Digital bounty: A conversation with Anand Prakash who's won crores for reporting bugs

Here’s what Anand Prakash, the ethical hacker who won Rs 2.2 crore by finding bugs in Facebook, Twitter, and Uber has to say about bug bounties, Indian IT infrastructure, and ethical hacking.


As our world moves closer towards a digital economy, there is an underlying risk to security. Cybercrime poses a threat to individuals and businesses alike, and also to governance in modern times. Today, user data is integrated closely across multiple web services, and identifying security back gates before malicious attackers take advantage becomes all the more crucial. In such a scenario, ethical hackers or white hat hackers are the ones doing all the rigorous homework and saving businesses and services from global embarrassment.

There was a time when ethical hackers were considered mysterious, often dubious, personalities. But that’s changing. They’ve now evolved into saviors in the world of web security. So much so that tech biggies the likes of Facebook, Google, and Microsoft invite researchers, hackers, and security enthusiasts to split open their web products and find bugs. The companies pay these security experts anywhere from a few hundred dollars up to thousands. If you are the chosen one, you could also become a regular at such bug-hunting sprees and make a fortune out of it.

So does it mean hacking has become the new profession?

Consider hacking as two sides of a coin: when a hacker helps individuals or organizations build more secure systems, that falls under the white hat group, and when individuals with extensive knowledge about security expose vulnerabilities in systems for malicious purposes, they are categorized as dark hackers or black hat hackers. The job of the ethical hackers is basically to stop the dark-intention ones from taking advantage of any existing or new vulnerability in an organization’s online system.

While the growing awareness about the significance of having robust internet security in order to ward off threats has made engineers more cautious while designing their products, it has also led to the growth of an altogether new breed of engineers whose primary task is to discover security back gates and bring them to the notice of organizations before someone else does. It is known that major corporate organizations hire talent that helps them build secure products. Even so, it is often an erroneous line of code that goes undiscovered. It is here that these ethical hackers come into action. These hackers may or may not be formally employed by the companies or services they find bugs for, but the amount of money poured in for discovering vulnerabilities is hard to overlook.

In the recent past, a California-based hacker, Gurkirat Singh, exposed a critical Facebook security flaw that took advantage of the site’s password reset mechanism to hack into anyone’s profile. Finding the bug fetched Singh a paltry sum of $500 as it was a low priority finding, but for someone like Anand Prakash, Flipkart security engineer, bug-hunting for companies like Facebook, Uber, and Twitter has added a whopping Rs 2.2 crore to his fortunes. Ask him if bug bounty programs are a sustainable source of income and pat comes the reply, “Yes.”

BGR India engaged in a conversation with the Bangalore-based white hat hacker and here is what he has to say about bug bounties, Indian IT infrastructure, and ethical hacking. 

Money or Good Cause

For Prakash, the driving factor for finding security vulnerabilities in a given web-based product is the amount of data involved. For a network such as Facebook, the data involved is significantly high. With over a billion global users and millions of pieces of content shared every day, Facebook today is not only at the center of people’s daily communication but also serves as a medium for news/information sharing and a base for enterprises. The same calculation applies to Uber and Twitter, which have a number of users exchanging information, including something as personal as a house address. Prakash told BGR India that while there is money involved in such bug bounty programs, it is more about securing the huge trove of data which is vulnerable.

He further says, “At most of the companies, developers are not aware of basic security hygiene and loopholes. They should have the basic elements of hygiene in place while writing the software code. It is not about these companies not having the right talent, as they have good developers who are already doing their bit in building secure products. But there still lies the need to do more. It is also about making employees aware of the vulnerabilities.”

If you are one of those inspired and enthused to find a big bug for a big bounty, Prakash suggests that ethical hackers in-the-making could hone their skills by reading more about security, learning basic programming languages, and opting for online or offline certified courses on ethical hacking instead of opting for random courses. One of the online resources which helped Prakash discover major Facebook loopholes include and OS video series.

What can users and companies do to build more secure systems?

It is estimated that the global cost of cybercrime will reach £4.9 trillion annually by 2021. With a focus on going digital, Indians are slowly embracing the app-based lifestyle. Be it mobile wallets or online shopping, the penetration of internet is growing by leaps and bounds. While the companies and the government are trying hard to protect user privacy, the risk to security is increasing.

Prakash has a few tips for the users:

–  Use stronger passwords

–  Don’t use same passwords

–  Keep systems updated

–  Use on-screen keyboards

For companies, he suggests:

–  More hiring of security engineers

–  Opt for external security audits

–  Make developers/internal employees aware of basic security hygiene

–  Have more bug bounty programs to make their systems more secure

Is India doing enough?

A few years ago, it was difficult for ethical hackers to discover bugs in the systems of the companies without getting threats in return. However, given the growing need to add more security to the systems, this has changed. Prakash reveals, “Today companies are more aware of the importance of having secure systems and are making more investment towards the same,” adding that companies are certainly moving in the right direction by beefing up the security of their products.

Given that a lot of mobile wallets today are inter-linked to Aadhaar numbers, bank accounts, phone numbers, etc., does it spell the end of user privacy?

“Although the risk is increasing with more personal data being available online, the solution to this is building more secure systems,” says Prakash. He further explains that with the growth of such digital options, the government is also investing in building secure systems so as to protect end user privacy.

Being labeled an ‘ethical hacker,’ Prakash intends to pass on his skills to students and companies by organizing security workshops, so they could also contribute to the bigger aim of building secure systems.


  • Published Date: March 10, 2017 10:52 AM IST
  • Updated Date: March 10, 2017 11:16 AM IST