat hackers, they gain access to a system or network illegally and without permission. Instead of escalating their findings into a cyber attack, they may offer their findings to the targeted business. For a price.

The key difference between white hat and gray hat hackers is consent: whether the testing was authorized in advance and whether findings flow through an agreed channel. Many sanctioned bug bounty programs offer clearly defined rules or even contracts for hackers to abide by, which reduces the risk of hackers selling or sharing their findings on the dark web, escalating their discoveries into full-blown cyber attacks, and/or naming and shaming on the clear web. But even within the confines of bug bounty programs, the lines between “good” and “bad” hackers can get murky.

Morally ‘gray’ hackers in action

Project 529, a technology company that helps reduce bicycle theft, established a bug bounty program to uncover flaws in its product. One day, the company was contacted by a group presenting itself as white hat hackers who reported multiple vulnerabilities. Project 529 paid the group and fixed the flaws. But things escalated quickly when the hackers returned with a list of nearly 50 additional vulnerabilities.

After reviewing the list, Project 529 disagreed that they were valid or critical issues, but nevertheless offered a lump-sum payment to the hackers. The hacker group refused the offer and demanded individual payments for each vulnerability: one was priced at $100,000 and another at $20,000. The hackers became increasingly threatening.

At this point, the CEO of Project 529 escalated concerns to Coalition, Project 529’s cyber insurance provider. Coalition Incident Response (CIR), an affiliate of Coalition, began an investigation and instructed Project 529 to cease all communications with the hacker group.

CIR determined that the group was not legitimate and was using AI-generated images for its “employees.” CIR also audited Project 529’s IT infrastructure, found no breaches, critical security issues, or exploitable vulnerabilities, and provided recommendations to improve the company’s overall cybersecurity posture.

In another instance involving a gray hat hacker, CIR has seen an “altruistic” act, such as reporting data accessible through a publicly exposed server in exchange for a small payout, escalate months later when the same hacker returned with a ransom demand for the same dataset.

Don’t wait to hear from hackers

At the end of the day, most hackers want the same thing: money. 

The variable is the degree to which they want it, and the route they’re willing to take to get it. As seen with Project 529’s experience, benign interactions can quickly escalate to extortion attempts. Yet, for many businesses, working with white hat hackers and bug bounty programs can be fruitful for navigating risk and reducing their exposure. 

There’s no one-size-fits-all answer to whether a business should work with white or gray hat hackers to secure its systems. As with most things, it’s complicated, and the legal landscape in this area is complex. However, with the right proactive steps and a skeptical attitude, businesses can reduce the risk of being a target for opportunistic hackers in all shades of gray.

Implement managed detection & response (MDR) to catch suspicious activity 

Don’t wait to hear from an anonymous “good guy” on the web to take action. 

Many small and midsize businesses (SMBs) lack the in-house resources or skillset to monitor their entire attack surface, including hundreds or thousands of endpoints. MDR provides businesses with hands-on 24/7 monitoring and response at the first sign of suspicious activity, including alerts on high-risk vulnerabilities. 

Consider risk factors

There’s always a risk when working with unknown entities. Having robust cybersecurity measures in place before engaging with white hat hackers limits what a tester (or anyone posing as one) can reach and reduces the risk of unauthorized access. In addition, third-party platforms can help businesses safely establish bug bounty programs with agreed-upon monetary rewards, clear guidelines, and terms and conditions to abide by.

If a hacker reaches out unprompted (outside of a bug bounty program), the risk of escalation is likely higher. 
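One concrete way to give unsolicited reporters a sanctioned route, and to keep an unprompted contact from becoming an open-ended negotiation, is to publish a security.txt file (RFC 9116) at /.well-known/security.txt on the company’s web servers. The file below is an added example for this post, not something Coalition or Project 529 published; example.com and every URL in it are placeholders.

```text
# Served at https://example.com/.well-known/security.txt (RFC 9116).
# Constructed example; example.com and the URLs below are placeholders.
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-06-30T00:00:00.000Z
Encryption: https://example.com/security/pgp-key.txt
Policy: https://example.com/security/disclosure-policy
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Acknowledgments: https://example.com/security/thanks
```

Contact and Expires are the two fields the RFC requires; keep Expires less than a year out so a stale file never advertises a dead mailbox, and put the scope, safe-harbor terms, and reward conditions at the Policy URL. Anyone who approaches you outside this channel, or ignores the policy it points to, is by definition not operating within your program, which is useful context when a first friendly message turns into a demand.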

When in doubt, contact your cyber insurance provider 

As always, businesses should be cautious in digital communications. A sudden sense of urgency or an unexpected change, such as an increased payment demand, is a strong indicator of a scam or extortion attempt.

The faster a business contacts their cyber insurance provider, the better. Timely reporting of a cyber issue can be the deciding factor in whether a matter develops into a costly claim: 56% of all matters reported to Coalition were handled without any out-of-pocket payments by the policyholder.

If communications with a self-described white hat hacker turn sour, businesses should involve their cyber insurance provider for support as soon as possible.
