Hackers for good: A bug bounty hunter's path to America
So-called 'bug bounty' programs, which pay ethical hackers anywhere in the world for reporting security flaws, are the ticket for one Indian security researcher to study in the US.
—Deepanker Chawla led a double life.
As a security engineer at Delhi-based Hike Messenger, an instant messaging service, he spent weekdays protecting the firm from malicious hackers. On his off hours, however, he broke into the world's biggest tech companies.
Using a formidable array of self-taught skills, Mr. Chawla found troubling software flaws in the apps or services from Yahoo, Uber, Facebook, Google, Shopify, Snapchat, Yelp, and many others.
But instead of exploiting those vulnerabilities for criminal purposes, he revealed them to companies for cash and made more than $130,000 in two years by participating in so-called “bug bounties” for his discoveries. That's more than many Indian software engineers will earn in 10 years.
Today, Chawla is known as one of the best bug bounty hunters in India and ranks among the best the world. And with those credentials, and his earnings, he's planning his next move.
In December, he left Hike to spend more time searching for software flaws and to prepare to move to the US for graduate studies in cybersecurity. He's considering programs at multiple universities on both coasts and in the midwest. His immediate goal is to work full-time for a US company at least for a few years while pursuing his bug hunting activities on a freelance basis. He's less sure about his long-term plans but doesn't rule out the possibility of one day launching his own cybersecurity business.
His parents were reluctant about his decision to quit his day job in pursuit of becoming a professional hacker in the US, but have been supportive. “Indian parents want their kids in a 9-to-5 job,” he says.
While India has a booming tech sector, its engineers are still relatively low paid compared with their US or European counterparts. A typical software engineer will earn anywhere from around 375,000 to 700,000 Indian Rupees, or $5,500 and $10,000, a year. In 2015, the US Labor Department reported software developers made an average $98,260 annually.
But the global reach of the internet is allowing talented security researchers anywhere to profit from their talents via the hundreds of bug bounty programs that have proliferated on the internet in recent years. These are programs where organizations invite freelance security researchers to take a crack at their networks and services and offer cash rewards, merchandise, and recognition to those who succeed in finding security bugs in them.
Since 2011, Facebook has paid more than $5 million to some 900 researchers that have found various flaws in its products. Yahoo has handed out $1.3 million for the more than 2,000 security bugs that researchers have reported to it after the company launched its bounty program in 2013. Google has paid $6 million since 2010.
The effectiveness and lower costs associated with crowdsourced bug hunting has prompted hundreds of companies to launch similar programs in recent years, either on their own or through bounty program coordination firms like HackerOne and BugCrowd. Even the US government has joined the act.
Last year, the Department of Defense paid $150,000 to bug hunters that discovered 138 vulnerabilities in its public facing websites during a month-long "Hack The Pentagon" program. Defense Secretary Ash Carter later described the outcome as considerably less expensive than the $1 million the government would have paid to hire an external firm to do the same vulnerability discovery.
Many of the bug hunters participating in these programs are showing up in places like India and Pakistan, where universities are turning out a growing number of sharp engineering students.
Facebook for instance has paid more bug bounties to researchers in India than any place else, including the US. About 21 percent, or more than 9,000 of the 45,000 security researchers in BugCrowd’s roster are from India, putting them second only behind researchers from the US in numbers. And even that is a drop for the 40 percent just a year ago.
“We see a huge community of incredibly talented people coming out of India, Pakistan and the Philippines who are making a real difference to organizations,” says Paul Ross, senior vice president of BugCrowd. “Every time they find a vulnerability they are making an organization more secure.”
But unlike researchers in the US and UK who spend time chasing down rare, high-value bugs, a majority of bug hunters in countries like India and Pakistan are in the volume game, Mr. Ross says. “There’s a different economic model at play. People tend to go after a larger volume of low value vulnerabilities and do the same thing over and over again,” because it’s quicker and easier to make money that way.
Chawla, 22, earned an engineering degree in computer science from Shaheed Bhagat Singh State Technical Campus in Punjab. While he was in college, he was more interested in learning software development skills than in hunting for internet security flaws.
His interest in hacking was sparked when he figured out a way to take over a friend’s Facebook account via a common email scam. Buoyed by his success, Chawla began teaching himself how to break into other applications and platforms. Almost all of his hacking skills have come from searching for things on Google, on online forums, developer communities, and by following the blogs of people he considers the best in this business.
The real turning point came when he received $725 for reporting a bug to Yahoo in Nov. 2013. It was his first bug disclosure. “I was shocked in a good way because I was not expecting anything from Yahoo,” Chawla says. “That was the changing phase of my bug bounty career.”
Once he discovered bounty programs, Chawla would spend between six and eight hours daily chasing down security vulnerabilities in software. The process isn't simple.
When inspecting a website for the first time, for instance, Chawla looks for the low-hanging fruit first: Vulnerabilities from common, and well-understood mistakes that developers make when writing software, like allowing someone to inject malicious code into a site.
Even the biggest companies have a surprisingly large number of easy to find bugs on their platforms, he says. “When I hear a new bug bounty program is launched, I have a list of bugs I look for first,” he says. “Sometimes it takes me just five minutes to find a bug."
Chawla says that once he has exhausted all possible avenues for finding the obvious bugs, he starts hunting for the more elusive ones that take more digging to uncover and typically result in higher rewards.
Since his first Yahoo bug, Chawla has discovered more than 300 security flaws in a wide gamut of technologies. His spoils have ranged from $100 payments to bounties well over $1,000. His latest was a $10,000 bounty this January for discovering a security vulnerability in of all places HackerOne’s own platform for coordinating bug bounty programs.
Recently, over a cup of coffee in the restaurant of a five-star hotel in Delhi, the wispy, soft-spoken Chawla struggles to articulate all the reasons for his interest in bug hunting. Money is the big one of course, he concedes. His earnings have allowed him the ability to live in Vasant Kunj, one of Delhi’s most upscale neighborhoods.
But, Chawla says, cash isn't the only motivator. “In fact, initially I wasn’t even aware people paid for this,” he says.
There’s a certain exhilaration that comes from challenging yourself to find vulnerabilities and bypass security control in technology products from multi-billion dollar companies. And there’s always the satisfaction of learning something new every day, he says.
“I love bug hunting,” Chawla says earnestly. “I think there is a great future in it.”