Three years ago, faced with the challenge of repaying an education loan, then 20-year-old Manish Bhattacharya desperately needed to make money. To do that, Bhattacharya, a student of computer science, focussed all his energies on one thing: bug bounties.
Bug bounties are monetary rewards offered by technology companies to geeks who spot bugs, errors and security flaws before malicious hackers or cyber criminals spot them.
Bhattacharya received his first bounty of $100 in 2013 from Asana, a company that lets teams track their work, for reporting a minor security glitch. In two years, this Bhagalpur lad earned enough to square off his student loan and became financially independent.
“By far, my highest reward is $5,000 (about Rs. 3.5 lakh) paid out by Google,” said Bhattacharya, who was rewarded by the technology giant for reporting a remote login vulnerability.
Bhattacharya isn’t the only desi bug bounty hunter saddling up and scouring cyberspace for flaws and glitches. A report by Bugcrowd, one of the earliest crowdsourcing companies, found that 28.2% of the hacker sign-ups worldwide for bug bounty programmes until March were from India. Techies from the United States (24.4%), the United Kingdom (3.9%), Pakistan (3.5%) and Australia (2.4%) came next.
The idea of bug bounties goes back to as far as 1995, when Netscape offered a reward to hackers for spotting bugs in its web browser.
Almost all the tech giants such as Facebook, Google, Apple, Twitter and Yahoo! either have their own programmes or work with third-party companies to reward hackers based on the severity of the security flaw reported. Even companies such as General Motors, Khan Academy, Starbucks and United Airlines have bug bounty programmes.
However, only a handful of Indian companies are willing to let bug bounty hunters look at their code. The few that do are startups like Paytm, Ola and Mobikwik.
“Bug bounties happen after an evolved state of security. When (internal security) teams are unable to find further vulnerabilities, they choose to go down the crowd-security path,” said Ankush Johar, director at BugsBounty, a crowd-security company that can be thought of as an aggregator for ethical hackers, a model that is increasingly being used by companies as part of their bug bounty programmes.
Mobile wallet Paytm says open-sourcing security has made its systems more ‘hack-proof.’ “While our internal testing teams are always on high alert, bug bounty programmes help us identify sporadic loopholes in our system, and fix them immediately,” said Sourabh Sharma, assistant vice president at Paytm.
Cab aggregator Ola says it was the first Indian startup to launch a bug bounty programme, in 2015.
“Early progress has been quite promising, where we received phenomenal response from security researchers from across the world,” said an Ola spokesperson. “Depending on the severity, impact and complexity of the vulnerability reported, these researchers can win cash or exciting goodies like smartwatches, smart TVs, tablets or smartphones as well.”
Indian security researchers claim that unlike the West, most Indian companies penny-pinch when it comes to bug bounties.
“Instead of money payments they send certificates or goodies – CD, pen drive, T-shirts etc. These are not lucrative enough,” said Vikram Karthik, a Chennai-based ex-security researcher. “Some companies delay the payment and inform a week later that the specific vulnerability has already been reported,” he added.
Another security engineer, Anand Prakash – who has raked in over Rs 1.3 crore in bounties so far – says that most Indian companies “do not respond whenever an ethical hacker reports a bug.”
The biggest problem is the mindset of burying bug discovery under the carpet. “Acknowledging the bug is the first step. Indian companies end up trying to cover up,” said Shubham Paramhans, an ex-freelance security researcher.
Internationally, bounties vary anywhere between $100 and $200,000 depending upon the severity of the bug: the higher the severity, the bigger the payout.
Paytm’s Sharma did not disclose the value of the bounty the mobile wallet pays. “The rewards, monetary or otherwise, are insignificant. People do it because they believe in our mission to bring half a billion Indians to the mainstream,” he said.
The Bugcrowd report corroborates the fact that Indian security researchers have been stacking up bounties like poker chips, though thanks largely to foreign companies.