Bug hunters aplenty but respect scarce for white hat hackers in India

Sriram Sharma February 8, 2018 6 min

In the outsourced, global gig economy for white hat cybersecurity researchers, India is showing its strength in numbers. The world’s second-most populous country contributes more bug hunters to bug bounty platform HackerOne than the US.

India (23%) and the United States (20%) are the top two countries represented in the HackerOne hacker community. Other countries, Russia (6%), Pakistan (4%) and the United Kingdom (4%), add smaller numbers to the 166,000-plus registered user base of ethical hackers, as per the 2018 Hacker Report.

On Bugcrowd, another leading bug bounty platform, Indians are the second-largest group, at 23% of its 66,000+ reported user base, after the US (27%), going by numbers mentioned in the second annual Inside the Mind of a Hacker report, published in November 2017.

These two platforms are commonly referenced as the two main players in the space.

The concept of a bug bounty program was introduced by Netscape in 1995, inviting security researchers to report security vulnerabilities in Netscape Navigator 2.0 in exchange for cash and swag. The playbook is pretty much the same even now, except that bug bounty platforms like HackerOne and Bugcrowd provide a readily available base of security researchers from around the world, and manage payouts to a global community of security researchers. They also provide recognition and a safe and encouraging platform for hackers to interact with companies. Bug bounty programs can be private (where only a few security researchers from the community test the company’s infrastructure) or public, where anyone from the community is allowed to participate. The bug bounties awarded can be insignificant compared to the severity of the bug. The Heartbleed bug from the year 2014, for example, which affected OpenSSL, widely used by web servers and websites to secure communications, received a $15,000 bounty, which Google researcher Neel Mehta donated to the Freedom of the Press Foundation.

Other notable companies in the crowdsourced security space include Synack and Cobalt.io, which don’t really play up the size of their user base, choosing instead to focus on quality of hackers on their platform.

India contributes more security researchers to bug bounty platform HackerOne than the US.

While the dollar payouts are not so significant for western security researchers, owing to US$ to rupee conversion rates, top hackers in India earn 16x the median salary of a software engineer, the HackerOne report notes.

India’s white hat researchers have long been the top beneficiaries of Facebook’s whitehat program as well. India had the highest number of valid submissions in 2017, a year in which Facebook paid $880,000 in bug bounties to researchers.

“Less work, more money, and freedom. That’s why people do it,” says Pranav Hivarekar, a security researcher who has had a top 10 position in Facebook’s white hat page for 2018, 2017, and 2016, about bug hunting. He now runs Peritus InfoSec, an IT security testing firm in Pune. It takes a few years of effort to reach the top level, he adds.

Hivarekar cites unreliable internet and electricity as India-specific pain points for a bug hunter. “This doesn’t affect me now… but a normal student might get affected.”

India Inc: What, Me, Bug Bounty?

While India-based hackers have cumulatively earned upwards of $3 million on the platform, Indian companies contribute a tiny portion of that amount. Indian companies increased payouts to a sum of $91,860 via 11 programs on HackerOne in 2017, an improvement from a paltry $50 payout from April 2016 to April 2017.

The reason for this sharp jump? Foodtech unicorn Zomato, which experienced a data breach in May last year and has since doubled down on its bug bounty program. Zomato has made over 210 bug bounty payouts amounting to $80,000 since the May incident, according to its HackerOne activity profile.

Anand Prakash, one of India’s highest paid bug bounty hackers, and the founder of another bug bounty platform, HackerHive, says that there’s not much traction for similar programs in the country. “So far we’ve been approaching companies to do a bug bounty program, and very few have approached us,” he says. “Why should we reward hackers? That is the mentality.”

HackerHive currently has around 14 to 18 active programs from Indian companies such as Oyo Rooms, Exotel, and Tapzo. “Quite a few aren’t giving any rewards, they’re only giving goodies. Just one or two are paying hackers,” he says.

However, he sees some improvement in the security posture among Indian companies, as many of them now have a responsible vulnerability disclosure policy enabling hackers to report bugs. “Until last year, when I used to report a vulnerability in their systems, there used to be quite a few challenges in doing so,” he says. “But now, at least I can see security policies accounting for responsible vulnerability disclosure. So, there’s some improvement in attitudes.”

Still, payouts continue to be paltry. “A year ago, I reported a fairly serious bug in a well-funded e-commerce company, where I was able to log into anyone’s account and access credit card details. They paid me a mere Rs 5,000,” says Prakash.

Indian Govt: How Dare You?!

India’s legions of bug bounty hunters are under-utilised and underappreciated by the Indian government, too. “We’ve approached people in the government to start a bug bounty program, they don’t even care about vulnerability. They start threatening us as to why we’re interfering with their systems,” says Prakash. “I think getting Rs 5,000 is a better deal than getting legal threats.”

In contrast, HackerOne currently works with the US DoD (Department of Defense), EU Commission, and Singapore Ministry of Defense. The U.S. Department of Defense has resolved almost 3,000 vulnerabilities — and paid out $300,000 in bounties.

India’s national identity project UIDAI, which received global scrutiny in the past month from security researchers, serves as a good example of how the Indian government fails in its information security posture. UIDAI is short for Unique Identity Authority of India.

Could UIDAI’s security be vastly improved through a responsible disclosure page, and a bug bounty program? “Most definitely,” says Casey Ellis, founder and CTO of Bugcrowd, over a Twitter DM chat. “Hacker feedback is something any and every computer system can benefit from, regardless of how much security has been factored into its design,” he says. “You don’t know what you don’t know. That’s the main value of a bug bounty program.”

Notable tech companies with bug bounty and vulnerability disclosure programs include Google, Facebook, Microsoft, Uber, and Alibaba. But, to be sure, the HackerOne report notes that 94% of the Forbes Global 2000 companies do not have a published vulnerability disclosure policy. One in four hackers didn’t report a vulnerability they found because they didn’t have a proper channel to disclose it.

Most of these bounty hunters are in college; full-time bounty hunters are quite a few in number. Most of them do it for fun, says Anand Prakash, one of India’s most well-paid bug bounty hunters. Photo: Rajesh Subramanian

While it’s easy to picture these bounty hunters only as money-minded cyber-mercenaries, the HackerOne report characterises them as curious, tenacious, communal and charitable.

“One of the biggest differences between the 2016 and 2018 reports was that hackers are motivated by opportunities to learn, be challenged and have fun more than money,” Marten Mickos, CEO of HackerOne, told FactorDaily over email. “While money definitely still attracts hackers to different programs, it’s not the key driver of what they do.” A point that the ecosystem may want to ponder.


               

Updated at 7:38 PM on 8th February 2018 to correct Zomato's Hacker Activity stats on HackerOne. The copy earlier said that they had made 35 bug bounty payouts in the past five months, with three payouts going out as high as $1000.

Updated at 9:43 AM on 9th February 2018 for a style change in the 5th paragraph.

Disclosure: FactorDaily is owned by SourceCode Media, which counts Accel Partners, Blume Ventures and Vijay Shekhar Sharma among its investors. Accel Partners is an early investor in Flipkart. Vijay Shekhar Sharma is the founder of Paytm. None of FactorDaily’s investors have any influence on its reporting about India’s technology and startup ecosystem.