"Is it illegal to test a website for vulnerability without permission from the owner?"
Or… "Is it illegal to disclose a vulnerability publicly?"
Well, the answer is YES, it's illegal most of the time, and doing so could backfire even when you have good intentions.
Last year, Hungarian police arrested a 20-year-old ethical hacker accused of finding and exploiting serious vulnerabilities in Magyar Telekom, the largest Hungarian telecommunication company. He is now facing up to 8 years in prison.
According to local Hungarian media, the defendant first discovered a severe vulnerability in Magyar Telekom's systems in April 2018 and reported it to company officials, who later invited him to a meeting.
Reportedly, the hacker then traveled to Budapest for the meeting, which didn't go as well as he expected, and apparently, the company did not permit him to test its systems further.
However, the man continued probing Magyar Telekom's networks and at the beginning of May discovered another severe vulnerability that could have allowed an attacker to access all public and retail mobile and data traffic, and monitor the company's servers.
When Magyar Telekom detected an "uninvited" intrusion on its internal network, the company reported the incident to the police the same day, leading to his arrest.
The hacker is currently on trial. The Hungarian Prosecution Service is requesting a prison sentence, while the Hungarian Civil Liberties Union, a non-profit human rights watchdog, is defending the hacker, claiming that the indictment is inaccurate, incomplete and in false colors.
However, the Prosecutor's Office said "anyone who reads the prosecutor's document can make sure that the indictment contains all information," arguing that the defendant crossed a line and that, due to the danger his actions may have posed to society, he must face legal consequences.
The Prosecutor's Office also offered the man a plea bargain under which, if he admitted his guilt, he would be given a 2-year suspended sentence, and if not, he would have to serve five years in jail.
After he refused the plea deal, the hacker has now been charged with an upgraded crime in the indictment, i.e., disrupting the operation of a "public utility," which could soon land him behind bars for up to 8 years, if proven guilty.