Bug Bounty Hunters and the Companies That Pay Them

Could you make a living hacking websites? Facebook has paid out more than $4.3 million (roughly Rs. 28.6 crores) to over 800 researchers around the world since the inception of its bug bounty programme in 2011. Interestingly, India fields the largest number of participating security researchers with an average payout of $1,780 (roughly Rs. 1.18 lakh). The social network recently awarded $15,000 (roughly Rs. 10 lakh) to Anand Prakash, a 22-year old Indian white-hat hacker who works as a security analyst at Flipkart. Some individual researchers have already earned more than $100,000 (roughly Rs. 67 lakh) through the program, Facebook says.

When you think of hackers, you probably think about Anonymous or Wikileaks, or cyber-attacks on banks. But these headline grabbers are only one part of the story. There's another side, a quieter side that doesn't really get featured in the news as much. But the reality is that today, most major companies have bug bounty programs that pay big bucks to "white hat" hackers - hackers who will find flaws and weaknesses, and instead of exploiting them, warn the companies to fix the flaws.

HackerOne serves as a global watering hole for hackers and security researchers, says Abhishek Anand, Co-Founder of Bengaluru-based security startup Fallible. The San-Francisco based platform boasts of payouts worth $6.56 million (roughly Rs. 43 crore) made to hackers for finding bugs and reporting them to the companies listed on its site, which includes the likes of Yahoo, Twitter, Adobe, Square, Slack and Dropbox. Its Hacktivity page keeps a realtime log of disclosed bounties, and a leaderboard of top ranked white-hat hackers.

Who pays, and how much?
Some, but not all, of the largest internet and software companies now have rewards programs for bug reporting. Amongst the most prominent firms, only Amazon and Apple don't make any payouts. Others including Microsoft, Facebook and Google are more open handed. Bugcrowd maintains a list of websites that have a rewards program.

Facebook, Microsoft, and HackerOne were also sponsors of the Internet Bug Bounty programme in 2013, with handsome payouts made for vulnerabilities found in open source software like Perl, PHP, and Python. A vulnerability in the GNU Bash Unix shell saw a payout of $20,000 (roughly Rs. 13.3 lakh) made to Stéphane Chazelas, a Unix/ Linux and telecom specialist, for discovering the Shellshock bug in September 2014. Google also has a bug bounty programme which rewards qualifying bugs anywhere between $100 to $20,000 (roughly Rs. 6,700 to Rs. 13.5 lakh), based on the severity of the bug.

And it's not just tech companies who are willing to pay in cash or kind - United Airlines provides a maximum payout of a million air miles for a high severity bug, which translates to 64 round trips from Mumbai to New York.

In India, well-capitalised startups have also launched bounty programs though these seem to be more of a token or ceremonial gesture. Food discovery platform Zomato has received over 55 reports on HackerOne, though there were no payouts made to the researchers. Ola's bug bounty program pays a minimum of Rs. 1,000 for bugs discovered, but doesn't mention what the maximum payout is, and hasn't published details of payouts made so far. The same is the case with Paytm, whose bug bounty program thanks a dozen odd hackers, but is silent on the subject of payouts. Emails to both the companies yielded no clear response on payouts made so far. Fallible's Anand says that it received Rs. 65,000 for a bug found with Ola, and counts Grofers and Healthkart amongst clients. "In 2012, there were only 20 startups that raised over a million dollars, in 2015 there were over 200. India has tipped that point where it can support an ecosystem of hackers," he says.

(Also read: New Product Security Index Reveals India's Most and Least Secure Startups)

Pranav Hivarekar, a Pune-based security researcher pursuing his bachelor's degree in computer engineering, says he has disclosed over 80 bugs so far and received bounties from Facebook, Twitter, and Google. Indian websites don't acknowledge vulnerabilities as freely as US companies do, he says, adding that he wasn't aware of any Indians startups that were paying security researchers.

Archita Aparajita, a Senior Software Engineer in Philips Healthcare says that she got interested in the stream after attending an ethical hacking workshop at her college. "One of my professors in the college insisted that I attend the workshop. It was a two day long workshop and I was highly inspired by the workshop. Since then I got involved in this field," she says. Her bounty rewards range from $500-$1,000 (roughly between Rs. 33,500 and Rs. 67,000 rupees) , she says. It's not really money that motivates her. "There are many factors for which I do bug bounty. Sometimes it is money, sometimes for nice goodies or reputation. However the most important thing for which I do bounty, is to improve my skill set. It's practice. The more you do bounty the more it improves your skills," she says.

"There are many security conferences in India which is done once in a year, like nullcon, c0c0n, Defcon. In many cities there is an active open community called 'null' , where infosec people gather once in week or month, and share their knowledge," Aparajita adds.

"Before writing code myself, I want to understand why they have written something a particular way," says Vivek Bansal, a software developer who has earned a $2,000 (roughly Rs. 1.3 lakhs) payout from Facebook. Bansal has worked many stints as a developer in Indian Internet startups and thinks bug bounties help the entire industry. "I want to find out how well they implemented it, and examine loopholes in their thought process," he says. "Every startup has a mobile app, in 60-70 percent of these apps, they have their payments, user data, profiles, and sensitive things like that. 85 percent of the apps are defective, and have loopholes in their servers and APIs. I like to point out these loopholes, to help these companies out," Bansal adds.

Most of these bug bounty hunters we reached out to are either students, or work as software or security engineers, and seem to have a great deal of curiosity about finding out how software works.

"My work days are not planned. However, every day after office I spend some time in reading security news, Twitter updates and checking if any good bounties are around." says Aparajita, who spends her weekends working on mobile application security and bug bounty hunts.

To find out the bugs in the APIs, Bansal uses Fiddler, Wireshark, and MITM. Hivarekar recommends learning about security by reading the Web Application Hacker's Handbook. "It provides in depth explanation on what tools to use and how to pentest (penetration test) websites. Personally, I use Burp Suite and Chrome developers tools to monitor requests," he says, adding that he also uses a few self-coded tools.

Bug bounty ethics
Facebook's biggest payout so far seems to be the $33,500 (roughly Rs. 22 lakhs) it awarded Reginaldo Silva for discovering an XML external entities attack. While that may sound substantial, it's a far cry from the million dollar payouts that were promised back in 2012.

Wesley Wineberg, a security researcher at US-based Synack, discovered a series of vulnerabilities to gain access to sensitive information stored on Instagram servers and disclosed them to Facebook, also felt shortchanged when he only got a $2,500 (Rs. 1.6 lakh) reward for it. He eventually wrote up an acrimonious blog post in which he recounts about how Facebook took things up with his employer even though he had used his personal email address to submit the bug.

Alex Stamos, CSO at Facebook, in turn responded with a detailed account of events from his end - "I told Jay Kaplan [CEO at Cynack] that we couldn't allow Wes [Wineburg] to set a precedent that anybody can exfiltrate unnecessary amounts of data and call it a part of legitimate bug research, and that I wanted to keep this out of the hands of the lawyers on both sides," he says.

Bug bounty jobs does seem like laborious work, and currency exchange rates seem to determine what's a worthy payout - security researchers from India, Egypt, and Trinidad and Tobago received the highest number of payouts from Facebook in 2015.

"Sometimes, some companies do short-change and pay less than expected. But on the other hand, some reputed bug bounty programs run by Facebook, Google, and Twitter reward you more for finding huge vulnerabilities," says Hivarekar.