Ethical hackers in Mumbai, Pune and Bengaluru are making a killing bounty-hunting bugs for tech firms

Sandeep Singh is nursing a chocolate milkshake at a coffee shop. He doesn’t look up from his phone much. He sits, practically folded into himself, taking up very little room and shooting furtive looks across the café. At first glance, Singh appears a tad uncomfortable.

Perhaps it’s because the Kanjurmarg resident spends all his waking hours — usually from 6 pm to 5 am — sitting in a tiny nook he calls his “home office”. Like many hackers, though, Singh comes into his own when he is online. His awkwardness in public camouflages the fact that he is one of the world’s best-known bug bounty hunters — people who find and report online security loopholes in a tech or e-commerce firm’s business, usually in return for a monetary reward. In the last three years Singh has earned thousands of dollars by detecting more than 1,000 bugs. He reports about 30 or 40 vulnerabilities every month, with a personal best of 50 in one day. “I’m not interested in taking up a job,” says the 23-year-old. “I value my freedom too much. Anyway, I earn more from bug hunting than a techie does in a regular job, so why would I ever give this up?”

Bug hunting has become the most money-spinning kind of ethical hacking today, mainly because tech companies are ready to put down big bucks to secure their online operations. Bugs may cause a data breach or leak, or provide a way to either bypass the system (Ahmedabad-based hacker Kanishk Sajnani booked a flight ticket to the US for Re 1, and then repeated the feat on the Mumbai-Ahmedabad sector), or even shut it down entirely. This can result in business losses worth thousands of dollars, along with an irrevocable hit to both reputation and stocks, for globallylisted companies. Once a bug is reported, the hacker or researcher can claim a reward — ranging from a few hundred dollars to several thousand, based on the severity of the problem —while the company moves quickly to ‘patch’ it.
Most companies have clearly-stated payouts; Facebook, for instance, offers a minimum ‘bounty’ of $500 per bug, and may go up to $25,000 or more. While some tech giants have their own bug bounty programmes, in which they invite hackers to penetrate their firewalls and spot anomalies, many of them prefer to post ‘blind challenges’ on portals like HackerOne or Bug Crowd. No company details are revealed, and the challenge is a replica, so that a hacker can’t actually do any real-time damage to the company’s business.

A 2018 report published by HackerOne says Indian hackers make, on an average, 2.7 times more than a software engineer does in a year. And the top hunters can rake in as much as 16 times. Of the 1.6 lakh hackers registered with this US-based portal, the largest number are from India (23 per cent), followed by the US (20 per cent). As of December 2017, some 72,000 vulnerabilities have been reported worldwide, and hackers across the globe have received payouts to the tune of $ 23.5 million. Of this, $1.8 million was won by Indians. A Mumbaibased hacker, who did not want to be identified, claims he makes anywhere between Rs 4 and 6 lakh a month, conservatively speaking. “My friends and family have no idea about the work that I do, or even the money I make,” he says.

Rizwan Sheikh, who heads Mumbai cybersecurity firm Pristine Infosolutions, says bug hunting has become such big game that more and more hackers are making a career of it. “But you may not always find a bug, or get paid for it,” he cautions. “The company may say someone else has already reported it (called duplication), or may downplay the severity and pay you less.” But there’s a pot of gold at the end of the rainbow, if you keep at it, Shaikh adds. According to ethical hacking trainer Pawan Chhabria: “Most bug hunters get frustrated with duplication. Many also can’t distinguish between a vulnerability assessment test and bug bounty hunting.” The former carries no cash prize, but hackers may be rewarded with a ‘Hall of Fame’ certificate, whereby the company acknowledges their skill alongside its own team. In fact companies like Microsoft have been known to offer lucrative jobs to their Hall of Fame candidates. Bug bounty, on the other hand, always comes with a cash reward, no matter how little, says Chhabria.
Bengaluru-based Anand Prakash, 25, has made headlines with the massive bounties he has received from Facebook, Uber and Twitter. In 2015, he won a $15,000 cash prize from Facebook for logging in without an account. He followed this up by booking a free ride on Uber (for which he received a payout of $5,000) and hacked into the dating app Tinder, which won him a $4,700 bounty. Between 2014 and 2017, Prakash was ranked among the Top 5 bug hunters on Facebook, and holds the No 4 position on both Twitter and Uber. Prakash, who began his career as a security engineer at Flipkart in 2014, now has his own agency called Appsecure. “My primary work at Flipkart was to protect the company’s customer database and payment options. I realised, then, that while companies abroad have their systems in place, Indian ones don’t at all.” Prakash and his team have now created their own tools and his pitch — ‘I will find your loopholes’ — has snagged him a lot of projects.

When Pranav Hivarekar moved back to India from the US four years ago, it was because of family reasons and, oddly, better opportunities here. “I was offered several good jobs in the US, including from Facebook, but I realised I could do the same work as a freelancer from India,” says the 23-year-Pune resident. Hivarekar, who is also a security auditor and mobile app testing consultant, gets paid “by the bug”. With projects not lasting more than two or four weeks, the No 4 bug hunter on Facebook is also able to make time to conduct online and offline training programmes. “That bug bounty hunting is becoming very big now is clear from newer platforms opening up,” says Hivarekar.
In India, except for a handful of e-commerce entities like Ola, Paytm and Zomato, most companies don’t have a bug bounty programme. Zomato reportedly learnt the hard way when in 2017, a major security breach led to 17 million email IDs and passwords being stolen by a hacker, who also reported it. According to Zomato’s security lead Prateek Tiwari, the company has had a bug bounty programme since February 2016, but added the rewards component only in July 2017. “Our security and engineering teams have grown and matured so much through this process,” says Tiwari. For severe bugs relating to user information and such, Zomato offers a bounty of $1,000, and plans to increase that soon.

Shadab Siddiqui, Head of Security, Ola, who claims that the ride-sharing company was the first to institute a bug bounty programme in 2015 says: Depending on the severity, impact and complexity of the vulnerability reported, researchers can win cash or exciting goodies like smartwatches, smart TVs, tablets or smartphones as well.” Hacker Latish Khan, who found five breaches on the US Department of Defence site and reported it, says Indian companies are still highly suspicious of hackers, and don’t understand the value of bug bounty programmes. “When I wrote to the Department of Defence, they gave me multiple Hall of Fame citations,” he says. “But in India, if I reported a bug in a bank’s or a company’s operations, I would be rewarded with a jail term."