India's ethical hackers rewarded abroad, rebuffed at home

Mr Anand Prakash (right), who runs cyber security firm AppSecure India, meeting fellow ethical hackers at a public park in Bangalore recently. India's army of ethical hackers earn millions protecting foreign corporations and global tech giants from c
Mr Anand Prakash (right), who runs cyber security firm AppSecure India, meeting fellow ethical hackers at a public park in Bangalore recently. India's army of ethical hackers earn millions protecting foreign corporations and global tech giants from cyber attacks, but are largely ignored at home, their skills and altruism misunderstood or distrusted.PHOTO: AGENCE FRANCE-PRESSE

Long-overdue rethink of such hacking after major breaches for some Indian start-ups

NEW DELHI • Mr Kanishk Sajnani did not receive so much as a "thank you" from a major Indian airline when he contacted it with alarming news - he had hacked its website and could book flights anywhere in the world for free.

It is a familiar tale for India's army of "ethical hackers", who earn millions protecting foreign corporations and global tech giants from cyber attacks, but are largely ignored at home, their skills and altruism misunderstood or distrusted.

India produces more ethical hackers - those who break into computer networks to expose, rather than exploit, weaknesses - than anywhere else in the world.

Latest data from BugCrowd, a global hacking network, showed Indians won the most "bug bounties" - rewards for red-flagging security loopholes. Facebook, which has long tapped hacker talent, paid more to Indian researchers in the first half of 2016 than any other researchers. Indians outnumbered all other bug hunters on HackerOne, another registry of around 100,000 hackers. One anonymous Indian hacker - "Geekboy" - has found more than 700 vulnerabilities for companies like Yahoo, Uber and Rockstar Games.

Most are young "techies" - software engineers swelling the ranks of India's US$154 billion (S$213.2 billion) IT outsourcing sector.

"People who build software in many cases also understand how it can be broken," HackerOne co-founder Michiel Prins said.

LACK OF RECOGNITION

Not getting properly acknowledged, or companies not showing any gratitude after you tried to help them, that is very annoying.

MR KANISHK SAJNANI, 21, who hunts for software glitches in between his computer engineering studies.

But while technology behemoths and multinationals are increasingly reliant on such world-class hacking talent, only a handful of Indian firms run bug bounty programmes.

Mr Anand Prakash, a 23-year-old security engineer who has earned US$350,000 in bug bounties, said Facebook replied almost immediately when he notified it of a glitch allowing him to post from anyone's account.

"But here in India, the e-mail is ignored most of the time," said Mr Prakash, who runs cyber security firm AppSecure India.

"I have experienced situations many times where I have a threatening e-mail from a legal team saying 'What are you doing hacking into our site?'"

"Not getting properly acknowledged, or companies not showing any gratitude after you tried to help them, that is very annoying," said Mr Sajnani, 21, who hunts for software glitches in between his computer engineering studies.

However, India's unwillingness to engage its home-grown hackers has backfired spectacularly for a number of Indian start-ups, forcing a long-overdue rethink .

In 2015, Uber rival Ola launched what it called a "first of its kind" bounty programme in India after hackers repeatedly exposed vulnerabilities in the hugely popular app.

This month, Zomato, a food and restaurant guide operating in 23 countries, suffered an embarrassing breach when a hacker stole 17 million user records from its supposedly secure database.

The incident was especially galling for Mr Prakash. He had hacked Zomato's database just two years earlier, and said if it had listened to him then, "they would never have been breached in 2017".

In a mea culpa rare for an Indian tech company, Zomato agreed to launch a "healthy" bounty programme and encourage other firms to work with ethical hackers.

The government has staunchly defended its "Aadhaar" programme, which stores the fingerprints and iris scans of more than one billion Indians on a national database, and has accused those who have raised concerns of illegal hacking. But that's not good enough for Mr Prakash.

"The Indian government definitely needs a bounty programme to make their system more secure," he said.

AGENCE FRANCE-PRESSE

A version of this article appeared in the print edition of The Straits Times on May 30, 2017, with the headline 'India's ethical hackers rewarded abroad, rebuffed at home'. Print Edition | Subscribe