These modern day Indian bounty hunters are making a killing hunting (software) bugs

Anand Murali • November 14, 2019, 16:14:26 IST

Most large companies ignore data security, and in some cases even threaten bug hunters with lawsuits.


It is the end of Vishal Panchani’s workday as a product security engineer and time for him to boot his computer, gather his tools and go hunting—for software bugs. As has been his routine since 2016, Panchani, 24, has been leading an alternate life—working for a software company by day and going after creepy-crawlies in code by night. This bug-hunting is a lucrative calling, too. Panchani, who works at an IT services company in Bengaluru, says he has made more than $400,000 (Rs 2.8 crore) so far. And he’s one of the best in the game, ranked 9th on the all-time leaderboard of HackerOne, a platform for bug bounty programmes.

![Vishal Panchani, a top bug bounty hunter from India.](https://images.firstpost.com/wp-content/uploads/2019/11/Vishal-Panchani.jpg)

“I hunt bugs for four to five hours every night after work,” says Panchani, who goes by the name ‘gujjuboy0x00’ when he’s out hunting bugs.

Cybersecurity specialists like Panchani are sought after by companies which use their expertise to expose vulnerabilities that may be lurking in their software code. They do this through bug-bounty programmes which pay the bounty hunters money for finding and reporting errors in the software code. The bounty depends upon the threat level or the severity of the error in the software code. The payouts could range from a few hundred dollars to thousands of dollars and these bug bounty programs can be found on platforms like HackerOne, Bugcrowd and Synack.

Over the past year, bug bounty programmes have been gaining in importance. Companies including Apple, Google, Tesla, GitHub and Netflix have been expanding the scope of their programmes and increasing payouts, a reason for bug bounty hunting becoming a career choice for many with a knack for it.

Among them is 27-year-old Vijay Kumar, a former data engineer with e-commerce platform Flipkart who has now taken up bug bounty hunting as a full-time career. “I started earning a lot more than I earned at Flipkart,” says Kumar, who found the new career more exciting than his previous job. “It’s a huge universe of new things happening every day in the cybersecurity space.” Kumar started off pursuing cybersecurity research as a hobby but realised that it was lucrative. One particularly happy payday was with Uber when he earned $6,000 for finding and reporting a bug on the ride-hailing app.

With access to tech tutorials online, many have taken to making a career in bug hunting even while studying in college. Twenty-year-old Jenish Sojitra is pursuing a degree in computer science in Ahmedabad and will be graduating next summer. But Sojitra has already made a career in bug bounty hunting. His biggest bounties are from programmes run by the payment provider PayPal—a cool $30,000. “After college, I’m planning to pursue a career in bug hunting,” says Sojitra, who is ranked 17th in this quarter’s HackerOne leaderboard.

![Image: HackerOne](https://images.firstpost.com/wp-content/uploads/2019/11/Source-Hackerone.jpg)

Visualisation of bounties by geography. Image: HackerOne

While that’s the good news, the bad news is that Indian corporates and home-grown startups are either miserly, adversarial or ignorant when it comes to bug bounty hunting. The biggest paymasters are multinational corporations. Only a few Indian startups support and advocate bug bounty programmes. Most large companies ignore data security and leaks, and in some cases even threaten bug hunters with lawsuits for finding bugs. Anand Prakash, a veteran bug hunter, who has been active in the scene since 2013 and earned over Rs 3 crore via bug disclosures and bounty programmes, has been on the receiving end many times.

“There have been around three instances where I have tried reporting bugs and in return been threatened with lawsuits,” he says.

Bugs, if undiscovered, have the potential to cause catastrophic financial loss and result in serious reputational damage. Which is why companies which take their security seriously can pamper bug hunters. In 2017, Prakash discovered a vulnerability which allowed him to take over the Uber app and book free rides in India and the United States. The San Francisco company then asked him to test the loophole by booking free rides, which he did. Convinced, Uber plugged the bug and rewarded Prakash. On another occasion, Prakash demonstrated that he was able to take over Facebook accounts and post videos on others’ behalf. He was paid $12,500 for his troubles.

![Anand Prakash, Bug Bounty Hunter and Founder of Appsecure.](https://images.firstpost.com/wp-content/uploads/2019/11/Anand-Prakash.jpg)

Not all bug bounty hunting happens in the public domain, with platforms acting as facilitators. Sometimes companies contact the top hunters directly or hold invite-only programmes on these platforms where they challenge hunters to find bugs.

In India, bug bounty programmes are limited in number and often do not have any payouts. Zomato is one of the few Indian companies that has a bug bounty programme and according to its HackerOne profile, the company has paid around $100,000 since its programme began. Flipkart, which was once India’s most valuable startup but is now owned by US-based Walmart, has what is known as a ‘responsible disclosure’ programme. Translated, it means those who report bugs will receive a thank you note but no money.

When Prakash, 26, started his career he recalls only a handful of others like him. But today his tribe has thousands of members.

In 2018, Facebook paid security researchers over $1.1 million through its bug bounty programme and India led the list of countries to which the company made the highest payouts. According to HackerOne’s report, Indian hackers accounted for 27 percent of security researchers on its platform, the highest from a single geography, and received around $4,982,260 in bug bounty payouts on its platform.

But in India, if bug bounty programmes have to take shape, then laws pertaining to data breaches, data privacy and data protection have to come into place and should be strongly enforced. Only then will companies realise the importance of securing data.

“Until enterprises change their attitude towards cybersecurity and data security, in particular, Indian platforms and bug bounty programmes will not take off and Indian bug hunters will have to resort to international programmes,” says Prakash, who is also the CEO and founder of cybersecurity firm Appsecure.
