Ola is finally willing to share its bounty with hackers


Indian technology startups have picked up another lesson from their Silicon Valley counterparts.

On Aug. 2, taxi aggregator Ola launched its bug bounty programme, under which the company will compensate or acknowledge those who report bugs in its software. The only other Indian startup that runs a well-known bug bounty programme is the digital payment and e-commerce company Paytm.

Bug bounty programmes, which are actively used by the likes of Google, Facebook and Twitter, help companies spot flaws in their software and fix them before they can be exploited.

“Globally, some of the most critical vulnerabilities online have been resolved thanks to efforts of researchers fuelled entirely by curiosity and altruism. We’d like to channel this curiosity to create a safer environment on the Ola platform too,” Ola said in a blog post.

Ola will offer a minimum reward of Rs1,000 for spotting a bug, but there will be no upper limit on the bounty.

The Bengaluru-based cab-hailing firm—which holds over 70% of the market share in India’s internet-based commuting solutions sector—facilitates bookings for taxis and auto rickshaws across 100 cities. According to the company, around 50% of its transactions are done through its digital wallet.

The move from Ola comes just a few months after several hackers claimed that the company’s mobile app was highly vulnerable to cyber threats.

In March, Bengaluru-based software developer Shubham Paramhans claimed that he had hacked into Ola’s wallet. Around the same time, the team of Appknox, a mobile app vulnerability detection startup, also claimed they had hacked Ola’s app. Founder Prateek Panda had said that his team found the app “so vulnerable that we don’t even want to call it a hack.”

However, Ola had brushed aside these claims, saying, “There is no threat to data and information security whatsoever to users. Like any technology company, we progressively issue updates, which include bug fixes from time to time. We urge users to update their apps to the latest version.”

In recent months, hackers have publicly pointed out security flaws in several other Indian startups including online restaurant search provider Zomato and music streaming app Gaana.

While companies like Ola and Paytm are finally realising the value of bug bounty programmes, most other Indian startups are still apprehensive of ethical hackers.

“Most Indian startups do not respect ethical hackers,” Panda of Appknox told Quartz. His team previously discovered vulnerabilities in Facebook, Google, Skype, Yahoo, and PayPal.

“It is sad that these startups are so heavily funded but they don’t want to reward hackers who could be of great help to them. It’s only now that social media has become so strong and companies run the risk of their name getting maligned on social networks that they are waking up to a programme like bug bounty,” Panda said.

And Indian techies seem really efficient at spotting cyber flaws. In 2013 and 2014, Indian users found more bugs on Facebook than users from any other country. In 2014, Indians reported 196 valid bugs to Facebook, which earned them an average reward of $1,343 per bug. Facebook’s minimum bug bounty reward is $500 (Rs32,000).