Bug bounty hunters make a killing as new-tech vulnerabilities
The global bug bounty economy was worth $23.5 million between May 2018 and April 2019, and Indians finished second to Americans, taking home $2.3 million, or 10%, of that, according to HackerOne, a bug bounty platform. Bug bounty hunters — or white hat hackers, as they are also called — find and report vulnerabilities in software. They do it legally, with the software owner's permission, and earn a reward from the owner for each valid report. The vulnerability could be a weak password or a bug in the software that causes it to crash, produce invalid results, or lets a third party gain access it should not have.
Anand Prakash is one of India's leading bug bounty hunters. He says he has earned Rs 2.5 crore through bounty programs. He hacked for the first time when a friend challenged him to break into the friend's Orkut account. It was 2008, and Prakash was then preparing for IIT-JEE in Kota. Prakash didn't crack JEE, but he succeeded in hacking into his friend's account.
He is today in Facebook's and Twitter's halls of fame. In 2017, he found a bug on Twitter that allowed him to tweet from any Twitter account. He reported the bug and Twitter fixed the flaw immediately. Prakash is ranked among the top bug bounty hunters on Uber's program. "On a weekend, I opened the Uber app and spotted account-takeover vulnerabilities."
Chennai-based security researcher Laxman Muthiyah found a vulnerability on Instagram that would have let him take over any account without the owner's involvement. The Facebook and Instagram security team fixed the issue and he won a $30,000 bounty.
Every five minutes, a bug bounty hunter somewhere in the world reports a software vulnerability. The gig economy of bug bounty hunting has recorded steep growth over the past eight years. New technologies, especially cloud services and poorly secured IoT devices, have massively expanded the horizons for these hunters. "Only bounty hunters can provide cost-effective security solutions," says Vikash Chaudhary, founder of consultancy HackersEra. He was ranked 51 in Microsoft's Top 100 security researchers in 2018.
Hyderabad-based bug hunter Harsha Vardhan Boppana says there are a variety of vulnerabilities. Some of the common ones are XSS (cross-site scripting, where an attacker gets script injected into a page that other users view, typically to steal their sessions or act on their behalf), CSRF (cross-site request forgery, which tricks a logged-in user's browser into sending commands that the web app trusts because they arrive with that user's credentials), and SQL injection (where attacker-supplied input changes the structure of a database query, making it possible to execute malicious statements against the database server behind a web app). "Higher vulnerabilities can fetch bounties of $5,000-20,000," says Boppana.
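To make the three bug classes above concrete, here is an added illustration (not code from the article, nor from any of the researchers it quotes) showing each weak pattern next to its fix. Everything in it is constructed: the in-memory SQLite user table, the sample comment, the session IDs and the CSRF signing key. Plaintext passwords are kept only to make the SQL injection demo short; a real system would store hashes.

```python
"""Vulnerable-versus-hardened sketches of SQL injection, XSS and CSRF.

Added example with constructed data; not from the article. Run it offline:
each weak version accepts the attacker's input, each fixed version does not.
"""
import hashlib
import hmac
import html
import secrets
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample user table (plaintext passwords purely for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.commit()
    return conn


# --- SQL injection: statement built by string formatting vs. a parameterised query

def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> bool:
    # Attacker-controlled text becomes part of the SQL statement itself, so a
    # password of  ' OR '1'='1  turns the WHERE clause into something always true.
    sql = f"SELECT 1 FROM users WHERE name = '{user}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, user: str, password: str) -> bool:
    # Placeholders keep the input as data; the statement structure cannot change.
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (user, password)).fetchone() is not None


# --- XSS: raw interpolation of user content vs. HTML escaping

def render_comment_vulnerable(comment: str) -> str:
    # A comment containing <script> would execute in every viewer's browser.
    return f"<li>{comment}</li>"


def render_comment_fixed(comment: str) -> str:
    # Escape &, <, >, " and ' so the browser displays the text instead of parsing it.
    return f"<li>{html.escape(comment, quote=True)}</li>"


# --- CSRF: state-changing request with no proof of origin vs. a session-bound token

CSRF_KEY = secrets.token_bytes(32)  # constructed per-process secret (hypothetical)


def csrf_token(session_id: str) -> str:
    # Token derived from the victim's session; another site cannot read or forge it.
    return hmac.new(CSRF_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(session_id: str, form: dict) -> dict:
    # Any page the user visits can auto-submit this form with the user's cookies.
    return {"ok": True, "to": form["to"], "amount": form["amount"]}


def transfer_fixed(session_id: str, form: dict) -> dict:
    # Reject the request unless it carries a token minted for this very session.
    expected = csrf_token(session_id)
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, expected):
        return {"ok": False, "error": "missing or invalid CSRF token"}
    return {"ok": True, "to": form["to"], "amount": form["amount"]}


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("SQLi  vulnerable:", login_vulnerable(db, "alice", payload))
    print("SQLi  fixed     :", login_fixed(db, "alice", payload))
    script = "<script>alert(1)</script>"
    print("XSS   vulnerable:", render_comment_vulnerable(script))
    print("XSS   fixed     :", render_comment_fixed(script))
    forged = {"to": "mallory", "amount": 500}
    print("CSRF  vulnerable:", transfer_vulnerable("sess-1", forged))
    print("CSRF  fixed     :", transfer_fixed("sess-1", forged))
```

The three fixes share one idea: keep untrusted input in the data channel (bound parameters, escaped text, a secret the attacker cannot supply) rather than letting it reach the channel that carries structure or authority.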
Organizations like HackerOne and Bugcrowd, and the non-profit Open Bug Bounty, act as a link between the world's bug hunters and clients looking for security solutions. HackerOne, founded in 2012 by two Dutch hackers whose vulnerability reports were initially rejected by big tech firms, now has over 450,000 registered hackers. HackerOne has helped fix over 120,000 vulnerabilities for 1,400 clients, earning hackers more than $62 million in awards.