Bug Bounty: How a 22-year-old was paid $15,000 by Facebook

Last week we woke up to the news of a 22-year old Security Engineer at Flipkart discovering a bug in Facebook that could grant access to messages, credit/debit cards tied to the account and personal photos and other personal information. All without the user’s knowledge. Anand Prakash, who discovered the bug and informed Facebook about it, was rewarded $15,000 (approx Rs 10 lakh) for discovering the vulnerability which could be disastrous for the Menlo Park-based company. [caption id=“attachment_2670534” align=“alignleft” width=“380”]  Anand Prakash. Image courtesy Lemon Studio[/caption] Head over to Prakash’s Twitter page and in addition to his work title, his bio says “bug bounty hunter”. On being asked to elaborate, he said, “A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities. These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse.” A lot of international websites have bug bounty programmes in place. Some of them reward people discovering the bugs whereas others don’t. There are very few Indian players who openly advertise about it. Ola is one of the few companies which has a bug bounty programme that we have heard of. Prakash, who is almost a veteran now of bug bounty hunting, told tech2 that as far as most Indian companies are concerned, there was a heavy reliance on consultancy firms, for discovering bugs, and not core users. He says that most Indian companies are not really serious about security. “Most of the Indian companies don’t care about security. Flipkart has a dedicated security team to safeguard its customers/sellers. Companies like Jugnoo, Ola, Swiggy, Practo etc., have awesome security teams,” he says. The root cause of the issue is the somewhat lax attitude of the venture capitalists who fund new services and apps he feels. “VCs should force companies to have penetration testing scans from good US security firms, as India does not have good consultancy firms. Right now companies are just paying a fee on a per app or per year basis,” says Prakash. This, he feels, does not yield good results from a security perspective. Prakash spends around 2-4 hours in a week, mostly on weekends, discovering bugs. He discovered the Facebook bug, for which he won $15,000, in around 20 minutes. According to him, it was “easy to find”. Apart from Facebook, he has also identified bugs for Twitter, Google, RedHat, Adobe, and many other US based companies, for which he has won rewards at time as well. In India, he has helped Zomato plug a loophole as well, for which he got a ‘Thank You’ message in place of a monetary reward. But how easy is it really to independently go about ethically hacking into a system? Wouldn’t it be construed as hacking and involve legal proceedings against the hacker? He says that all companies have a responsible disclosure policy in place. “Think of a case where the company’s database includes credit/debit card information is sold on the black market. I am actually saving that company by doing responsible disclosure, thereby preventing it from a huge loss,” he added. Bug bounty hunting is a hobby for Prakash, which he pursues independently not just for the rewards but also to keep his knowledge of the field up to date. His employer Flipkart doesn’t mind his pet projects. “I am always appreciated by my peers when I find any bugs on any major website. You tend to learn a lot when you look for vulnerabilities on a major platform such as Facebook,” Prakash said while signing off.