Bengaluru-based security startup Fallible has launched its Product Security Index, which diagnoses and grades Indian startups by testing them on around 50 security-related parameters for vulnerabilities and bugs.
According to Fallible's Product Security Index, the least secure startups include Ticketnew, Healthkart, Zopnow, Bharat Matrimony, and ShopClues. The most secure products according to the company's rankings are FreeCharge, Urban Ladder, Groupon India, NewsHunt, and Ola. Startups with a rating below 50 percent on the index include unicorns such as Zomato, ShopClues, and Quikr.
Abhishek Anand, Co-Founder at Fallible, told Gadgets 360 that the startup has automated around 50 tests, with parameters centred on authentication, HTTP headers, SSL configuration, man-in-the-middle attacks, and payments. "The most common vulnerabilities are around payments, where a bug allows you to place orders for the same amount multiple times and pay just once. There are user data leaks, site configuration issues which can be used to bring down the site," he said.
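The payment bug Anand describes is a replay: the checkout confirms an order whenever a payment of the right amount exists, without binding that payment to one order or marking it used. The following is an added illustration written for this page, not Fallible's own test code or any of the named startups' checkout logic; the `Order`, `Payment`, `VulnerableShop` and `HardenedShop` classes, the `replay_attack` driver and the sample order and payment identifiers are all constructed for the example.

```python
"""Added illustration (not Fallible's tooling): why a payment callback that only
checks the amount lets one payment settle several orders, and the idempotent,
order-bound check that closes the hole. All names, the in-memory stores and the
sample data below are constructed for this example."""
from dataclasses import dataclass


@dataclass
class Order:
    order_id: str
    amount: int          # in paise
    status: str = "pending"


@dataclass
class Payment:
    payment_id: str
    order_id: str        # the order the gateway was asked to charge for
    amount: int
    consumed: bool = False


class VulnerableShop:
    """Confirms an order whenever *some* payment of the right amount exists.

    The payment is never tied to the order it was made for and never marked
    used, so one Rs. 500 payment can be replayed against every Rs. 500 order.
    """

    def __init__(self, orders, payments):
        self.orders = {o.order_id: o for o in orders}
        self.payments = {p.payment_id: p for p in payments}

    def confirm(self, order_id, payment_id):
        order = self.orders[order_id]
        payment = self.payments.get(payment_id)
        if payment is None or payment.amount != order.amount:
            return False
        order.status = "paid"        # no binding, no single-use check
        return True


class HardenedShop(VulnerableShop):
    """Binds the payment to the order it was created for and consumes it once."""

    def confirm(self, order_id, payment_id):
        order = self.orders[order_id]
        payment = self.payments.get(payment_id)
        if payment is None:
            return False
        if payment.order_id != order_id:            # paid for a different order
            return False
        if payment.amount != order.amount:
            return False
        if payment.consumed or order.status != "pending":   # replay / double confirm
            return False
        payment.consumed = True
        order.status = "paid"
        return True


def replay_attack(shop_cls):
    """Attacker places three orders of the same amount, pays for one, and
    replays that payment reference against all three.

    Returns how many orders end up marked paid (constructed scenario).
    """
    orders = [Order("ORD-1", 50000), Order("ORD-2", 50000), Order("ORD-3", 50000)]
    payments = [Payment("PAY-abc", "ORD-1", 50000)]   # only ORD-1 was really paid
    shop = shop_cls(orders, payments)
    for o in orders:
        shop.confirm(o.order_id, "PAY-abc")
    return sum(1 for o in shop.orders.values() if o.status == "paid")


if __name__ == "__main__":
    print("vulnerable shop, orders settled by one payment:", replay_attack(VulnerableShop))
    print("hardened shop,   orders settled by one payment:", replay_attack(HardenedShop))
```

The hardened version still assumes the payment record itself is trustworthy; in a real integration the gateway's callback must additionally be authenticated (for example by verifying the gateway's signature over the callback parameters) before the record is looked up, otherwise the attacker can forge the payment as well as replay it.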
Fallible started operations three months ago, said Co-Founder Manish Kumar, and took the blogging route to raise awareness of the vulnerabilities it found and to make startups keener to fix them swiftly. The rankings are opaque, as the company does not publish the vulnerabilities behind each score. Kumar said this was intentional: Fallible does not want to disclose security holes to the public, as it could be sued for doing so. "But we know the bugs, and we try to contact them for the fixes. We put out a score so that companies realise there is a problem. Once they reach out to us, we can tell them what the bugs are," he explained.
The founders wrote a blog post in October 2015 detailing a list of vulnerabilities in leading Indian startups. "We haven't named the companies, but there's a list of open bugs there. In October, we contacted some 18 companies, out of which 10-12 have fixed their bugs. The rest of them are still open. Around three to four companies did not bother to even acknowledge it," Anand said.
Companies in India are not very keen on giving out bounties the way companies in the US do, Anand said. Fallible works with startups to audit and fix their security, and then opens the product up to the hacker community to point out any remaining bugs or vulnerabilities. Fallible's customers include Grofers and Healthkart; the startup also received a bounty of Rs. 65,000 from Ola for reporting a bug. The team plans to launch a crowd-sourced bug bounty model for hackers on its platform in the future.
Kumar said that users should be careful with startups scoring below 50 on the list. "Whenever you sign up with them, you give your personal information such as your email, address, personal location to them. If they are not securely kept in the database, they can lead to various kinds of criminal things," he said.