Black Hat Europe 2016 is almost upon us. The event offers technical training and briefings to showcase the newest research and disclose the latest vulnerabilities. Many of these vulnerabilities are uncovered by penetration testing, and Black Hate Europe 2016 offers four interesting training sessions on that subject.

Sharing Is Caring

It is especially important to share information regarding security vulnerabilities. This was a key focus at the recent Black Hat USA conference and will likely be much discussed at Black Hat Europe 2016. During the keynote speech in the U.S., Dan Kaminsky of White Ops urged the public and private sectors to work together to deal with cyberthreats faster and more efficiently. According to Kaminsky, information sharing is essential to this effort.

Hackers and security researchers have been attempting to share information and warn of vulnerabilities that put systems at risk, but they were often ignored or even threatened with lawsuits. As security breaches became everyday news, however, cybercriminals realized they could potentially fetch millions of dollars in exchange for vulnerability information on the black market. Some of this information has even been sold to governments.

On the other hand, organizations and technology vendors realized they can benefit from the work of outside security researchers. They began to warm to the idea of rewarding these individuals to encourage ethical disclosure whereby the information is not made public until after the company that received a warning has time to fix the problem.

Bug Bounties Bring Big Bucks

Nowadays, many organizations run bug bounty programs, offering a wide variety of incentives for security researchers to disclose vulnerabilities, including some new programs announced at Black Hat USA. Perhaps more will be announced during Black Hat Europe 2016 in response to new vulnerabilities to be announced.

Since it launched its bug bounty program in 2011, Facebook has awarded more than $4.3 million to more than 800 researchers. As many as 210 researchers were awarded $936,000 in 2015 alone, with payouts averaging $1,780.

According to the “2016 Bug Bounty Hacker Report” from HackerOne, 57 percent of hackers who participated in bug bounty programs have not received payments for their efforts. Just over half are making less than $20,000 for their hacking activities and only 6 percent report earning more than $100,000. However, 45 percent have full-time salaried employment.

Learn More at Black Hat Europe 2016

With rewards as low as they are in most cases, can hacking be considered to be entrepreneurial? Is there such a thing as making a living out of ethical hacking? Rewards tend to be based on the bug’s potential risk and criticality, rising rapidly when a really dangerous threat is found, regardless of the level of effort required to discover it.

So it seems that bug hunting itself is a risky business. An ethical hacker or researcher is not sure to find anything and may be left with slim pickings. Some of the largest rewards offered are never paid out, and those at the highest end of the scale are relatively rare. To encourage entrepreneurial hacking for the greater good, a culture of security information sharing should be encouraged and rewards made widespread. Black Hat Europe 2016 is a great forum for doing just that.

more from Risk Management

NIST Supply Chain Security Guidelines: 10 Key Takeaways

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) recently published updated guidance for reducing cybersecurity risks in supply chains. Titled “Software Supply Chain Security Guidance,” the update is NIST’s response to directives issued by an executive order by President Joe Biden, designed to improve cybersecurity in the United States.  This NIST guidance is assumed to target…