India has no shortage of software talent. For proof, look no further than security researcher Anand Prakash, who is in the news once again for winning a $5,000 reward from Uber after he pointed out a bug in their software that could have allowed users to take unlimited free rides.
This is not the first time that Prakash has won a reward for pointing out a security flaw in a website. Over the years, he has alerted big corporations such as Facebook, Twitter and Google about potentially expensive and risky software loopholes on their websites. HuffPost India caught up with India's top bug bounty hunter for a chat. Here are edited excerpts from the conversation:
How did you get interested in hacking?
In 2010, I was in Kota, taking an entrance course there. Back then [the social networking site] Orkut was very popular and a friend of mine asked me to hack his account. After a few Google searches, I stumbled upon a guide to hacking a Google account. It was very well written and simple to follow. My confidence grew after that minor victory.
When did you begin to look at bigger security exploits?
After doing 'script kiddie' hacks, I became interested in actual website security when I was studying at the Vellore Institute of Tech. I began exploring tools such as Kali Linux for WiFi hacking. I found a bug in my college WiFi network and informed the authorities.
Which was your first big bounty?
In 2013, I found a bug in Facebook and informed them. I got to know much later that I had won a reward of $500.
In which other websites have you found security flaws?
There are many, many websites. Facebook is the first and foremost. I found a lot of bugs there. In fact, I am now among the top three security researchers for the social network. I am featured in their annual white hat list as well.
Among the other companies whose secure walls I have found holes in are Twitter and Google. I have also participated in the bug bounty program for Uber, GitHub, Nokia, Soundcloud, Dropbox, PayPal and others.
You have won many bug bounties. What does the reward stash look like?
Yeah, it's quite sizable. I have won almost ₹2.2 crore for finding anomalies in systems. One of the biggest catches was for Facebook last year, when they rewarded me $15,000 for finding a bug in their password system.
What do you make of security practices in the Indian startup space?
There is a lot to be done. Although the situation has improved over the past couple of years, a lot of startups ignore this aspect. There needs to be more budget for the security space rather than just spending on marketing and product. More bug bounty programs are needed in this country.
Many systems are being introduced in the payment space, including the Aadhaar stack. How good is their data safety?
For Aadhaar, I'd just say that the government should be more open to feedback. For payment systems, the companies should have multiple security audits and checks at regular intervals. They should keep 2-3 security vendors as well.
What are your future plans?
Right now I am working on a security startup to provide solutions to others. I will reveal more details on my blog soon.