The recent Wannacry global ransomware attack, and closer to home, the Zomato user data breach, where millions of user logins were compromised, have forced all of us to be much more conscious of digital security. A key part of this ecosystem is the community of ethical hackers, also called bug bounty hunters, these are people who work with companies to patch security flaws. While big bounty program have been standards worldwide for several years, Indian companies like Zomato are only now following suit.
A bug bounty program is a vulnerability reward program instituted by corporates for ethical hackers. Hackers report bugs and vulnerabilities of websites or apps from corporates, who, in turn, recognise and compensate these hackers. Gadgets 360 spoke to a couple of ethical hackers told us that that they normally try and work with foreign companies, who are more open to paying bounties, and offer richer rewards to boot, when compared to their Indian counterparts.
Manish Bhattacharya, an ethical hacker born and raised in Bihar, said he paid off his educational loan through bug bounty programs from Facebook, GitHub, Shopify, and others. Some years ago, he had reported two clickjacking issues for Facebook - where a real link gets replaced by a malicious one, which could serve ads, or even malware. For this, he was paid $5,000 (over Rs. 3.22 lakhs today) by Facebook.
Anand Prakash has his own cyber-security startup, called AppSecure India, based out of Bengaluru. He is on Facebook’s ‘White Hat Bug Bounty Program’, which recognises and rewards security researchers who report vulnerabilities in Facebook's services. In 2016, he has also found a bug in Uber that could let any hacker take multiple rides without paying for them. Uber gave him $5,000 in return.
For Bhattacharya, bug bounty hunting has been, well, bountiful. He now works for a security firm in the United States. Prakash is on the list of Forbes Asia’s 30 under 30 (2017) and runs his security audit firm.
The ethics of bug bounties
Many companies such as Microsoft, Facebook, and Google are openhanded to bug bounty hunters. Bugcrowd maintains a list of websites that have a rewards program. But it's important to remember that there are a bunch of rules that define what is ethical hacking.
"The difference [between ethical hacking and unethical hacking] lies primarily in the intent. and access rights," says Amit Sethi, Chief Information Officer, AXIS Bank. "One is authorised and the other is unauthorised. Technology-wise there’s no difference per se."
Bhattacharya and Prakash also agree with the corporate ethical code.
"If I have permission from the company to test their website or they have a bug bounty program then only I'll go for bug hunting," says Bhattacharya. "I'll never test any government/ bank website without their written permission."
"Hackers exploiting bugs and leaking user data is unethical. Recent Zomato hack was a perfect example of an unethical hack," adds Prakash. "The hacker should not have forced the company to run a bounty program by leaking their data.”
The argument could be made that the hacker pushed the company to improve its security and institute a program that will only help users - but in the process, the data of millions of users was up for sale, as Prakash points out.
Indian companies don't like to talk about vulnerabilities
As the hackers we spoke to mentioned, Indian companies aren't typically welcoming of their efforts. Uber told Gadgets 360 that it has paid more than $860,000 - approximately Rs. 5.5 crore - in the last year to security researchers around the world. Of this, there were six researchers from India in Uber's top 50 list. India topped Facebook's bug bounty list last year, but things are very different when you look at Indian companies.
Global players award Indian hackers consistently, says Sandeep Sharma, a research analyst for IDC. "But, when it comes to Indian corporates, the picture isn’t as rosy,” Sharma explains. "Indian enterprises still have a long way to go as far as proactive security implementations are concerned."
Why haven’t Indian corporates been encouraging when it comes to bug bounty programs? Startups we approached refused to be a part of this story. According to reports, Snapdeal, Ola, and Swiggy all have private bug-bounty programs, but none of these companies wanted to talk about why bug bounty hunters don't get due credit in India.
Swiggy CTO and co-founder Rahul Jaimani instead pointed out that the company encourages bug bounties, as long as it's done in an ethical manner, and ties up with credible third-party bug bounty platforms on an invite only basis. He added that Swiggy supports ethical hacking, as long as the researchers comply with Swiggy's ethical and responsible disclosure norms. He also added that the terms and conditions of the website and app mention that unethical techniques used against the system are liable under the cyber security law, as per the IPC and Information Technology Act.
We asked Zomato the same question too, but the company wasn't available for comment. Zomato had a bug bounty program on HackerOne for a while and after the recent Zomato hack, its CEO Deepinder Goyal tweeted, “Had never offered money as part of the program. That’s what’s going to change now.”
This attitude is a problem as far as most bug bounty hunters are concerned - apart from money, recognition is a big driver as it helps to build a career in ethical hacking, explains Bhattacharya.
"Right now, India is full of startups, most of them don’t have - or they don’t want to spend - extra budget to hire a full-time security guy," he says. "Most companies don’t trust an independent individual with their security; they prefer a security firm instead. Few startups like Ola, Paytm have bug bounty. But, their rewards don’t match the international standards, so bug hunters don’t spend time with these programs."
Change remains slow
Axis Bank has an Innovation Lab that experiments with bug bounty. "It would be an incremental step in our efforts towards robust and secure software development and testing," says Axis' Sethi. In India, banking and financial service firms have been proactive about security solutions, adds AppSecure's Prakash, who also told us that his security firm saw a sudden surge of fin-tech corporate customers, after WannaCry and the Zomato hacks.
However, both Bhattacharya and Prakash say that the industry has largely been slow to react, even after high profile attacks on their infrastructure.