October 28, 2016 By Fran Howarth 2 min read

Black Hat Europe 2016 is almost upon us. The event offers technical training and briefings to showcase the newest research and disclose the latest vulnerabilities. Many of these vulnerabilities are uncovered by penetration testing, and Black Hate Europe 2016 offers four interesting training sessions on that subject.

Sharing Is Caring

It is especially important to share information regarding security vulnerabilities. This was a key focus at the recent Black Hat USA conference and will likely be much discussed at Black Hat Europe 2016. During the keynote speech in the U.S., Dan Kaminsky of White Ops urged the public and private sectors to work together to deal with cyberthreats faster and more efficiently. According to Kaminsky, information sharing is essential to this effort.

Hackers and security researchers have been attempting to share information and warn of vulnerabilities that put systems at risk, but they were often ignored or even threatened with lawsuits. As security breaches became everyday news, however, cybercriminals realized they could potentially fetch millions of dollars in exchange for vulnerability information on the black market. Some of this information has even been sold to governments.

On the other hand, organizations and technology vendors realized they can benefit from the work of outside security researchers. They began to warm to the idea of rewarding these individuals to encourage ethical disclosure whereby the information is not made public until after the company that received a warning has time to fix the problem.

Bug Bounties Bring Big Bucks

Nowadays, many organizations run bug bounty programs, offering a wide variety of incentives for security researchers to disclose vulnerabilities, including some new programs announced at Black Hat USA. Perhaps more will be announced during Black Hat Europe 2016 in response to new vulnerabilities to be announced.

Since it launched its bug bounty program in 2011, Facebook has awarded more than $4.3 million to more than 800 researchers. As many as 210 researchers were awarded $936,000 in 2015 alone, with payouts averaging $1,780.

According to the “2016 Bug Bounty Hacker Report” from HackerOne, 57 percent of hackers who participated in bug bounty programs have not received payments for their efforts. Just over half are making less than $20,000 for their hacking activities and only 6 percent report earning more than $100,000. However, 45 percent have full-time salaried employment.

Learn More at Black Hat Europe 2016

With rewards as low as they are in most cases, can hacking be considered to be entrepreneurial? Is there such a thing as making a living out of ethical hacking? Rewards tend to be based on the bug’s potential risk and criticality, rising rapidly when a really dangerous threat is found, regardless of the level of effort required to discover it.

So it seems that bug hunting itself is a risky business. An ethical hacker or researcher is not sure to find anything and may be left with slim pickings. Some of the largest rewards offered are never paid out, and those at the highest end of the scale are relatively rare. To encourage entrepreneurial hacking for the greater good, a culture of security information sharing should be encouraged and rewards made widespread. Black Hat Europe 2016 is a great forum for doing just that.

More from Risk Management

Back to basics: Better security in the AI era

4 min read - The rise of artificial intelligence (AI), large language models (LLM) and IoT solutions has created a new security landscape. From generative AI tools that can be taught to create malicious code to the exploitation of connected devices as a way for attackers to move laterally across networks, enterprise IT teams find themselves constantly running to catch up. According to the Google Cloud Cybersecurity Forecast 2024 report, companies should anticipate a surge in attacks powered by generative AI tools and LLMs…

Mapping attacks on generative AI to business impact

5 min read - In recent months, we’ve seen government and business leaders put an increased focus on securing AI models. If generative AI is the next big platform to transform the services and functions on which society as a whole depends, ensuring that technology is trusted and secure must be businesses’ top priority. While generative AI adoption is in its nascent stages, we must establish effective strategies to secure it from the onset. The IBM Institute for Business Value found that despite 64%…

Ermac malware: The other side of the code

6 min read - When the Cerberus code was leaked in late 2020, IBM Trusteer researchers projected that a new Cerberus mutation was just a matter of time. Multiple actors used the leaked Cerberus code but without significant changes to the malware. However, the MalwareHunterTeam discovered a new variant of Cerberus — known as Ermac (also known as Hook) — in late September of 2022.To better understand the new version of Cerberus, we can attempt to shed light on the behind-the-scenes operations of the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today