BUG BOUNTY PROGRAMS & WHAT THEY MEAN FOR HUNTERS AND COMPANIES

by Divya Agrawal

Bug bounty hunters, or the morally sophisticated hackers, are those who look for vulnerabilities in software systems only to report them responsibly to the organizations concerned. Bug bounty hunters help companies find out about the vulnerabilities in their applications before hackers can exploit them.

In that sense, bug bounty programs are a win-win for companies and white hat hackers. Bug bounty hacking has gone from a pastime to an emerging occupation. Businesses are getting more and more serious about the security of their software services and are actively encouraging bug bounty hunters to check and test their offerings.

The Good and the Bad of Bug Bounty Hunting

Beyond being a shiny occupation, bug bounty hunting takes real sweat and toil. Experienced bug bounty hunter Nikhil Mittal says the field has a lot of scope, but the earnings fluctuate a lot. At one time you could be lucky enough to earn a lot, while at another you are still trying to make ends meet. He reveals that duplicate bugs are a major source of disappointment and hog important hours for bounty hunters.

The toughest situation, Nikhil says, is when he reports a bug to a company and they deny it, then silently fix it. Nikhil adds that he has had to remind such companies multiple times to pay him his due.

However, he has had some pretty huge wins in his basket. Nikhil says that, besides the amount of money he has earned following his passion, he was once offered a full-time job at a reputed company to which he had reported a few bugs. He says he was taken aback by their gesture!

Companies in India and abroad that allow users to perform financial transactions are rapidly setting up bug bounty programs. Given the number of data breaches that took place in 2018 alone, we are not shocked to see companies getting real with their security practices.

Coming Trends in Bug Bounty Hunting

Famed bug bounty hunter Sandeep Singh, aka Geekboy, talks about the trends he sees coming for companies and bug bounty programs. Sandeep believes the bug bounty industry is going to be more noisy and visible in the years to come, as an increasing number of hackers are joining the community and an ever-increasing number of companies are getting serious about security.

There is a huge demand for ethical hackers as businesses roll out bug bounty programs with vast sums of rewards. However, there still seems to be a gap between the skills of security professionals and the demands of this occupation.

Sandeep says bug bounty hunters need to continually stay on top of trends and technologies, so they can be the first ones to discover vulnerabilities in cutting-edge solutions based on IoT, smart contracts, hardware, etc. There is an urgent need for expert security professionals to up their game and stay ahead of hackers with malicious intentions.

Upskilling of security enthusiasts is also a win-win for them and companies looking for them.

Companies with Successful Bug Bounty Programs in India

Three years back, when Ola was hacked, compromising the data of millions of users, the company created India’s first full-fledged bug bounty program to encourage independent security researchers to help it create a safe platform.

The company now offers up to 3,00,000 INR for security loopholes such as injections, server-side issues, client-side issues, and other valid security vulnerabilities. Apart from that, Ola promises goodies to hackers who help find significant security flaws. What’s more, Ola even honors security researchers who collaborate with it to resolve bugs by listing them on its Hall of Fame page.

Ola has seen success with its program. Security research bloggers from Fallible say Ola awarded them $1000 in bounty and some electronic goodies for reporting vulnerabilities in one of its apps. The researchers also claim Ola took around 2 months to fix their reported bug.

McDonalds India (West and South) runs a bug bounty program in India for its McDelivery web and mobile apps. In 2017, researchers from Fallible discovered a huge vulnerability in its app. They found it was possible for hackers to dump the data of 2.2 million users by exploiting a flaw.

After reporting the vulnerability to McDonalds India, the Fallible researchers published a blog post saying the leaked information could potentially contain users’ names, phone numbers, email addresses, social proofs, and residential addresses. However, the security researchers’ continuous emails to McDonalds India went unnoticed.

Due to the lack of stringent security policies in India, some companies take data security for granted.

Paytm is another company running a bug bounty program in India. Avinash Jain, an independent security researcher, found a vulnerability in Paytm’s electricity bill payment service. Through a series of steps, he could dump the data of users, including their name, address, electricity bill amount, and date of birth. Avinash reported this vulnerability to Paytm in Nov 2017. Paytm fixed the bug in Jan 2018 and rewarded Avinash for his efforts the same day.

Later, in June of the same year, the bug somehow got reopened; Avinash reported it and was rewarded again.

If companies are to encourage bug bounty hunters to find and responsibly report flaws in their systems, they need to be serious about their app’s security. There is nothing more off-putting for a bug bounty hunter than to discover and report a flaw to a business only for them to ignore it.

As companies need more and more skilled security professionals searching for bugs in their platform, it is in their favor to network with security professionals.

Sandeep reveals bug bounty hunting allows you to be your own boss, and work with freedom and flexibility.

Since 2016, nullcon has run a BountyCraft Track. It is a platform where companies offering bug bounty programs (Microsoft, Apple, Google) and crowdsourced security platforms (Bugcrowd, Hackerone, NCC Group, Crowdfense) interact directly with bug bounty hunters. They give insights on top bugs of the year, hacking methodologies, private bug bounties, etc.

Check out the BountyCraft Track speakers for nullcon Goa 2019 here.

- Written by Divya Agrawal & Edited by Pratik Ghumade for nullcon

