It felt like winning the lottery, says web developer and ethical hacker Sameer Rao, of the first bug bounty he ever collected. Internet bug bounty hunters scan through a website or applications program to find a bug (or inconsistency in the code), point it out to the owners of the app, and get paid.
Rao's first win was in 2016. He'd been invited to join a WhatsApp group through a web link, and noticed a vulnerability. "I saw that the bug could be exploited to inject a harmful code into the web application, allowing the attacker to steal sensitive and private data."
Rao alerted Facebook, which owns WhatsApp; the problem was fixed. And, just like that, Rao found himself $3,000 richer.
Tech giants such as Google, Microsoft, Apple, Twitter, Yahoo, as well as Ola, PayTM, Mobikwik and Yatra, all run public bounty hunting programmes. Essentially, they invite coders, techies, ethical hackers—and anyone with the ability to spot a flaw — to test their various online software for bugs and report any that they find. The focus tends to be on security and privacy vulnerabilities.
Facebook runs one of the biggest such operations, with its Bug Bounty Program (BBP) handing out up to $30,000 per bug reported, since 2011.
Smaller companies that can't afford to run their own programs use mediator platforms such as HackerOne, to connect with external contributors.
How it works
Most of the ethical hackers helping companies identify vulnerabilities for a fee use and sometimes modify open-source tools available on the internet. There are different tools that help track different types of bugs.
One they've identified a vulnerability, they send the company a sort of map of what they found, and how they found it. The company typically patches the bug and asks the hacker to try and bypass it again. Once the issue is resolved, the company decides on the bounty to be paid, depending on the potential impact the bug might have had on users.
In 2018, Facebook announced that it resolved over 700 issues (out of 17,800 submitted reports) through its BBP, and paid out a total of $1.1million.
Every year, Facebook compiles a list of hall-of-famers — hackers who have identified the highest number of valid, high-impact bugs.
"It is very prestigious to be on that list," says Shubham Bhamare, a 21-year-old who runs his own IT company in Nashik. He has been paid about $13,500 by Facebook since he started last year, and is No 25 on the list for 2019.
Hall of fame
Most bug bounty hunters have day jobs in web development. After hours, they do their back-end trawling for vulnerabilities. "I hunt only on Facebook, and spend about three hours a day combing through its various applications," says Rao. "If I find something interesting, I spend the rest of the night chasing the bug to its root."
Among the few full-time bug hunters is Bhavuk Jain, 27, a former mobile app developer from Delhi who earned his first bug bounty in 2017, when he found a private data disclosure vulnerability on Yahoo. "About a year ago, I quit my job and started doing this full time," he says. "I've been making significantly more from bug bounties than I was making as a mobile app developer."
You might think that the more bugs identified, the fewer there would be left to find. But every update means a possibility of new bugs, and so the work is never-ending.
Tech companies have found the bounty-hunters so useful that they have now begun to pre-release new products for the hacking community to test, before releasing them to the public. For instance, Facebook is currently running a bug bounty program to test its new cryptocurrency program, Libra.
New rollouts and regular updates mean the companies will never be able to track all their coding issues themselves, says Rao. "There will always be bugs to find. And so the hunt never stops."