October 28, 2016 By Fran Howarth 2 min read

Black Hat Europe 2016 is almost upon us. The event offers technical training and briefings to showcase the newest research and disclose the latest vulnerabilities. Many of these vulnerabilities are uncovered by penetration testing, and Black Hate Europe 2016 offers four interesting training sessions on that subject.

Sharing Is Caring

It is especially important to share information regarding security vulnerabilities. This was a key focus at the recent Black Hat USA conference and will likely be much discussed at Black Hat Europe 2016. During the keynote speech in the U.S., Dan Kaminsky of White Ops urged the public and private sectors to work together to deal with cyberthreats faster and more efficiently. According to Kaminsky, information sharing is essential to this effort.

Hackers and security researchers have been attempting to share information and warn of vulnerabilities that put systems at risk, but they were often ignored or even threatened with lawsuits. As security breaches became everyday news, however, cybercriminals realized they could potentially fetch millions of dollars in exchange for vulnerability information on the black market. Some of this information has even been sold to governments.

On the other hand, organizations and technology vendors realized they can benefit from the work of outside security researchers. They began to warm to the idea of rewarding these individuals to encourage ethical disclosure whereby the information is not made public until after the company that received a warning has time to fix the problem.

Bug Bounties Bring Big Bucks

Nowadays, many organizations run bug bounty programs, offering a wide variety of incentives for security researchers to disclose vulnerabilities, including some new programs announced at Black Hat USA. Perhaps more will be announced during Black Hat Europe 2016 in response to new vulnerabilities to be announced.

Since it launched its bug bounty program in 2011, Facebook has awarded more than $4.3 million to more than 800 researchers. As many as 210 researchers were awarded $936,000 in 2015 alone, with payouts averaging $1,780.

According to the “2016 Bug Bounty Hacker Report” from HackerOne, 57 percent of hackers who participated in bug bounty programs have not received payments for their efforts. Just over half are making less than $20,000 for their hacking activities and only 6 percent report earning more than $100,000. However, 45 percent have full-time salaried employment.

Learn More at Black Hat Europe 2016

With rewards as low as they are in most cases, can hacking be considered to be entrepreneurial? Is there such a thing as making a living out of ethical hacking? Rewards tend to be based on the bug’s potential risk and criticality, rising rapidly when a really dangerous threat is found, regardless of the level of effort required to discover it.

So it seems that bug hunting itself is a risky business. An ethical hacker or researcher is not sure to find anything and may be left with slim pickings. Some of the largest rewards offered are never paid out, and those at the highest end of the scale are relatively rare. To encourage entrepreneurial hacking for the greater good, a culture of security information sharing should be encouraged and rewards made widespread. Black Hat Europe 2016 is a great forum for doing just that.

More from Risk Management

Why do software vendors have such deep access into customer systems?

4 min read - To the naked eye, organizations are independent entities trying to make their individual mark on the world. But that was never the reality. Companies rely on other businesses to stay up and running. A grocery store needs its food suppliers; a tech company relies on the business making semiconductors and hardware. No one can go it alone.Today, the software supply chain interconnects companies across a wide range of industries. Software applications and operating systems depend on segments of the software…

How CTEM is providing better cybersecurity resilience for organizations

4 min read - Organizations today continuously face a number of fast-moving cyber threats that regularly challenge the effectiveness of their cybersecurity defenses. However, to keep pace, businesses need a proactive and adaptive approach to their security planning and execution.Cyber threat exposure management (CTEM) is an effective way to achieve this goal. It provides organizations with a reliable framework for identifying, assessing and mitigating new cyber risks as they materialize.The importance of developing cybersecurity resilienceRegardless of the industry, all organizations are subject to certain…

Is the water safe? The state of critical infrastructure cybersecurity

4 min read - On September 25, CISA issued a stark reminder that critical infrastructure remains a primary target for cyberattacks. Vulnerable systems in industrial sectors, including water utilities, continue to be exploited due to poor cyber hygiene practices. Using unsophisticated methods like brute-force attacks and leveraging default passwords, threat actors have repeatedly managed to compromise operational technology (OT) and industrial control systems (ICS).Attacks on the industrial sector have been particularly costly. The 2024 IBM Cost of a Data Breach report found the average total…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today