October 28, 2016 By Fran Howarth 2 min read

Black Hat Europe 2016 is almost upon us. The event offers technical training and briefings to showcase the newest research and disclose the latest vulnerabilities. Many of these vulnerabilities are uncovered by penetration testing, and Black Hate Europe 2016 offers four interesting training sessions on that subject.

Sharing Is Caring

It is especially important to share information regarding security vulnerabilities. This was a key focus at the recent Black Hat USA conference and will likely be much discussed at Black Hat Europe 2016. During the keynote speech in the U.S., Dan Kaminsky of White Ops urged the public and private sectors to work together to deal with cyberthreats faster and more efficiently. According to Kaminsky, information sharing is essential to this effort.

Hackers and security researchers have been attempting to share information and warn of vulnerabilities that put systems at risk, but they were often ignored or even threatened with lawsuits. As security breaches became everyday news, however, cybercriminals realized they could potentially fetch millions of dollars in exchange for vulnerability information on the black market. Some of this information has even been sold to governments.

On the other hand, organizations and technology vendors realized they can benefit from the work of outside security researchers. They began to warm to the idea of rewarding these individuals to encourage ethical disclosure whereby the information is not made public until after the company that received a warning has time to fix the problem.

Bug Bounties Bring Big Bucks

Nowadays, many organizations run bug bounty programs, offering a wide variety of incentives for security researchers to disclose vulnerabilities, including some new programs announced at Black Hat USA. Perhaps more will be announced during Black Hat Europe 2016 in response to new vulnerabilities to be announced.

Since it launched its bug bounty program in 2011, Facebook has awarded more than $4.3 million to more than 800 researchers. As many as 210 researchers were awarded $936,000 in 2015 alone, with payouts averaging $1,780.

According to the “2016 Bug Bounty Hacker Report” from HackerOne, 57 percent of hackers who participated in bug bounty programs have not received payments for their efforts. Just over half are making less than $20,000 for their hacking activities and only 6 percent report earning more than $100,000. However, 45 percent have full-time salaried employment.

Learn More at Black Hat Europe 2016

With rewards as low as they are in most cases, can hacking be considered to be entrepreneurial? Is there such a thing as making a living out of ethical hacking? Rewards tend to be based on the bug’s potential risk and criticality, rising rapidly when a really dangerous threat is found, regardless of the level of effort required to discover it.

So it seems that bug hunting itself is a risky business. An ethical hacker or researcher is not sure to find anything and may be left with slim pickings. Some of the largest rewards offered are never paid out, and those at the highest end of the scale are relatively rare. To encourage entrepreneurial hacking for the greater good, a culture of security information sharing should be encouraged and rewards made widespread. Black Hat Europe 2016 is a great forum for doing just that.

More from Risk Management

Water facilities warned to improve cybersecurity

3 min read - United States water facilities, which include 150,000 public water systems, have become an increasingly high-risk target for cyber criminals in recent years. This rising threat has demanded more attention and policies focused on improving cybersecurity.Water and wastewater systems are one of the 16 critical infrastructures in the U.S. The definition for inclusion in this category is that the industry must be so crucial to the United States that “the incapacity or destruction of such systems and assets would have a…

Working in the security clearance world: How security clearances impact jobs

2 min read - We recently published an article about the importance of security clearances for roles across various sectors, particularly those associated with national security and defense.But obtaining a clearance is only part of the journey. Maintaining and potentially expanding your clearance over time requires continued diligence and adherence to stringent guidelines.This brief explainer discusses the duration of security clearances, the recurring processes involved in maintaining them and possibilities for expansion, as well as the economic benefits of these credentialed positions.Duration of security…

Remote access risks on the rise with CVE-2024-1708 and CVE-2024-1709

4 min read - On February 19, ConnectWise reported two vulnerabilities in its ScreenConnect product, CVE-2024-1708 and 1709. The first is an authentication bypass vulnerability, and the second is a path traversal vulnerability. Both made it possible for attackers to bypass authentication processes and execute remote code.While ConnectWise initially reported that the vulnerabilities had proof-of-concept but hadn’t been spotted in the wild, reports from customers quickly made it clear that hackers were actively exploring both flaws. As a result, the company created patches for…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today