Moneycontrol PRO
you are here: HomeNewsBusiness

Bug Bounty hunters | Meet the Indians raking in lakhs to find software glitches

Men in white hats — ethical hackers — are reaping the rewards for finding glitches in computer systems that could be exploited by black hats — hackers — for gain. The payoff can be huge or minuscule, but the work is always absorbing. But sometimes, after months of hard work, there may be no bounty waiting at the end of it. Read on to find out all about the see-saw world of India's bug bounty hunters.

August 23, 2021 / 12:29 PM IST

Mayur Fartade, a final-year engineering college student, earned Rs 22 lakh ($30,000) on June 15. Narendra Bhati, a security professional in Pune, earned over Rs 80 lakh in 6-7 months, and Akhil George, a 23-year-old engineering graduate, earned Rs 66 lakh ($90,000) last year. Bhavuk Jain, an engineer from Ghaziabad, won Rs 75 lakh ($100,000) in a single day.

They didn't make that quick money by clicking on some dubious ads on a website. Rather, Fartade, Bhati, George and Jain are examples of how computer science engineers can earn lakhs finding bugs in software.

Fartade, a lanky 20-year-old youngster from Maharashtra, got interested in finding bugs in 2018, when he was a second year computer science student. His rite of passage into bug bounty started with a small bug on a government site that year. “Initially I was looking for small bugs. At that time I had no idea about what bug bounty programmes are,” he reluctantly revealed in a direct message.

It wasn’t until 2020, when the pandemic hit, that Fartade dedicated his time to learning about hacking, reading up on blog posts by cybersecurity researchers. “Before the pandemic, I didn’t get much time to find bugs because of college related work. During the lockdown though, I got too much free time. So, I decided to learn something new,” he says.

There are many like Fartade who have joined the bug bounty hunt since the pandemic, lured in by equal parts curiosity and of course, bounty.

Close

Bug bounty

Bug hunters get rewarded for finding glitches in computer systems, which otherwise can be exploited by black hats, or hackers, for gain. A case in point is ransomware attacks.

One of the first firms to offer rewards for finding bugs was Hunter & Ready, which invited engineers to test its Operating Systems. That was 1983. The term bug bounty was yet to be coined.

The ad from 1983 titled “Get a bug if you find a bug” reads like this: “Show us a bug in our VRTX, real-time operating system, and we will return the favor - With a bug of your own to show off in your driveway.” The bug to show off here was the Volkswagen Beetle.

It is not clear if someone managed to snag the Beetle, but finding bugs and earning rewards has come a long way since 1983.

The term bug bounty was coined by Jarrett Ridlinghafer, a technical support engineer at Netscape Communications Corporation, in 1995. In a press release dated October 10, 1995, the company said it would reward users who find bugs in the then recently launched beta version of its Netscape Navigation 2.0 software. However the idea of bug bounty was in its infancy and did not take off. It wasn’t until close to a decade later that it finally did.

One of the most successful bug bounties that continue till today was launched by Mozilla in 2004, nine years after Netscape. On August 2, 2004 Mozilla foundation announced: “Under the new scheme, any user who reports a critical security vulnerability in end-user Mozilla software will receive a US$500 reward.” In a blog, it said that from 2017-19 it has made a payout of $965,750 to researchers across 348 bugs, making the average payout $2,775.

The trend continued with tech giants Google (2010), Facebook (2011), Apple (2016) and Microsoft (2013) launching their own bug bounty programmes over the years.

In all these programmes Indians have come to become one of the largest beneficiaries, ranking among the top bounty hunters across the tech platforms.

Indians in the bug bounty hunt

In its 2020 bug bounty report, Facebook said that the company awarded $1.98 million to researchers in 50 countries in that year. India was in the top three along with Tunisia and the US. Two Indians, Suresh Chelladurai and Dhanesh Kizhakkinan, were among the top five in Microsoft’s most valued security researchers of 2021.

Apple paid one of its highest bounties of $100,000 in 2020 to Bhavuk Jain, an engineer from Ghaziabad and a bug bounty hunter. Jain has been bounty hunting full-time for the past three years, before being employed as a cybersecurity researcher in July 2021. His entry into bug bounty hunting came purely by chance. When he was working as a full-time developer, Jain started looking into other apps like for security, and started finding vulnerabilities.

The first bug he found was for a large tech company, and it took just five minutes. His effort won a reward that blew his mind. That was 2017 and he is reserved about sharing details. "You can’t expect this in any other work,” Jain exclaimed. He has never looked back since then. Like Jain, many have been attracted to the lucrative bounties this profession offers. It's not hard to see why — the payoff can be Rs 75 lakh for finding just one bug.

Moneycontrol spoke to six bug bounty hunters, current and former, many of whom were attracted by the bounties companies offer, and also for the sheer thrill of the chase.

Bounties and the chase

Narendra Bhati, an information security analyst based in Pune, has won over Rs 80 lakh in bug bounties in the last 6-7 months for multiple companies, including Apple. That was till June. Bhati was sure that this number would only increase, and it has by a few thousand dollars .

For Bhati, the bug hunt is more or less a game. “Hacking is like a game for me. Every day I wake up thinking about what bug I can find today,” he says. Bhati found his first bug in 2012 for a little over a hundred dollars, way over the Rs 80 lakh he was able to so far this year. However, to get here, it has taken a good while. Bhati started working for a salary of Rs 2,000 in a small firm in Ahmedabad for two years to learn hacking before he was able to start getting bounties.

Akhil George, 23, who works for Bugcrowd, a platform that facilitates bug bounty programmes for Facebook and other major firms, was attracted to bug hunting when he was in college. He was in his first year and saw a blogpost about someone winning $10,000 for finding a bug. It piqued his interest, not just for the money but also the challenge.

“I started learning (hacking) when I was in my first year because that is when I got my first laptop. I learnt everything on my own. I graduated just a few months back,” he said. In 2020, he worked with his friend and won about $90,000, or Rs 66 lakh, in bounty.

Pranav Hivarekar, 27, a part time bug bounty hunter, started his journey when he was in the third year of engineering, after seeing a Facebook post on someone winning a huge bug bounty. If that was not enough, his coding teacher’s taunts that he couldn’t do anything proved to be enough of a catalyst to fuel his interest.

He later did his masters in the US and had been working in a leading cybersecurity firm for 4-5 months when he was forced to return home due to a family situation. Back in India, he turned to bug bounty hunting full time, until about recently. “I have been a bug bounty hunter since 2014, when I was in third year of college. So it has been close to six years now,” he said. While he did not want to reveal what bounties he has won, Hivarekar said his largest bounty was $15,000.

Bounty in the pandemic

While many people have been bug bounty hunting for a long time, the pandemic saw more people jumping on the bandwagon. “Due to COVID-19, many people stayed at home and became bug bounty hunters. We are seeing a surge in bug bounty hunters over the last year. The motivation is both knowledge and money,” said Hivarekar.

This includes students and cybersecurity professionals. For instance, Fartade, the engineering student cited earlier, turned to bug bounty hunting during the pandemic, when he had a lot of time on his hands, and managed to win Rs 22 lakh.

However it hasn’t been smooth sailing all the way.

When the pandemic hit, while tech companies continued bounty programmes, smaller companies shut them down. “In 2020, when the pandemic struck a lot of companies closed their programmes. And in some cases bounties were cut down by 50 percent,” says George. Jain, who was cited earlier, said: “Many travel firms too stopped the programme or reduced the payout when COVID-19 struck,” he said.

With businesses returning to the new normal, where cybersecurity is a key challenge, more companies are launching bug bounty programmes globally, in a welcome sign. The bounties offered have returned to pre-pandemic levels.

In India, too, things are looking up as local companies warm up to the idea of bug bounties, increase incentives and even launch bug bounty platforms.

India's bug bounty landscape

According to the 2020 HackerOne report, Indian hackers earned 10 percent of the total bounty on offer, after the US at 19 percent. In addition, Indians accounted for about 18 percent of the total bug reports submitted last year, followed by the US at 11 percent.

“Given that Indians are one of the largest groups when it comes to bug bounty hunters, it is a wonder that we don’t have bug bounty platforms,” says Dhruva Goyal, 19, co-founder of BugBase, a bug bounty platform akin to HackerOne or Bugcrowd, which facilitates bug bounty programmes for companies.

BugBase went live in June 2021 and so far has close to 10 companies signed up for a bug bounty hunt. Many are smaller firms, with bounties ranging from Rs 1,000 to Rs 50,000.

Despite the vibrant hacker community in the country, India lacks the presence of cybersecurity platforms such as HackerOne, in part due to lack of awareness and reluctance to spend on security, says Goyal.

A few years ago, startups such as Zomato, Flipkart, Ola, Urban Company and Makemytrip launched bug bounty programmes. However, the incentives the companies offer aren’t high, making it less lucrative for bounty hunters.

Take, for instance, Ola; The company’s minimum payout is Rs 1,000. Further, on its site, Ola has stated: “We may reward only with awesome goodies depending on the severity of the vulnerability.” Makemytrip states that the minimum payout is Rs 5,000.

However, things are slowly changing, with many companies stepping up their bounty amount to attract hackers. Take, for instance, Urban Company. According to its HackerOne profile, the average bounty is about $100. The lowest being $50 and the highest, $1,500, for critical bugs that make the system the most vulnerable to attacks as of June 2021. The amount was $750 earlier. The best payout is from Zomato, which has increased its bounty this year . The company offers a minimum payout of $100 to a maximum of $2,000. This range was increased to $300–$4000.

While these are encouraging, Indian hackers are still concerned as they aren’t incentive enough, preferring to spend their time chasing better bounties.

For comparison, Apple and Microsoft’s bounty could go as high as $250,000 in the case of critical vulnerabilities.

So, for hackers, when the time spent in finding bugs is the same for Indian and US firms, larger incentives tilt the scale. But that is not all. Another bounty hunter, who did not want to be named, said: “Indian companies are the worst. I personally found bugs in large financial services firmswhere I am also a customer. When I informed them, all I got was intimidation about accessing the system though they fixed the bugs I pointed out. In another instance, a fintech company threatened me for just pointing it out. A lot of Indian companies do not even respond 75 percent of the time.”

Prasad T, Chief Information Security Officer, InstaSafe, concurred that corporate India is no better when it comes to payouts. “Companies don’t want to pay,” he says. The Bengaluru-based cybersecurity firm InstaSafe launched SafeHats, a bug bounty platform like HackerOne and Bugcrowd, a couple of years back. However, the uptick from the Indian user crowd hasn’t been great. It has close to 130 customers.

While companies are aware and are stepping up their cybersecurity spending, most are still reluctant to open up to white hats (ethical hackers). “People are okay with cybersecurity professionals like us testing the platform but not bounty hunters due to the lack of trust,” he said.

Anant Prakash, a former bug bounty hunter and CEO, AppSecure Security, a cybersecurity platform, explained that one of the reasons companies hesitate to open up their systems to outsider hackers was the lack of trust in what the white hats would do to their system.

Bhati said that while allowing white hats access might be a concern, it is better than not opening up at all. “Security is a combination of external and internal factors. While opening up might invite bad players as some companies fear, black hats can still attack. It is a risk the companies will have to take,” he added.

According to the hackers, while a company might have a strong security team, there are only so many scenarios the team can control. At a time when security attacks are more sophisticated, bug bounties are essential, the hackers said.

The dark side of bug bounties

Akhil George, quoted earlier, estimates that if there is a community of 10,000 hackers in India, 10 percent could be full-time bug bounty hunters, whereas the others do it part time. Jain, who won a $100,000 Apple bounty, estimates that the number of full-time bug bounty hunters could be 50-60 as many do not prefer to do it full–time.

The reason is clear. “This is hard as it is not a 9-5 job. Burnouts are common since there is no guaranteed salary. There are weeks when you might not find a single bug and that could cause stress,” George added.

Hivarekar, who was cited earlier, left full-time bug bounty hunting last year, when the stress became too much. “The whole process is stressful.” This is how the process goes. After finding the bug, it is communicated with the company and everything is explained in detail. Then the process goes on for weeks as the firm looks at it to make sure it is legitimate. While the response for critical bugs is quick, others could take weeks or months, or even get no response at all, making the whole process stressful.

“So I am no longer just doing bug bounty and have moved on to penetration testing,” Hivarekar says. Now, he hunts for bugs once every couple of months.

Jain, who used to be a full-time bug bounty hunter, explains: “Working as a full-time bug bounty hunter is tough. I have to set targets per month and work towards them. This is a risky profession since there is no set salary per month and stressful since you are not sure if you will find a bug or not, or if you did, if you will get paid for it. You will also have to argue with companies for the bugs. But these are worth it,” he added.

Also the competition has increased with many people joining. “You have to keep yourself updated as the cybersecurity landscape is changing. You need to keep abreast of technology and continue automating the scripts to stay ahead of the competition.”

While the going has been good so far for Jain, he started looking for full-time jobs a few months back and is now employed as a senior security engineer. “When you are a hacker you are always on the offensive. Working for a company you are on the other side, the defence, and that comes with its own learning,” Jain added.
Swathi Moorthy
first published: Aug 23, 2021 11:09 am

stay updated

Get Daily News on your Browser
Sections
ISO 27001 - BSI Assurance Mark