Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



India’s Ethical Hackers Rewarded Abroad, Ignored at Home

Kanishk Sajnani did not receive so much as a thank you from a major Indian airline when he contacted them with alarming news — he had hacked their website and could book flights anywhere in the world for free.

Kanishk Sajnani did not receive so much as a thank you from a major Indian airline when he contacted them with alarming news — he had hacked their website and could book flights anywhere in the world for free.

It was a familiar tale for India’s army of “ethical hackers”, who earn millions protecting foreign corporations and global tech giants from cyber attacks but are largely ignored at home, their skills and altruism misunderstood or distrusted.

India produces more ethical hackers — those who break into computer networks to expose, rather than exploit, weaknesses — than anywhere else in the world.

The latest data from BugCrowd, a global hacking network, showed Indians raked in the most “bug bounties” — rewards for red-flagging security loopholes.

Facebook, which has long tapped hacker talent, paid more to Indian researchers in the first half of 2016 than any other researchers.

Indians outnumbered all other bug hunters on HackerOne, another registry of around 100,000 hackers. One anonymous Indian hacker — “Geekboy” — has found more than 700 vulnerabilities for companies like Yahoo, Uber and Rockstar Games.

Most are young “techies” — software engineers swelling the ranks of India’s $154-billion IT outsourcing sector whose skill set makes them uniquely gifted at cracking cyber systems.

Advertisement. Scroll to continue reading.

“People who build software in many cases also understand how it can be broken,” HackerOne co-founder Michiel Prins told AFP by email.

But while technology behemoths and multinationals are increasingly reliant on this world-class hacking talent, just a handful of Indian firms run bug bounty programs.

Information volunteered by these cyber samaritans is often treated with indifference or suspicion, hackers and tech industry observers told AFP.

Anand Prakash, a 23-year-old security engineer who has earned $350,000 in bug bounties, said Facebook replied almost immediately when he notified them of a glitch allowing him to post from anyone’s account.

“But here in India, the email is ignored most of the time,” Prakash told AFP from Bangalore where he runs his own cyber security firm AppSecure India.

“I have experienced situations many times where I have a threatening email from a legal team saying ‘What are you doing hacking into our site?’”

Sajnani, who has hacked around a dozen Indian companies, said he was once offered a reward by a company that dropped off the radar once the bugs were fixed.

“Not getting properly acknowledged, or companies not showing any gratitude after you tried to help them, that is very annoying,” the 21-year-old told AFP from Ahmedabad, where he hunts for software glitches in between his computer engineering studies.

– Attitudes changing –

An unwillingness to engage its homegrown hackers has backfired spectacularly for a number of Indian startups, forcing a long-overdue rethink of attitudes toward cyber security.

In 2015, Uber-rival Ola launched what it called a “first of its kind” bounty program in India after hackers repeatedly exposed vulnerabilities in the hugely-popular app.

This month Zomato, a food and restaurant guide operating in 23 countries, suffered an embarrassing breach when a hacker stole 17 million user records from its supposedly secure database.

The hacker “nclay” threatened to sell the information unless Zomato, valued at hundreds of millions of dollars, offered bug hunters more than just certificates of appreciation for their honesty.

“If they were paying money to the good guys, maybe ‘nclay’ would have reported the vulnerability and made the money the right way,” Waqas Amir, founder of cyber security website HackRead, told AFP by email.

The incident was especially galling for Prakash. He had hacked Zomato’s database just two years earlier, and said if they listened to him then “they would never have been breached in 2017.”

In a mea culpa rare for an Indian tech company, Zomato agreed to launch a “healthy” bounty program and encourage other firms to work with ethical hackers.

“We should have taken this more seriously earlier,” a Zomato spokeswoman said in a statement to AFP.

The Zomato hack, and panic surrounding this month’s global WannaCry cyber attack, comes as the Indian government aggressively denies suggestions its massive biometric identification program is susceptible to leaks.

The government has staunchly defended its “Aadhaar” program, which stores the fingerprints and iris scans of more than one billion Indians on a national database, and has accused those who have raised concerns of illegal hacking.

Prakash said it was vital the government embrace its own through a program like the “Hack the Pentagon” initiative, which last year saw 1,400 security engineers invited to poke holes in the US Department of Defense’s cyber fortifications.

“The Indian government definitely needs a bounty programme to make their system more secure,” Prakash said.

Written By

AFP 2023

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.