Meet three Indian ethical hackers who made over $40,000 each in 2018 from bug bounties

Hacking the system, legally.

So far, being a techie in India has been synonymous with being a coder or a developer. But not anymore.

Ethical hacking has now become a lucrative career path for engineers in the country.

Laxman Muthiyah, a 26-year-old Chennai-based independent security researcher, has won $62,000 (Rs44 lakh) over the last five years by finding security flaws in Facebook and its photo-sharing app Instagram. In March this year, Rohit Kumar, a second-year student at Lovely Professional University (LPU), was inducted into the Facebook Hall of Fame for being among the top 20 bug bounty hunters in 2018.

In 2018, hackers from India claimed the second-highest share of bounties in the world, after the US, according to cybersecurity firm HackerOne.


Quartz spoke with three ethical hackers—Sandeep Singh, a 25-year-old security analyst at HackerOne; 23-year-old Shivam Vashisht, who dropped out of mining engineering at National Institute of Technology (NIT), Raipur, in the second year; and 21-year-old Harsh Jaiswal, who works as a security engineer at food-tech firm Zomato by day and hacks by night.

Edited excerpts:

How did you get into hacking and when did it become a profession?

Singh: It all started when I followed a friend’s suggestion to attend an ethical hacking training course. I’d been practicing hacking for three years when I came to know about bug bounties.

Jaiswal: I have a love for computer games. So I used to search for hacks for games, which led me to a lot of websites that were trying to trick me into filling my Facebook/Google passwords. That was when I learned about phishing attacks. The moment I got my first reward from Medium, it made me realise this is cool. If it allows you to learn and earn together, why not make it a profession?

Why do you prefer hacking over a traditional developer job?

Vashisht: In a traditional, low-paid developer job, I would just be scratching the surface with some technology and work to develop things without having the bigger picture in mind. With hacking, I can explore a lot more and it has a powerful result.

Which platforms have you been hacking?

Singh: I used to hack on Airbnb and Facebook; most of the others are private companies, so I cannot reveal their names.

Vashisht: A few of my favourites are Yahoo!, MasterCard, Netflix, and Okta. They have very welcoming security teams. I also work privately with some well-known billion-dollar companies which I am not allowed to name publicly.

Jaiswal: If I have to pick a few, it would be Vimeo, PayPal, and Linode. They have a great response time, they appreciate my efforts, and of course, they reward well. It’s always motivating when all these checkboxes are ticked.

Can you give some specific examples of the biggest threats you’ve helped diagnose/solve?

Vashisht: One was in a US-based online job recruiting company. I found a flaw disclosing every user’s private information, which, if used maliciously, could have been used to lock down or encrypt all the data. For a US-based music company’s fully locked-down administrative panel, I was able to inject SQL queries which could have been used to download all their users’ data, log into the admin panel and get full file system access of their servers.

Jaiswal: I’ve helped uncover tonnes of security loopholes which include, but are not limited to, data leaks where one could have leaked the private information of all the users of that product, and authentication bypasses, where one could have gained access to users’ accounts.

How do you make money—bounties or salaries?

Vashisht: My only source of income is bounties. This has been increasing for me every year. In 2018, I made around $125,000 (Rs90 lakh).

Jaiswal: That’s very subjective, but if I have to give an average earning from bug bounties, it should be around $40,000-$60,000 per year. It can be way more depending on how many hours and how much effort you’re dedicating and the kind of bugs and programmes you’re focusing on.

Previously (my income) was all bounties but now salary also plays a role in it. Salaries are constant. When it comes to bounties, there’s a burnout. There will be a period where you start feeling exhausted and you need a good rest to come back stronger.

What’s the most you’ve been paid for a hack? Please describe what it was.

Singh: $6,000 from a private company for accessing the internal panel of the company, which was not supposed to be accessible to anyone outside.

Vashisht: I have been paid $11,500 for a bug in Yahoo!. I was able to steal cookies of a user account by using one of their servers to inject malicious code, that resulted in a full account takeover i.e. allowing the attacker to read all Yahoo! Mail content, and could be used to further compromise associated accounts such as Facebook. The server was taken down within a few hours after the flaw was patched.

Jaiswal: I was paid $30,000 from PayPal for executing arbitrary operating system commands on PayPal’s server. I had collaborated with a friend for this hack. My individual highest-paid bug was $20,000, again from PayPal, for finding a way to steal access tokens of other users which could have allowed me to gain access to their accounts.

What is the hacker community like in India?

Vashisht: India’s hacker community is the largest in the world. (The country is home to 27% of all white-hat hackers in the world.) You can see hackers from almost all regions of India. In terms of gender, men have been dominating for now, but this community is quite open and I see a lot of women joining. In the coming years, this is definitely going to change as information security-related career awareness increases.

Jaiswal: I have friends in information security from all over India. There are people who are not financially strong and there are people who are. I have seen people supporting their families financially with the bug bounties, which is really cool.

Where do you see yourself in 10 years? What is the future of this job?

Singh: Personally, I hope I will be chilling and living a peaceful life in some corner of India near the mountains and nature. Bug bounty has a really great future, and is one of the best career paths for skilled guys who want to live an independent life, on their own terms.

Vashisht: I would probably like to invest time doing some research. This is a lesser-known profession and has tonnes of potential, most such jobs at companies around the world are vacant.

Jaiswal: I believe in taking it step by step. I’m inspired by Orange Tsai, Filedescriptor, and Frans’ research and aim to do some good research work like them in the future, and contribute to the community. When it comes to the future, remember, “Data is the new oil.” Everything is going online, so the cybersecurity industry is only going to boom. Moreover, with new security laws like GDPR coming into play, the future is only looking brighter.