Bug Bounty Hunters Say They Aren’t Welcome in India

Bug Bounty Hunters Say They Aren't Welcome in India

HIGHLIGHTS

  • Bug bounty hunters are hackers who warn companies about security flaws
  • They do this for both rewards, and recognition
  • They say Indian firms pay less, and don’t like talking of vulnerabilities

The recent Wannacry global ransomware attack, and closer to home, the Zomato user data breach, where millions of user logins were compromised, have forced all of us to be much more conscious of digital security. A key part of this ecosystem is the community of ethical hackers, also called bug bounty hunters, these are people who work with companies to patch security flaws. While big bounty program have been standards worldwide for several years, Indian companies like Zomato are only now following suit.

A bug bounty program is a vulnerability reward program instituted by corporates for ethical hackers. Hackers report bugs and vulnerabilities of websites or apps from corporates, who, in turn, recognise and compensate these hackers. Gadgets 360 spoke to a couple of ethical hackers told us that that they normally try and work with foreign companies, who are more open to paying bounties, and offer richer rewards to boot, when compared to their Indian counterparts.

Manish Bhattacharya, an ethical hacker born and raised in Bihar, said he paid off his educational loan through bug bounty programs from Facebook, GitHub, Shopify, and others. Some years ago, he had reported two clickjacking issues for Facebook – where a real link gets replaced by a malicious one, which could serve ads, or even malware. For this, he was paid $5,000 (over Rs. 3.22 lakhs today) by Facebook.

Anand Prakash has his own cyber-security startup, called AppSecure India, based out of Bengaluru. He is on Facebook’s ‘White Hat Bug Bounty Program’, which recognises and rewards security researchers who report vulnerabilities in Facebook’s services. In 2016, he has also found a bug in Uber that could let any hacker take multiple rides without paying for them. Uber gave him $5,000 in return.

anand prakash hacker ethical hacker

Anand Prakash runs his own security firm, AppSecure India

For Bhattacharya, bug bounty hunting has been, well, bountiful. He now works for a security firm in the United States. Prakash is on the list of Forbes Asia’s 30 under 30 (2017) and runs his security audit firm.

The ethics of bug bounties
Many companies such as Microsoft, Facebook, and Google are openhanded to bug bounty hunters. Bugcrowd maintains a list of websites that have a rewards program. But it’s important to remember that there are a bunch of rules that define what is ethical hacking.

“The difference [between ethical hacking and unethical hacking] lies primarily in the intent. and access rights,” says Amit Sethi, Chief Information Officer, AXIS Bank. “One is authorised and the other is unauthorised. Technology-wise there’s no difference per se.”

Bhattacharya and Prakash also agree with the corporate ethical code.

“If I have permission from the company to test their website or they have a bug bounty program then only I’ll go for bug hunting,” says Bhattacharya. “I’ll never test any government/ bank website without their written permission.”

“Hackers exploiting bugs and leaking user data is unethical. Recent Zomato hack was a perfect example of an unethical hack,” adds Prakash. “The hacker should not have forced the company to run a bounty program by leaking their data.”

manish bhattacharya hacker ethical hacker

Manish Bhattacharya works for a security firm in the US

The argument could be made that the hacker pushed the company to improve its security and institute a program that will only help users – but in the process, the data of millions of users was up for sale, as Prakash points out.

Indian companies don’t like to talk about vulnerabilities
As the hackers we spoke to mentioned, Indian companies aren’t typically welcoming of their efforts. Uber told Gadgets 360 that it has paid more than $860,000 – approximately Rs. 5.5 crore – in the last year to security researchers around the world. Of this, there were six researchers from India in Uber’s top 50 list. India topped Facebook’s bug bounty list last year, but things are very different when you look at Indian companies.

Global players award Indian hackers consistently, says Sandeep Sharma, a research analyst for IDC. “But, when it comes to Indian corporates, the picture isn’t as rosy,” Sharma explains. “Indian enterprises still have a long way to go as far as proactive security implementations are concerned.”

Why haven’t Indian corporates been encouraging when it comes to bug bounty programs? Startups we approached refused to be a part of this story. According to reports, Snapdeal, Ola, and Swiggy all have private bug-bounty programs, but none of these companies wanted to talk about why bug bounty hunters don’t get due credit in India.

Swiggy CTO and co-founder Rahul Jaimani instead pointed out that the company encourages bug bounties, as long as it’s done in an ethical manner, and ties up with credible third-party bug bounty platforms on an invite only basis. He added that Swiggy supports ethical hacking, as long as the researchers comply with Swiggy’s ethical and responsible disclosure norms. He also added that the terms and conditions of the website and app mention that unethical techniques used against the system are liable under the cyber security law, as per the IPC and Information Technology Act.

We asked Zomato the same question too, but the company wasn’t available for comment. Zomato had a bug bounty program on HackerOne for a while and after the recent Zomato hack, its CEO Deepinder Goyal tweeted, “Had never offered money as part of the program. That’s what’s going to change now.”

zomto culture 1495085835107 zomato

After the company was hacked, Zomato now offers money as part of its bug bounty program

This attitude is a problem as far as most bug bounty hunters are concerned – apart from money, recognition is a big driver as it helps to build a career in ethical hacking, explains Bhattacharya.

“Right now, India is full of startups, most of them don’t have – or they don’t want to spend – extra budget to hire a full-time security guy,” he says. “Most companies don’t trust an independent individual with their security; they prefer a security firm instead. Few startups like Ola, Paytm have bug bounty. But, their rewards don’t match the international standards, so bug hunters don’t spend time with these programs.”

Change remains slow
Axis Bank has an Innovation Lab that experiments with bug bounty. “It would be an incremental step in our efforts towards robust and secure software development and testing,” says Axis’ Sethi. In India, banking and financial service firms have been proactive about security solutions, adds AppSecure’s Prakash, who also told us that his security firm saw a sudden surge of fin-tech corporate customers, after WannaCry and the Zomato hacks.

However, both Bhattacharya and Prakash say that the industry has largely been slow to react, even after high profile attacks on their infrastructure.

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and subscribe to our YouTube channel.

Tags: Bug Bounty, ethical hackers, security advisor, Cyber security, Malware, Ransomware, WannaCry, Zomato Hacked
[“Source-ndtv”]

Xiaomi Mi Note 2, Mi MIX Smartphones Aren’t Coming to India in the Near Future

Xiaomi Mi Note 2, Mi MIX Smartphones Aren't Coming to India in the Near Future

HIGHLIGHTS

  • Xiaomi India has confirmed that Mi Note 2, Mi MIX will not come to India
  • This will disappoint buyers looking for a powerful, mid-range phablet
  • The company also did not launch Mi Note, Mi Note Pro and Mi 5s in India

Xiaomi has some disappointing news for fans in India looking forward to get their hands on the company’s newMi Note 2 and Mi MIX smartphones. The company has said that it currently has no plans to launch the new smartphones in the Indian market.

The company’s confirmation to Gadgets 360 will dishearten many a buyer in India looking for a powerful mid-range phablet, as well as those who are looking for an alternative to the now-defunct Samsung Galaxy Note 7.

(Also see: Which Is the Right Samsung Galaxy Note 7 Replacement, Xiaomi Mi Note 2 or Google Pixel XL?)

Xiaomi has previously shied away from releasing its most powerful smartphones in the Indian market, such as last year’s Mi Note, Mi Note Pro, and or even this year’s Mi 5, which took a while to arrive. There has been no official announcement regarding the India launch of Mi 5s and Mi 5s Plus, unveiled in September this year, so far either.The Android 6.0 Marshmallow-based Xiaomi Mi Note 2 sports a 5.7-inch full-HD (1080×1920 pixels) Oled dual-curved display and is powered by the 2.35GHz quad-core Snapdragon 821 Performance Edition SoC. It bears a 4,070mAh battery and Quick Charge 3.0 fast-charging technology, along with a fingerprint sensor on the home button. The smartphone comes in two configurations: 64GB storage + 4GB RAM, and 128GB storage + 6GB RAM.

The Xiaomi Mi Note 2 sports a 22.5-megapixel rear camera with a Sony IMX318 Exmor RS sensor, and an 8-megapixel Sony IMX268 Exmor RS sensor. Connectivity suite of the smartphone includes 4G-LTE (downlink speeds up to 6000Mbps), Wi-Fi, NFC, Bluetooth 4.2 and USB Type-C. Also on board is the Aqstic audio processor, with 192kHz/24-bit Hi-Fi sound quality.

On the other hand, the Mi MAX is a concept smartphone that will be sold in limited quantities in China. Its highlight is the 6.4-inch bezel-less display that gives it a 91.3 percent screen-to-body ratio; along with that, the smartphone has a ceramic body and piezoelectric acoustic ceramic earpiece speaker. The Xiaomi device is powered by a 2.35GHz quad-core Snapdragon 821 SoC, coupled with 4GB/ 6GB RAM, and packs a 4400mAh battery with Quick Charge 3.0.

Xiaomi has included a 16-megapixel rear camera with PDAF on the back and a 5-megapixel camera in front. Apart from 4G LTE support, connectivity options on board include GPS/ A-GPS, NFC with Mi Pay support, Bluetooth v4.2, Wi-Fi 802.11ac, and a USB Type-C port.

Xiaomi Mi Note 2

Xiaomi Mi Note 2

  • KEY SPECS
  • NEWS

Display

5.70-inch

Processor

quad-core

Front Camera

8-megapixel

Resolution

1080×1920 pixels

RAM

4GB

OS

Android

Storage

64GB

Rear Camera

22.56-megapixel

Battery Capacity

4070mAh

Also See
  • Amazon
    Xiaomi Mi 4i (White, 16GB)
    Rs. 7,800
  • Amazon
    Xiaomi Mi Max Prime (Gold, 128GB) –
    Rs. 19,999
  • Amazon
    Xiaomi Mi 5 (White, 32GB) –
    Rs. 24,995
Xiaomi Mi MIX

Xiaomi Mi MIX

  • KEY SPECS
  • NEWS

Display

6.40-inch

Processor

quad-core

Front Camera

5-megapixel

Resolution

1080×2040 pixels

RAM

4GB

OS

Android 6.0

Storage

128GB

Rear Camera

16-megapixel

Battery Capacity

4400mAh

Also See
  • Amazon
    Xiaomi Mi 4i (White, 16GB)
    Rs. 7,800
  • Amazon
    Xiaomi Mi Max Prime (Gold, 128GB) –
    Rs. 19,999
  • Amazon
    Xiaomi Mi 5 (White, 32GB) –
    Rs. 24,995
Tags: Xiaomi, Xiaomi India, Xiaomi Mi Note 2, Xiaomi Mi MIX, Xiaomi Mi Note 2 in India, Xiaomi Mi MIX in India
[“Source-Gadgets”]