Certified Ethical Hacker (CEH v11) — Question 338
John, a security analyst working for an organization, found a critical vulnerability on the organization's LAN that allows him to view financial and personal information about the rest of the employees. Before reporting the vulnerability, he examines the information shown by the vulnerability for two days without disclosing any information to third parties or other internal employees. He does so out of curiosity about the other employees and may take advantage of this information later.
What would John be considered as?
Answer options
- A. Cybercriminal
- B. White hat
- C. Gray hat
- D. Black hat
Correct answer: C
Explanation
John's actions classify him as a Gray hat: he discovered the vulnerability legitimately, but then spent two days viewing the exposed employee data without authorization, and he may use that information to his own advantage later. A White hat would have reported the vulnerability immediately without examining the data, while a Black hat would be actively exploiting it for personal gain. John's unauthorized curiosity, delayed reporting and only potential malicious intent place him between the two, in the Gray hat category.