NEW DELHI— Two Indian “bug hunters” have discovered bugs in Apple’s programs this month, earning big payouts from the tech giant.
Narendra Bhati, an assistant manager in a technology firm in the western city of Pune, received $16,000 on Aug. 6, and Armaan Pathan, an aviation industry executive, netted $6,000 on Aug. 16.
Multinational tech giants such as Apple are rewarding ethical hackers to find flaws that make their programs misbehave. Bug hunting has become a buzzword in cybersecurity, and various bug bounty platforms such as HackerOne and Bugcrowd work as links between businesses and cybersecurity researchers.
The Apple Security Bounty program launched last year pays up to $1.5 million — the highest in the world. Bhati is the second Indian to receive payment from that program.
“It’s like playing a game for me,” he told Zenger News. “It lets me contribute to cybersecurity.”
He said that he has submitted several other bugs to Apple which are being examined.
Bhati said that he has also discovered bugs for Facebook, Microsoft and Amazon. He has been hunting bugs since 2013 after completing an ethical hacking course from a private institute.
A native of the western state of Gujarat, Pathan has been a part-time bug hunter since 2015. He said he has earned $350,000 by discovering bugs for Facebook, Amazon and Google. Pathan was, in fact, trained by Bhati. A winner in the Singapore government’s bug bounty competition, Pathan was also invited to Facebook Hacker Cup competitions in Miami and Singapore.
Bhati and Pathan represent the growing trend of bug hunting for tech giants among youth in India. It is a booming business globally. HackerOne helped remove 123,000 security vulnerabilities in more than 1,400 customer programs in 2019, earning $62 million for hackers from 150 countries, according to a HackerOne report.
So far this year, HackerOne reports that 170,000 vulnerabilities have been uncovered, earning hackers a record-breaking (for HackerOne) $100 million.
Indian hackers earned $4.9 million through HackerOne in 2019, coming in second only to their U.S. peers. In the past four years, India has emerged as a major player in the segment.
“As a result of their creativity and tenacity, we predict that hackers will have earned $1 billion in bug bounties within five years, protecting companies and governments alike from persistent and ephemeral threats,” CEO Marten Mickos wrote on HackerOne’s website.
HackerOne allows participants to make submissions in Hindi, Telugu, Marathi and Tamil.
The number of ethical hackers from India has increased 83 percent since last year, according to a recent Bugcrowd report. The country is also among the top locales for “cash from hacking,” earning 34 percent of bounty payments around the world.
“This has also helped India anchor its position in the field of cybercrime security research,” the report states.
The report also states that about 54 percent of all hackers surveyed were 24 years old or younger, and 41 percent had entered the bug hunting arena in the past 12 months. Thirteen percent were described as having attention-deficit hyperactive disorder or autism.
One of the first Indians to earn big money from the bug bounty was security researcher Bhavuk Jain. An independent bounty hunter, Jain cracked a bug in Apple last May and took home $100,000.
“A lot of websites and mobiles have a sign-in feature with Google or Facebook,” he said. “Apple had also launched a ‘Sign up for Apple’ feature. I found an issue with the API (application programming interface). Within four hours I knew I could hack into a person’s account on any website or mobile app simply through his e-mail ID.
“I have earned about $120,000 during the pandemic,” said Jain. “I am not looking for a job.”
Bug bounty hunters prevented losses to the tune of $8.9 billion last year, according to the Bugcrowd report. Ethical hackers are forecast to prevent cybercrime of more than $55 billion by 2025, the report states.
Multinational companies are investing more and more into this as dependence on digital operations grows.
The work for bug hunters, however, is difficult and time-consuming, and training is still not well organized. It took Pathan two years to crack the Apple bug.
“Apple is the most difficult security to crack,” said Bhati.
Vishal Panchani, 25, a hacker from Surat, Gujarat, who was ranked No. 9 on the all-time leader board of HackerOne, has already earned $400,000 from bug bounty.
While noting that many young people are lured by the big money opportunities, Panchani said, “they should understand bug bounty hunting is all about passion and dedication.”
(Edited by Siddharthya Roy and Judy Isacoff.)