Someone who finds a weakness in your home's security and uses that to enter your house, but does not steal anything, is STILL GUILTY of breaking and entering. Same goes with computer systems: if they gain unauthorized access to my systems by utilizing a security hole, they are breaking and entering.

Scanning is a bit of a different matter. If you just port scan my network, it will annoy me, but you really have not done anything wrong. Although why would you be portscanning me, if not to find out what services I am running that you may be able to exploit?

However, the vulnerability scanners, like those used to determine whether a webserver is vulnerable to a directory traversal exploit, actually attempt to break into the system, if only minimally.

Bottom line is this: certain people and organizations have been given certain rights to data/services on my systems. Everyone has been given access to read a website, for example, but only certain other people have access to do other things. If someone not on that list is attempting to access some service they have not been given permission to access, such as by trying to use a vulnerability in a webserver to execute commands on the server, they are without question guilty of attempting to break into my systems.

Preventing these people access is what firewalls and security etc. are all about. If I have done a good job, these people are kept out. If I have not done a good job or someone else does something really really stupid without my knowledge, they get in. In either case, they are breaking the law by attempting to break into my systems (IMHO).

If I wanted your (white hat) help securing my system, I would ask for it, and pay you appropriately. I would also sign a contract stating that I had given you permission to conduct these activities. If anyone attempts to get in without that permission, with whatever intentions, they are going to get into a mess of trouble.