CHANDIGARH, Punjab—Karan Saini (20) from Delhi was a teenager when he started to work as a bug bounty hunter after the sudden death four years ago of his father, a property dealer in Delhi. With no income left for the family (consisting of his mother and elder brother), a bug bounty award of Rs 45,000 from Twitter in 2015 was a huge relief to his family and also gave him a new purpose in life.
In March last year, Saini exposed a data leak in a system run by Indane, a state-owned LPG utility company, which allowed anyone to download private information such as the names, Aadhaar numbers and bank details of its customers. After working as a policy officer for a cyber security programme at the Centre for Internet and Society, Saini is now working as a product support engineer with HasGeek, a Bengaluru-based IT firm.
In East Delhi, every morning, Sayaan Alam (15), a class XI student whose family is from Uttar Pradesh, goes to school. He is studying computer science as an optional subject at school, but in his spare time he has been testing the security of e-commerce websites using a laptop he borrows from a cousin who stays with him in the same hostel in Okhla.
Ahmedabad-based Jenish Sojitra (who goes by Jensec online), an alumnus of Nirma University Ahmedabad, told HuffPost India that he became a millionaire at the age of 20. Since 2017, he claims to have earned around Rs 3.21 crores in bug bounty awards, and showed us screenshots acknowledging his reports.
Any technology you own is an avenue for attack
“Computers were my first love since childhood, and it grew more when my father bought one for my brother to play video games. I initially began working on cheat codes and modifications for video games to get advantages while playing. Following the death of my father in 2014, we were in the middle of a financial crunch, and a bug bounty award of Rs. 45,000 brought a huge relief for the family,” said Saini while speaking to HuffPost India.
Out of the prize money, he took Rs. 800 and bought a copy of The Web Application Hacker’s Handbook, and gave the rest of the money to his mother. Since then, Saini has been participating in numerous hackathons, programming challenges, and coding competitions.
In 2017, Saini found a critical bug in the Uber API and was awarded Rs. 7,000, and received Rs. 80,000 for exposing another potential bug in T-Mobile. He was in the news again in 2018, after exposing a bug that revealed the Aadhaar numbers and bank details of LPG subscribers.
“In places like India, targeted attacks become very easy as a large majority of the populace have singular points of failure. This can take the form of keeping a single phone number linked across multiple services and accounts. For certain people, this could present a potential opportunity for hackers and should be avoided,” said Saini.
No guidelines for ethical hackers
Alam, the son of an Uttar Pradesh-based poultry farm owner, is still waiting for his first laptop, and borrows a laptop every day. The 14-year-old took to ethical hacking last year and bought Burp Suite, a graphical tool for testing web application security. Since then, he has exposed some critical bugs in various e-commerce websites, including Tata CLiQ and Spoyl.
“A laptop still remains a dream, but I may buy it with some bug bounty award. Unfortunately, unlike multinational companies, very few Indian companies have secured APIs and bug bounty programmes,” said Alam, who recently won $500 (approximately Rs. 35,000) from Google and appears on its ‘Hall of Fame’ for finding a bug in its search panel meant for celebrities.
He believes the government should run a bug bounty programme for the government websites that hold the country’s critical infrastructure, such as the Aadhaar database, to secure them from cyber attacks, something a number of white hat hackers in India have been saying.
But in a country like India, there are no clear guidelines for ethical hackers. While some companies appreciate their work, others threaten them with a legal notice.
“In my case, my age often plays the spoilsport as the majority do not take me seriously. They are not ready to believe that all their years of experience can be proved worthless by the knowledge of budding security researchers. There are indeed many websites which, despite being alerted by me months before, have kept the bugs alive in their APIs,” said Sayaan.
Chasing American bugs, earning American bounties
Unlike Alam, Jenish Sojitra, an Ahmedabad-based youth, has the latest state-of-the-art gadgets and loves to ‘hack and secure’ everything, for money and as a hobby. Going by the Twitter handle @_jensec, Sojitra loves to buy the latest and most sophisticated gadgets, including smart watches, and to holiday with friends in India and abroad.
All this is possible because he has earned Rs 3.21 crores in bug bounties. How did he manage to earn such a huge bounty?
“I have been winning bounties since 2015, but the biggest came last year when I reported four critical bugs in PayPal, an online payment system, and was awarded Rs. 21 lakhs each (approximately $117,434) by the company. Later, I highlighted some more crucial bugs on PayPal and also earned $500 (approximately Rs. 35,000) from Facebook,” said Sojitra.
This young tycoon’s income multiplied manifold when he joined HackerOne and BugCrowd, the vulnerability coordination and bug bounty platforms that connect businesses with penetration testers and cybersecurity researchers.
Since 2017, Sojitra has won $450,000 (Rs 3.21 crores) through various bug bounty programmes. His story also reveals a big problem with security systems in India, and explains why some of India’s brightest young minds are focused on finding bugs and improving systems for American companies instead: in India, they’d be prosecuted.
“With no legal cover, budding security researchers in India face legal threats from companies whose APIs were found compromised by them. Ethical hacking with huge bug bounty rewards from multinational companies has attracted a lot of youths towards this sector recently, but a delay of a few months in finding some bug also leads to tremendous stress amongst them,” said Sojitra.