Warding off hackers: Bug bounty hunters working to keep firms cyber secure

Bug bounty hunters are certified cybersecurity professionals or security researchers, who crawl the web, scanning the systems for gaps through which hackers can sneak in and alert the companies

Take any security research report and you will find India topping the list of data breaches and cyberattacks. In February 2021 — almost a year since the pandemic landed on Indian shores — there were 377.5 million brute-force attacks globally. India accounted for 9.04 million of those. The total number of cyberattacks recorded in India during January and February 2021 was around 15 million, according to a Kaspersky report.

While many of the companies targeted had robust technology in place to prevent such incidents or mitigate their risk, security experts say the recent spate of data breaches is not just about technology. “In our world, we say security has three components: People, process and technology. While everyone is focusing on the tech part, there is very little importance given to people and the awareness of security,” says Sandeep Sengupta, managing director of Kolkata-headquartered Indian School of Ethical Hacking (ISOEH).

This is where an army of independent ethical hackers — also called “bug bounty hunters” — comes in. Many of them are certified cybersecurity professionals or security researchers. They crawl the web, scanning the systems for gaps through which hackers can sneak in and alert the companies. In return, they are rewarded with cash or kind.

Not leaving it to chance for such gaps to be discovered, some companies now actively employ the services for bug bounty hunters.

Online brokerage firm Zerodha is one of them. Its Chief Technical Officer Kailash Nadh says in-house teams alone cannot make the system fully secure. 

“Having ethical hackers or security engineers is essential. Though we have an internal security team, we also have a bug bounty programme and employ external white-hat (ethical) hackers to regularly test our systems from the outside,” says Nadh.

“We have so far managed to stave off serious cyberattacks.”
 

This happened with Upstox, a leading player in the stockbroking segment and Zerodha’s competitor. A breach had targeted the data of some 2.5 million of its customers. The retail broking firm had then immediately alerted the customers while assuring them that their funds and securities were safe.

Sourajeet Majumder, a Class XII student, is a part-time bug bounty hunter. In his spare time, he crawls through company websites to find vulnerabilities and report them. In return, he either gets paid in cash or is rewarded in kind (with t-shirts or bags etc). He recently found a vulnerability in West Bengal’s health ministry website. Had the bug not been fixed, data of over 8 million people could have been leaked on the dark web.

Majumder started out hunting bugs for large corporations as a pass-time. He found his first bug in the social media microblogging website Tumblr, for which he was paid Rs 15,000. “I have found vulnerabilities in many of the government sites, too, and I try to report them to the people concerned,” he says.
 

Bug bounty programme is well-known in the US and Europe. Started in 1983, it caught on after 2013 when companies like Facebook, Yahoo, Google started to leverage it. US and India are now among the top countries from where researchers submit bugs.

Anand Prakash, founder of PingSafe, a Bengaluru-based cybersecurity company, is counted among the world’s leading bug bounty hunters. He says one reason for a spike in data breaches in India is the rise of the unicorns and the start-up ecosystem.

“India is suddenly in news for the rising numbers of unicorns, so cyber criminals have their eye on it,” he says, adding, “If you see some of the latest hacks, they are all in new-generation firms like BigBasket, Upstox, Domino’s etc.”
 

The first security bug that Prakash spotted was in Facebook. He has since been rewarded and acknowledged by Facebook, Twitter, Google, Red Hat, Dropbox, Adobe and others. “Most companies say they are 100 per cent secure; that's far from reality,” he says. Cybersecurity cannot be managed by just a handful of people. “In that sense, having a bounty programme is useful.”

The challenge, however, is that even today few companies understand or acknowledge the work that these ethical hackers do. “India has a peculiar situation. When we find and report a bug/vulnerability to a company, we are often treated as black-hat (unethical) hackers and they take legal action against us,” says Prakash.
 

A recent example is when security researcher Rajshekhar Rajaharia posted what he said were the details of MobiKwik user data available on the dark web. While the company denied the breach, Twitter temporarily blocked Rajaharia’s account.

Prakash has had a similar experience as a bug hunter when an Indian company took legal action against him for letting them know that there was a vulnerability. “They said, ‘Why were you checking our systems?’.”

Also, Indian bug hunters who are globally rewarded for finding vulnerabilities are poorly paid in their own country. “In India, a billion-dollar company will pay just about a few thousand rupees. Some bug hunters get disillusioned and take advantage of the information they have,” says Prakash.

Sengupta of ISOEH points to the demand-supply gap. “According to a Nasscom survey, India needs 500,000 ethical hackers in the next five years,” he says, adding that currently it has barely 70,000.

Dipesh Kaura, general manager, Kaspersky (South Asia), adds: “In general, data breaches happen due to weaknesses in technology and user behaviour. While enterprises build a robust security infrastructure for their networks, they often fail to protect themselves from the two other equally important aspects: Human error and third party services/providers.”