Companies worldwide are using every trick up their sleeves when it comes to cybersecurity. But regardless of how robust and stringent companies’ security checks are, they quite often find themselves outnumbered by a swarm of malicious hackers worldwide. This is where bug bounty hunters come in.
Today, traditional testing has become passé. A sea of tech companies run their own public bug bounty programs or use third-party crowdsourced security platforms to hire independent security researchers (the “white hat” hackers) to test their web, mobile, source code, and client-side applications.
In an age of a hostile internet environment, freelance bug bounty gigs are increasingly catching the fancy of a legion of code-testing geeks. Rewards scale according to the severity of each discovered issue and how hard it is to find.
It works this way—you detect a vulnerability (more commonly called a “bug”), report it (or even fix it if you can), earn mouth-watering rewards, and sign off with some freshly-earned swag.
Bug bounty hunting started as early as 1995, with Netscape. Today, many big tech companies run their own bug bounty programs, including Facebook, Google, Microsoft, Mozilla, Uber, Yahoo, etc., that readily pay between US $500 and $1,000 per qualified hole found.
Google pays up to US $20,000 for the crawliest of bugs. Others pay even more.
Read on to learn how bug bounty hunting is becoming a craze as companies realize how important it is to have a friendly army of hackers handy, and how so many people have made it big by choosing to become professional bug bounty hunters.
This post highlights some of the best ethical hacker stories from the newest kids on the block, who have been recognized for handsomely rewarded contributions that are not just shotgun noise (some people report invalid bugs to climb higher in Hall of Fame listings, which notoriously give more weight to submission counts than to actual rewards).
Jobert Abma, Cofounder of HackerOne
Photograph courtesy of Business Insider.
25-year-old Jobert Abma has been breaking into computers with his co-founder friend, Michiel Prins, since he was 13. Their first break came at their alma mater, Hanze University of Applied Sciences in the Netherlands, where they successfully reported a hole in the software that managed homework assignments and grades. After this, they ended up both working and studying at the University, earning $10,000 a day, split between the two of them. They later moved to San Francisco and cofounded HackerOne along with Alex Rice, the former head of product security at Facebook.
HackerOne’s bug bounty program invites companies to challenge its employees (read: qualified, trusted hackers) to attack them, and to pay fees based on the hole detected. The scarier the hole, the bigger the fee. (HackerOne takes a 20% cut.) Since 2012, HackerOne has earned US $7 million in bug bounty payments.
The idea is to put hackers on the company’s payroll so they can find problems before the bad guys do.
According to Abma, most bug bounty hunters have a normal day job; they generally work for tech companies as computer engineers or in computer security. Bug bounty hunting is taken up as a challenge, and it also provides good additional income.
“We’re normal people and hackers are super important to the future of the internet,” says Abma.
Like HackerOne, other third-party platforms, such as Bugcrowd, Cobalt (formerly CrowdSecurity), Synack, etc., are attracting hackers to the latest challenge.
Anand Prakash, Security Engineer at Flipkart
Photograph courtesy of LinkedIn.
All of 22, Bangalore-based Anand Prakash had made close to US $200,000 in bug bounties (a big deal in his home country, India) before being scooped up to work as a full-time security engineer with Flipkart. His parents have known about their son’s genius since he was little (eighth grade). One of his first hacks (though not very ethical) let him enjoy his home’s Internet connection for free. At first, the Internet service provider detected something fishy and warned his parents about a virus. His parents responded, “It’s not a virus, it’s our son.”
Anand went on to do Computer Science Engineering at Vellore Institute of Technology, India, where he managed to hack through the WiFi system at his college too. “I used to sit in the library and listen in to WiFi connections. We had a limit of 3 GB a month for every student. And since usernames and passwords were in plain text, I had ones for many accounts. People came to me for them when their data limit got over. I never misused them, though.” Anand says.
In 2011, Anand came across Facebook’s bug bounty program, where, to his dismay, network intrusion tools proved useless for discovering vulnerabilities in web applications. He took it upon himself to get to the core of it anyway. He eventually helped detect a bug on Facebook that could be used to access a user’s account and get at credit or debit card details, personal pictures, and messages.
Having reported close to 90 bugs to Facebook and 30 to Twitter, he is one of the most sought-after “white hat hackers” in the world today. The cybercrime branch of the Gurgaon police has come knocking at his door for help solving cases of online abuse. He has also reported bugs to Google, Red Hat, PayPal, Dropbox, Adobe, SoundCloud, etc.
Expressing concern over the lack of security in Indian companies, Anand says, “A majority of Indian startups don’t care about security. An example is the Zomato hack, where one could see the personal data of 63 million users. A company should never compromise with user data and should have adequate security measures to avoid such breaches.”
Twitter ranked him second in the world and first in India for the highest number of bugs reported. He was also ranked fourth on the Facebook Wall of Fame for 2015.
Vishnu Vardhan Reddy, Top Hacker with Bugcrowd
Photograph courtesy of Bugcrowd.
All of 20, Vishnu Reddy, a mechanical engineering student, took up ethical hacking after being lured by the concept of bug bounties. Driven by curiosity, he started learning the tricks of the trade all by himself and practiced them on Bugcrowd’s Kudos-only programs as a way of gaining experience on real web sites. He eventually got really good at it and rose in the ranks of hackers in no time—a tremendous feat for a person from a non-IT background.
Vishnu says, “It’s been around 1.5 years that I started bug hunting. To be exact, I got my first bounty from Tesla motors (hosted on Bugcrowd) on June 5th, 2015. I generally look for bugs like XSS, CSRF, IDOR, authentication bypass, and business logic bugs.”
According to Bugcrowd’s Second Annual State of Bug Bounty Report, researchers from 112 countries make up its current pool of hackers. India ranks first both in the volume of submissions and in the rewards paid out, followed by the United States in submissions and, notably, by Portugal in payout volume, even though Portugal does not make the top ten submitting regions by total volume.
85% of Bugcrowd researchers take part in bug bounty programs as a hobby or as a part-time job. Bug bounty activity has also risen by 47% in the last 12 months.
Arun S Kumar, Independent Security Researcher
Image courtesy of India Times.
Yet another 20-year-old engineering student is making waves with his bug-finding hacks. Hailing from the sleepy town of Kollam in Kerala, India, Arun recently visited Facebook’s headquarters in California and was paid US $16,000 for detecting a full account takeover bug, which let anyone easily break into other people’s Facebook accounts without their knowledge or approval.
He reported the bug to the Facebook security team on August 29. In April this year, he had found another vulnerability, for which he received US $10,000. Apart from this, he has spotted bugs in other web sites, including Google’s, and has to date received a total of $50,000 in bug bounties over the past three years.
And Arun does not intend to stop here: “I hope to be hired by them later.”
Cyber security has become an integral part of our lives; we can no longer take it for granted. It is no longer just security, it is defense.