Coming Full Circle: Teaching Ethical Hacking at Aalen University

I was 14 when I found my first vulnerability.

It was an online game. I had no idea what responsible disclosure, bug bounty, or legal boundaries were supposed to mean. I just knew something was broken, and someone should probably know about it. So I did what made sense at the time: I joined the vendor’s IRC channel and reported it.

There was no reward. No programme. No formal process. I asked for one thing instead: a written confirmation that I had reported the issue responsibly.

Years later, that single piece of paper helped me land my first job in security.

That moment kicked off a journey that eventually led me to complete my Master of Science in IT Security Management at Aalen University, and later into my current work as an Application Security Specialist, dealing with vulnerability reports, disclosures, and bug bounty submissions on a weekly basis.

Last month, I returned to Aalen University.

Not as a student, but as a guest lecturer.

More than 100 students joined the seminar, which made one thing very clear: the interest in ethical hacking is there, but so is the confusion around how it actually works in the real world.

Ethical Hacking: Both Sides of the Story

The 90-minute seminar focused on Ethical Hacking, but not in the romanticised “hoodie and terminal” sense.

Instead, we looked at the full system.

On one side:

  • Bug bounty hunters and independent researchers
  • Penetration testers and red teamers
  • People driven by curiosity, skill, and sometimes frustration

On the other:

  • Large organisations processing dozens or hundreds of reports
  • Security teams balancing risk, legality, and scale
  • Disclosure workflows, SLAs, and internal coordination

We covered the practical differences between:

  • Bug Bounty programmes
  • Penetration testing
  • Responsible disclosure

And more importantly, what separates good ethical hacking from behaviour that crosses legal and ethical lines.

When Disclosure Works — and When It Doesn’t

A major part of the session focused on real-world cases.

Not abstract examples. Real German cases.

Some were handled well:

  • Clear communication
  • Mutual respect
  • Coordinated remediation
  • Proper credit and responsible timelines

Others ended in escalation:

  • Lawyers
  • Courts
  • Burned bridges
  • Careers damaged on both sides

We analysed why those situations went wrong, what could have been done differently, and where responsibility sits on both sides.

We also looked at:

  • Vulnerability Reporting Programmes (VRPs)
  • Legal considerations researchers often underestimate
  • How vulnerabilities move through CVE, CNAs, and coordinated disclosure
  • Examples of excellent and terrible vulnerability reports, written by both hackers and companies

Because finding a bug is only half the job.

How it’s communicated and handled is what actually determines the outcome.

Vulnerabilities as Shared Wins

One idea came up repeatedly during discussion: vulnerabilities should be treated as shared wins.

Not as embarrassment.

Not as failure.

Not as a threat.

When organisations and researchers work together properly, vulnerability disclosure becomes a self-healing mechanism of the ecosystem. It’s how systems improve over time. It’s how trust is built between vendors, researchers, and users.

Bug bounty programmes and disclosure frameworks are a privilege. They didn’t exist a few decades ago. When they’re designed and run well, everyone benefits:

  • Users get safer products
  • Companies reduce real risk
  • Researchers can operate legally and sustainably

When they’re handled poorly, everyone loses.

Back Where It Started

Returning years after graduating was a reminder of how nonlinear security careers actually are.

You don’t start by knowing frameworks, laws, or processes.

You start by being curious.

By breaking things.

By asking questions.

Maybe someone in that seminar will report their first vulnerability soon.

Hopefully with better guidance than I had at 14.

Thanks again to Professor Christian Koot for the invitation, and to more than a hundred engaged students for the sharp questions and honest discussions.

This is how the next generation of ethical hackers starts.

Note: This lecture was supported by the Funding Programme for Technology and Science Ethics at the Universities of Applied Sciences (HAW) of the State of Baden-Württemberg (Förderprogramm für Technik- und Wissenschaftsethik an den HAW des Landes Baden-Württemberg).