Legality of Pentesting and Vulnerability Research

So, you've been learning different pentesting techniques and tools, and you are eager to apply them in the wild. As exciting as this sounds, thou shalt restrain thyself!

It's very likely that you will want to check whether the websites you normally use, like your bank's, have the vulnerabilities you've been studying. But before you decide to target third-party websites without authorization, you should understand the legal consequences of doing so.

The specifics of what's legal or not in the cybersecurity space depend on the region where you and/or your target are physically located. However, the scope of laws and regulations can be grouped into a few categories, which describe the types of activities that are generally considered illegal. I've extracted the following categorization from the Cyber Security Body of Knowledge, published a few months ago by the UK's National Cyber Security Centre (NCSC).

Crimes Against Information Systems

Between the early 80s and the late 90s, there was little to no regulation of individuals' attempts to compromise computer infrastructure. Lawmakers in different parts of the world, like the UK Parliament and the US Congress, responded by adopting laws and acts that define what constitutes a crime against information systems and the corresponding penalties.

Improper Access to a System

The mere act of accessing a system without authorization can be criminalized. You don't even have to hack your way in. The fact that someone left their password written on a post-it under the keyboard doesn't mean you can use it to unlock their computer.

One scenario that falls under the same heading, but whose criminal status is still being debated, is when an individual has approved access to a system but wrongfully exceeds the specific scope of permissions granted to them.

Improper Interference with Data

This includes any action that inappropriately deletes, damages, deteriorates, alters or suppresses data. One clear example is ransomware, where a malicious person gains access to data on someone else's system, encrypts said data so its owner can't access it, and demands payment to decrypt it.

Improper Interference with Systems

This refers to actions that negatively impact the performance of an information system. An example would be causing a Denial of Service (DoS) attack, either purposefully or by accident. An unintentional DoS attack could be caused by running automated tools or scripts against systems that don't have adequate protection, like rate limiting, load balancing, etc.

Improper Interception of Communication

It's generally considered a crime to wrongfully intercept electronic communications. There are different ways in which this could be achieved, for example using a device to capture data packets traveling over wireless signals, or setting up fake wireless access points in public places.

Producing Hacking Tools with Improper Intentions

Production and distribution of tools with the intention of facilitating criminal activity against information systems is also commonly considered a crime. In these cases, it's usually not so much about the tool itself and what it does, but more about the way the distributor publicizes the tool and the language they use. That said, it can still be challenging to distribute tools for academic or research purposes if authorities happen to mischaracterize said purpose.

Lawfully Applying your Knowledge

It's clear that using your newly acquired hacking knowledge without proper authorization can cause you legal problems. However, it's also widely acknowledged that one of the best ways of learning is through practice. There are places out there, like Pentesterlab and Cybrary, that use the learn-by-practice model, relying on virtualization or similar technologies to achieve it.

Additionally, there are platforms like Bugcrowd and HackerOne where you can register as a pentester. Their customers publish programs that define which parts of their website or application are in scope for security research, along with any other conditions that may apply. It's very important to adhere to the guidelines provided by each company, as not doing so could potentially qualify as cybercrime.

It's interesting to see that nowadays there are safe places for curious minds trying to responsibly apply their learning and knowledge, by partnering with companies that want to provide safer and more secure products to their users and customers. It's also a relief when you are one of those curious minds. Happy hacking!