Black Hat Europe 2016 is almost upon us. The event offers technical training and briefings to showcase the newest research and disclose the latest vulnerabilities. Many of these vulnerabilities are uncovered by penetration testing, and Black Hate Europe 2016 offers four interesting training sessions on that subject.

Sharing Is Caring

It is especially important to share information regarding security vulnerabilities. This was a key focus at the recent Black Hat USA conference and will likely be much discussed at Black Hat Europe 2016. During the keynote speech in the U.S., Dan Kaminsky of White Ops urged the public and private sectors to work together to deal with cyberthreats faster and more efficiently. According to Kaminsky, information sharing is essential to this effort.

Hackers and security researchers have been attempting to share information and warn of vulnerabilities that put systems at risk, but they were often ignored or even threatened with lawsuits. As security breaches became everyday news, however, cybercriminals realized they could potentially fetch millions of dollars in exchange for vulnerability information on the black market. Some of this information has even been sold to governments.

On the other hand, organizations and technology vendors realized they can benefit from the work of outside security researchers. They began to warm to the idea of rewarding these individuals to encourage ethical disclosure whereby the information is not made public until after the company that received a warning has time to fix the problem.

Bug Bounties Bring Big Bucks

Nowadays, many organizations run bug bounty programs, offering a wide variety of incentives for security researchers to disclose vulnerabilities, including some new programs announced at Black Hat USA. Perhaps more will be announced during Black Hat Europe 2016 in response to new vulnerabilities to be announced.

Since it launched its bug bounty program in 2011, Facebook has awarded more than $4.3 million to more than 800 researchers. As many as 210 researchers were awarded $936,000 in 2015 alone, with payouts averaging $1,780.

According to the “2016 Bug Bounty Hacker Report” from HackerOne, 57 percent of hackers who participated in bug bounty programs have not received payments for their efforts. Just over half are making less than $20,000 for their hacking activities and only 6 percent report earning more than $100,000. However, 45 percent have full-time salaried employment.

Learn More at Black Hat Europe 2016

With rewards as low as they are in most cases, can hacking be considered to be entrepreneurial? Is there such a thing as making a living out of ethical hacking? Rewards tend to be based on the bug’s potential risk and criticality, rising rapidly when a really dangerous threat is found, regardless of the level of effort required to discover it.

So it seems that bug hunting itself is a risky business. An ethical hacker or researcher is not sure to find anything and may be left with slim pickings. Some of the largest rewards offered are never paid out, and those at the highest end of the scale are relatively rare. To encourage entrepreneurial hacking for the greater good, a culture of security information sharing should be encouraged and rewards made widespread. Black Hat Europe 2016 is a great forum for doing just that.

More from Risk Management

Did Brazil DSL Modem Attacks Change Device Security?

From 2011 to 2012, millions of Internet users in Brazil fell victim to a massive attack against vulnerable DSL modems. By configuring the modems remotely, attackers could redirect users to malicious domain name system (DNS) servers. Victims trying to visit popular websites (Google, Facebook) were instead directed to imposter sites. These rogue sites then installed malware on victims' computers. According to a report from Kaspersky Lab Expert Fabio Assolini citing statistics from Brazil's Computer Emergency Response Team, the attack ultimately…

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Worms of Wisdom: How WannaCry Shapes Cybersecurity Today

WannaCry wasn't a particularly complex or innovative ransomware attack. What made it unique, however, was its rapid spread. Using the EternalBlue exploit, malware could quickly move from device to device, leveraging a flaw in the Microsoft Windows Server Message Block (SMB) protocol. As a result, when the WannaCry "ransomworm" hit networks in 2017, it expanded to wreak havoc on high-profile systems worldwide. While the discovery of a "kill switch" in the code blunted the spread of the attack and newly…

Why Operational Technology Security Cannot Be Avoided

Operational technology (OT) includes any hardware and software that directly monitors and controls industrial equipment and all its assets, processes and events to detect or initiate a change. Yet despite occupying a critical role in a large number of essential industries, OT security is also uniquely vulnerable to attack. From power grids to nuclear plants, attacks on OT systems have caused devastating work interruptions and physical damage in industries across the globe. In fact, cyberattacks with OT targets have substantially…