I’ve lately seen multiple bug bounty hunters on Twitter (and other platforms) proudly exclaiming that hacking is not a crime. They are not wrong, but I think the answer needs to be a bit more nuanced. So here is my take on hacking.

Hacking is not inherently a crime, but neither is it automatically never criminal. I would compare it with lighting a fire. There are instances where it is helpful and legal (e.g. lighting a campfire), but there are at least as many ways of doing it illegally (e.g. burning down a building). The act of lighting a fire can be good or bad, legal or illegal, ethical or unethical. Everything depends on how you do it.

The same can be said about hacking. It can be used for good or for bad, and the risk of the current spread of “Hacking is not a crime” is that it draws a line and divides. The reality is not black or white, and we as security professionals have to help the ones not as familiar with the area to understand the difference.

With this said, I would love to change the mantra from “Hacking is not a crime” to “Hacking can be used for good”. This way we are enforcing the positivity, while not hiding the dark side. From my point of view, the best way to gain trust and change people’s views is to not oversimplify. We need to explain, and allow people to come to their own conclusions. We just need to give them the information they need to make an informed decision, understanding that there is a grey in between the black and the white.