Black Hat speaker Imran Parray (Founder and CEO at Snapsec) launched his career by reporting thousands of security vulnerabilities to companies via their security disclosure programs. Those companies included Google, Auth0, Typeform, and Hibob – and by helping them secure their networks, Parray gained both experience and a positive reputation among potential clients.
For fledgling ethical hackers looking for a way to establish themselves in the sector, this is a route that’s worth considering. You’ll finetune your skills, gain real-world knowledge and efficient strategies, and have the opportunity to build relationships with organisations at the same time.
A vulnerability disclosure program (VDP) is an organised framework that allows hackers to record and submit vulnerabilities to organisations – and encourages them to look for those vulnerabilities in the first place.
For the host organisation, VDPs support overall security posture by inviting ethical hackers to report vulnerabilities through a structured program, so the organisation can patch those vulnerabilities before malicious hackers exploit them.
Private and public sector organisations run VDPs that are managed by their internal security team or external security providers. A VDP must be built around a trusted methodology for receiving, assessing, and acting on vulnerability reports – so most programs prioritise reported vulnerabilities in terms of severity, and include a tracking system that shows the progress of remediation for each reported vulnerability.
Ethical hackers don’t get paid for reporting vulnerabilities via a VDP; the practice is sometimes described as a ‘neighbourhood watch’ system that provides a structured framework for everyone to look out for each other. But that doesn’t mean it’s an altruistic activity – hackers benefit from engaging in vulnerability disclosure programs in a number of ways, including:
Organisations with a vulnerability disclosure program will usually publish their vulnerability disclosure policy on their website. That policy will probably look something like this template from CISA – detailing the organisation’s disclosure guidelines, the testing methods they will (and won’t) accept, how to report a vulnerability, and what you can expect in response.
Read each organisation’s policy in full, because they do vary. And then get involved; seek and disclose vulnerabilities for those organisations and use that work to lay the foundations for your career to grow.
If you want to network directly with organisations, dig into the details of their vulnerability disclosure programs, or meet face-to-face with organisations you’ve already supported via their VDPs – then register now to attend Black Hat MEA 2024.