dna Special: Indians are world's top bug bounty hunters

MR Vignesh Kumar, a resident of Nagercoil in Tamil Nadu, has just graduated in engineering, but he has already earned around $15,000-$20,000 in the last one year working for Adobe, Google and other companies.

No, he has not got a job with the IT majors; he has merely exposed vulnerabilities in their systems and products as a bug bounty hunter — as these white-hat or ethical hackers are called who test security systems in websites, applications or operating systems and expose loopholes, or bugs in them.

“I have been doing this in my free time for the past one year. I detected and then reported several vulnerabilities to Nokia as well and got Lumia smartphones from them,” said Kumar.

"Bug bounty hunters" are a fast growing tribe across the world as corporations realise that they are a cost effective way to fix loopholes in their systems before they're exploited.

India, which has the second largest number of bug hunters in the world, is right on top of this trend. It is also the country with the second-fastest-growing number of bounty recipients; the US tops the list, and India is followed by Turkey, Israel, Canada, Germany and Pakistan.

“The Indian hacking community is among the top 3 bug bounty hunters in the world," Dinesh O Bareja, noted cyber security expert of the Open Security Alliance, told dna. There are 250-300 hackers working across India, he said. “The most encouraging trend is that a lot of these hunters are coming from tier2 and 3 cities like Ranchi, Udaipur, Nagpur and Lucknow."

A majority of bounty hunters are students and young professionals who do this in their off hours, but a few also work full time as cyber-security researchers. On an average, bug hunters make around $1,000 for every 'bug' or vulnerability found, which can go up to to $4,000–5,000 per 2-3 vulnerabilities. But there are many experts who earn Rs 10-15 lakh ($15,000-20,000) a year from bug hunting alone.

Facebook recently revealed that it paid more than $1 million in bounties to security researchers, with India ranking number two in the list of recipients. Google also recently set aside a separate budget of $2 million for such experts.

Some bug hunters have even got full-time jobs with firms like Facebook. Many have even become famous with big firms like Adobe, Facebook, Twitter, Apple, and Google acknowledging their work publicly and displaying them prominently on their ‘Wall of Fame”.

While Indian bug hunters make good money “all of it is coming from companies in the West like Google, Ebay, Paypal and Facebook” said Bareja. This is because neither the government nor the private sector in India makes use of bug bounty hunters, say cyber-security experts, relying instead on security consultancies to protect their systems.

“The bug bounty programme is the best way to stamp out bugs in products or infrastructure since it brings together thousands of minds and is preferable to paying millions of dollars to a security team of ten,” said Mohit Kumar, a cyber security expert and one of the organisers of the recently concluded “The Hackers Conference 2013” in the national capital.

Echoing his views, Bareja tore into the recently announced National Cyber Security Policy for being a “paper” tiger. “We have thousands of young and talented boys and girls but due to the government's myopia, their potential is wasted. The policy talks about 5,00,000 cyber-security professionals in India in the next three years. But no one in the government seems to have an idea where will they come from and how will they be used,” Bareja added.

Private companies, experts feel, are no better because they seldom acknowledge vulnerabilities in their systems as they feel it is not good for their image.

But some government sectors seem to be starting to see the merit of using bounty hunters . Recently, an Indian security agency got a job executed within 48 hours for Rs 50,000 only – most cyber-security consultants would have taken a week and at least Rs5 lakh for the same.

Experts say that most enterprises in India remain vulnerable to cyber attacks because they are ignorant of these. Mohit Kumar said that while he and others in the field detect over 100 cyber attacks on Indian websites and companies daily, according to CERT-IN (the Indian Computer Emergency Response Team, the government's cyber-security body) there are that many attacks only in 6 months.