No Bounty for Bug Hunters in IndiaExperts Discuss Challenges, Solutions for Bounty Hunters
While there is no dearth of talent among Indian bug bounty hunters, hurdles such as lack of trust, payment disputes, cost, unethical practices and lack of regulatory laws deter the growth of the bug bounty programs in the country, according to some experts.
In 2020, Indian hackers submitted 18% of the total reports on San Francisco-based bug bounty platform HackerOne, while their U.S. counterparts contributed 11%. At bug bounty platform Bugcrowd, Indians received 34% of the payouts in 2020, Casey Ellis, the founder, chairman and CTO of the Sydney-based company tells Information Security Media Group.
It is also a lucrative career. Top hackers earn 16 times the median salary of software engineers in India, according to HackerOne.
India, however, is home to only eight companies with an active bug bounty program, according to Bugcrowd. A manual search on HackerOne's list of affiliates also shows no more than 10 Indian companies running active bug bounty programs.
Some companies, such as Walmart-owned e-commerce platform Flipkart, run vulnerability disclosure programs but do not offer monetary benefits to researchers.
The only government entities that have an active bug bounty program are COVID-19 contact-tracing platform Aarogya Setu and the National Critical Information Infrastructure Protection Center.
Additionally, India failed to make it to the top 10 in the HackerOne 2020 list of countries where organizations paying bounties are located.
In conversation with Information Security Media Group, security researchers and IT leaders detail why bug bounty and vulnerability disclosure programs are needed, what the implementation hurdles are and how CISOs can overcome these challenges.
Need for Bug Bounty and Vulnerability Disclosures
Several financial technology and e-commerce companies in India, including BigBasket, MobiKwik, Paytm and JusPay have been recent victims of data breaches, and the two sectors are likely to be prime targets for hackers and ransomware operators in the future.
That's because monetizing the results of an attack on e-commerce and fintech companies is comparatively easy, according to Ellis of crowdsourced security platform Bugcrowd.
"They [fintech and e-commerce companies] attract greater attention from a more diverse range of threat actors. Therefore, ensuring that defenses are set appropriately to hold expected attackers off is important, and bug bounty programs and [vulnerability disclosure programs] can help achieve that," he says.
On the attackers' side, Ellis tells ISMG, there's a vast number of adversaries with many different skill sets and all sorts of motives to break in and cause havoc.
"If you're competing against an army of adversaries, having an army of allies to level the playing field makes a lot of sense. This is what companies get access to when they tap into the creativity of the white hat community through platforms like ours," he says.
A VDP - or vulnerability disclosure program - he says, is the "neighborhood watch for the internet." Ellis advises CISOs to treat the need for a VDP as a question of "when" and not "if." In fact, there are many government regulations around the world that establish a VDP as a fundamental requirement of being on the internet, he says.
If companies run bug bounty programs and VDPs, it will further encourage people to report vulnerabilities, according to Koushik Sivaraman, vice president of cyber threat intelligence at Indian cybersecurity firm CloudSEK.
"It helps keep young, impressionable hackers on the good side, and that can make a significant difference," the former program manager for counter intelligence at the Indian Army tells ISMG.
A lot of Indian hunters show an incredible tenacity both in finding vulnerabilities and continually improving their skills, Ellis says. But, he adds, the adoption of well-structured and deliberate VDPs and bug bounty programs in the country is still fairly nascent.
Establishing a bug bounty program is challenging, Prakash Padariya, CISO of online payment solutions provider PayU, tells ISMG.
"There are numerous challenges in establishing bug bounty programs, all the way from setting up, integrating with internal bug tracking tools, validation and mitigation to, of course, payment," Padariya says.
Bug bounty programs can fail if security teams do not understand the complete infrastructure and set bounties without understanding overall risk appetite of the company, he adds.
Companies also fear that the hackers they collaborate with for bounty hunting may attack their systems, Akash Kundu, founder and CEO of Indian cybersecurity research firm Vulhunt, says.
But these fears are not well-founded, says Kundu, who is also a cybersecurity consultant with the Central Bureau of Investigation Academy and the Rajasthan Police Academy.
"Take for instance a web application firewall bypass. CISOs need to understand that they do not have to divulge the rules or security configurations, but only the architecture the organization's IT is built upon," he says.
In addition, India's regulators and data protection laws do not make it mandatory for organizations or government institutions - barring banking and financial firms - to have vulnerability disclosure policies or run bug bounty programs.
Kundu says that organizations in India view security testing from a compliance standpoint. They run Vulnerability Assessment and Penetration Testing, or VAPT, just to meet a checklist, he adds.
Indian multinational technology company Zoho Corp has been running a bug bounty program since 2015 and has seen participation from 400 hackers to date. Praval Singh, vice president of customer experience at Zoho, acknowledges that it was initially challenging to deal with the incoming volume of reports and a low signal-to-noise ratio.
Cost, according to Kundu, is another factor that deters CISOs from adopting bug bounty programs. "Many CISOs in India consider bug bounty programs to be expensive. For instance, the cost of a P1 test in India varies from 25,000 rupees ($340) to 30,000 rupees ($407), and CISOs are not willing to shell out that much," he says.
Payment Disputes and Timelines
In Kundu's experience, the most common reason for payment-related disputes between companies and bug bounty hunters is the timeline. Bounty, in most cases, is paid only after the company verifies the vulnerability and patches it - a process that can take time.
"The challenge is that a lot of Indian companies running bug bounty programs do not specify the timeline within which testing and patching will be completed in the contract, and that leads to payment disputes," he says.
Take PayPal’s bug bounty guidelines for instance. The company specifies 14 hours as the average time for reporters to receive a first response and 15 days to receive bounty. In comparison, Paytm has no specific timeline for first response or average time to bounty. Its website simply states: “It is Paytm’s decision to determine when and how bugs should be addressed and fixed."
PayU CISO Padariya advises that one must ensure bug bounty programs are legally covered in the jurisdiction in which the company operates. "It is extremely important to understand and ensure companies meet the finer points of a country’s law before starting bug bounty programs. It may take a serious turn if fake bugs are submitted while a researcher demands money for invalid or low-category bugs," he says.
Singh says that Zoho also dealt with contentious cases regarding the applicability, severity and impact of the issue, and the reward amount.
"Under such situations, we sit through multiple iterations, discussions and even debates to enable the hackers to understand our risk posture analysis. Polite and firm communication, along with relevant technical details and mapping with standards such as CVSS score does help to an extent while addressing such challenges," he says.
Backlash From Companies
In February 2021, MobiKwik suffered a data breach that compromised 7TB of its customers' personal data. The incident was first discovered by independent security researcher Rajshekhar Rajaharia, who first contacted MobiKwik, but got no response. He then tweeted his findings.
MobiKwik then labeled him "a media-crazed so-called security researcher who repeatedly presented concocted files."
In response, MobiKwik users posted screenshots confirming that their data had indeed been leaked.
To avoid similar occurrences, communication between the company running the bug bounty program and the bounty hunter is key.
"When companies do not respond, some pentesters feel that the company will patch the vulnerability and not pay them. That is when bounty hunters post the company's vulnerabilities publicly," Kundu says.
What Must CISOs Do?
Ellis of Bugcrowd recommends that organizations start with a VDP as well as a private crowdsourced testing program, and then ramp up efforts in a crawl-walk-run approach.
Zoho's Singh adds: "Start with VDP. Then proceed to have a limited bug bounty program covering critical assets, and then slowly expand."
A bug bounty program, however, does not eliminate the need for secure software development, thorough software testing, pen tests, and periodic web application and system scans, he says.
“Bug bounty programs are incremental to those efforts and are designed to find flaws that slip through such checks. This is sometimes misunderstood by organizations," Singh adds.
PayU CISO Padariya advises companies to define a well-articulated and legally protected bug bounty program. Kundu of Vulhunt suggests that CISOs with newly deployed bug bounty program enlist the help of crowdsourced security partners to understand the process.
Sivaraman of CloudSEK says that companies can start the process by setting up an internal VDP. The move, he says, worked well for CloudSEK and eased fears of being hacked by bounty hunters.