A gray hat is a reference to a computer hacker who acts illegally to expose a security threat but does not use that threat maliciously against the vulnerable party. Instead, the hacker makes the party aware of the threat so that the threat can be neutralized. In other words, gray hat hacking is a blend of white hat and a black hat hacker.
In gray hat hacking, the hacker is well-intentioned but still uses illegal means to expose security threats. The first use of the term "gray hat" in reference to hacking appeared in 1998 from a hacker group called L0pht. A gray-hat hacker falls in between these two extremes. Therefore, a gray-hat hacker might selectively report security threats to a company and withhold information regarding the existence of others.