Anand Murali

It is the end of Vishal Panchani’s workday as a product security engineer and time for him to boot his computer, gather his tools and go hunting—for software bugs. As has been his routine since 2016, Panchani, 24, has been leading an alternate life—working for a software company by day and going after creepy-crawlies in code by night.

This bug-hunting is a lucrative calling, too. Panchani, who works at an IT services company in Bengaluru, says he has made more than $400,000 (Rs 2.8 crore) so far. And he’s one of the best in the game, ranked 9th on the all-time leaderboard of Hackerone, a platform for bug bounty programmes.

“I hunt bugs for four to five hours every night after work,” says Panchani, who goes by the name ‘gujjuboy0x00’ when he’s out hunting bugs.

Cybersecurity specialists like Panchani are sought after by companies, which use their expertise to expose vulnerabilities that may be lurking in their software code. They do this through bug bounty programmes, which pay the bounty hunters money for finding and reporting errors in the software code. The bounty depends upon the threat level, or the severity, of the error in the software code. The payouts could range from a few hundred dollars to thousands of dollars, and these bug bounty programmes can be found on platforms like Hackerone, Bugcrowd and Synack.

Over the past year, bug bounty programmes have been gaining in importance. Companies including Apple, Google, Tesla, Github and Netflix have been expanding the scope of their programmes and increasing payouts, a reason for bug bounty hunting becoming a career choice for many with a knack for it.

Among them is 27-year-old Vijay Kumar, a former data engineer with e-commerce platform Flipkart who has now taken up bug bounty hunting as a full-time career.

“I started earning a lot more than I earned at Flipkart,” says Kumar, who found the new career more exciting than his previous job. “It’s a huge universe of new things happening every day in the cybersecurity space.”

Kumar started off pursuing cybersecurity research as a hobby but realised that it was lucrative. One particularly happy payday was with Uber when he earned $6,000 for finding and reporting a bug on the ride-hailing app.

With access to tech tutorials online, many have taken to making a career in bug hunting even while studying in college.

Twenty-year-old Jenish Sojitra is pursuing a degree in computer science in Ahmedabad and will be graduating next summer. But Sojitra has already made a career in bug bounty hunting. His biggest bounties are from programmes run by the payment provider PayPal—a cool $30,000.

“After college, I’m planning to pursue a career in bug hunting,” says Sojitra, who is ranked 17th in this quarter’s Hackerone leaderboard.

While that’s the good news, the bad news is that Indian corporates and home-grown startups are either miserly, adversarial or ignorant when it comes to bug bounty hunting. The biggest paymasters are multinational corporations.

Only a few Indian startups support and advocate bug bounty programmes. Most large companies ignore data security and leaks, and in some cases even threaten bug hunters with lawsuits for finding bugs.

Anand Prakash, a veteran bug hunter, who has been active in the scene since 2013 and earned over Rs 3 crore via bug disclosures and bounty programmes, has been on the receiving end many times. “There have been around three instances where I have tried reporting bugs and in return been threatened with lawsuits,” he says.

Bugs, if undiscovered, have the potential to cause catastrophic financial loss and result in serious reputational damage. That is why companies that take their security seriously are willing to pamper bug hunters.

In 2017, Prakash discovered a vulnerability which allowed him to take over the Uber app and book free rides in India and the United States. The San Francisco company then asked him to test the loophole by booking free rides, which he did. Convinced, Uber plugged the bug and rewarded Prakash.

On another occasion, Prakash demonstrated that he was able to take over Facebook accounts and post videos on others’ behalf. He was paid $12,500 for his troubles.

Not all bug bounty hunting happens in the public domain, with platforms acting as facilitators. Sometimes companies contact the top hunters directly or hold invite-only programmes on these platforms where they challenge hunters to find bugs.

In India, bug bounty programmes are limited in number and often do not have any payouts. Zomato is one of the few Indian companies that has a bug bounty programme and according to its Hackerone profile, the company has paid around $100,000 since its programme began. Flipkart, which was once India’s most valuable startup but is now owned by US-based Walmart, has what is known as a ‘responsible disclosure’ programme. Translated, it means those who report bugs will receive a thank you note but no money.

When Prakash, 26, started his career, he recalls, there were only a handful of others like him. But today his tribe has thousands of members. In 2018, Facebook paid security researchers over $1.1 million through its bug bounty programme, and India led the list of countries to which the company made the highest payouts.

According to Hackerone's report, Indian hackers accounted for 27 percent of security researchers on its platform, the highest from a single geography, and received around $4,982,260 in bug bounty payouts on its platform.

But for bug bounty programmes to take shape in India, laws pertaining to data breaches, data privacy and data protection have to be put in place and strongly enforced. Only then will companies realise the importance of securing data.

“Until enterprises change their attitude towards cybersecurity and data security, in particular, Indian platforms and bug bounty programmes will not take off and Indian bug hunters will have to resort to international programmes,” says Prakash, who is also the CEO and founder of cybersecurity firm Appsecure.