‘I Won $100K From Apple’: How Indian Bug Hunters Chase Bounties

Indian bug bounty hunters have been picking up rewards from Apple and Google.

Cyrus John
Apple and Google have their own bug bounty programs.
(Photo: The Quint/Aroop Mishra)


Video Editor: Rahul Sanpui

Indian bug bounty hunters are on a roll these days. So much so that Bhavuk Jain, a bug bounty hunter from Delhi, managed to bag a $100,000 bounty from Apple for finding a critical bug in its system.

A few days after that, Ahmedabad-based security researcher Bipin Jitiya won Rs 23.8 lakh ($31,500) from Facebook for identifying a bug in its social networking platform and a third-party business intelligence portal.


What is a Bug Bounty?

“A bug bounty is a monetary award given to a hacker who finds and reports a valid security weakness to an organisation so it can be safely resolved,” according to HackerOne, one of the largest bug bounty platforms for hackers and companies to interact.

The Quint spoke to some Indian bug bounty hunters on how they have been hunting bugs for major technology companies and how the process is undertaken.

We also spoke to Joby John, who is an amateur bug bounty hunter and has been hunting bugs for American companies like Verizon Media.

We also spoke to another bug bounty hunter, Athul Jayaram, who found a critical bug in WhatsApp.

According to Jayaram, the bug allowed users' phone numbers to be revealed in plain text in Google's search index. What’s worse is that you were not able to revoke it.

Jayaram said Facebook fixed the problem after he found the bug, but he never got any credit for the find, adding that he felt cheated.

After the story had been published, WhatsApp reached out to The Quint to clarify that the indexing was no longer happening and the issue had been resolved.

WhatsApp also explained why Athul Jayaram did not qualify for the bounty.

“While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button.”
WhatsApp Spokesperson

We also talked to these bounty hunters about how they manage to hunt different kinds of bugs and what it takes to get into professional bug bounty hunting.

They also highlighted the need for ethics in bounty hunting: you are not supposed to use critical information against companies, and should instead inform them about vulnerabilities.


Published: 24 Jun 2020, 10:04 AM IST
