
Rise of India’s bug bounty hunter

Updated on: 19 November, 2023 07:45 AM IST  |  Mumbai
Gautam S Mengle | gautam.mengle@mid-day.com

Meet the young ethical hackers carving a space in a field dominated by Western cyber experts, earning accolades from Big Tech


Until recently, the words “bounty hunter” evoked imagery of lanky, stubbled men with wide-brimmed hats and boots, stalking the lanes of the Wild West, six-shooters in hip holsters. These gunslingers would make their living by hunting down criminals with rewards on their heads, bringing them in dead more often than alive.


Today, bounty hunters still exist, but in the dark caverns of the Internet. The new-age hunter is armed with skills as he sniffs out weak links in websites and apps, and reports them to the manufacturers. Officially termed “vulnerabilities” in cybersecurity lingo, the common word for them is bugs; and these men, bug bounty hunters.


Almost every major tech firm employs a Responsible Vulnerability Disclosure Programme, where ethical hackers, through relentless testing and research, unearth weaknesses in their system. Taking the same principle forward, companies now have bug bounty programmes, where a bounty is paid to the ethical hacker, depending on the gravity of the bugs unearthed.


Nikhil Rane, 24, Khar resident


Earlier this week, Nikhil Rane made a splash after he was featured in the India Book of Records for reporting no fewer than 198 bugs over a period of two years. Rane is currently pursuing a Master's degree in Cybersecurity at the University of Bradford, United Kingdom; he has been a bug bounty hunter since 2021, when he uncovered his first vulnerability.

“I acquired a Bachelor in Information Technology degree from Sathaye College [Vile Parle] but didn’t have a high score. I was wondering what to do next when my father suggested I look at cybersecurity. I started training at a private institute run by his friend in Mumbai, where I acquainted myself with the basics. While upscaling myself, I got familiar with bug bounties, and my interest grew,” Rane tells mid-day over a call from the UK.

In December 2021, Rane uncovered a bug in the website of a Netherlands-based firm. The bug enabled a hacker to intercept and manipulate the One Time Password (OTP) system used to create accounts, so that anyone could create an account using an email ID without proper authentication. It was the first bounty he earned. At Bradford, a professor realised Rane’s passion for bug hunting and published a blog about him on the university website. It travelled far and some 30 news media outlets featured him.

Rane has scores of bounties under his belt. Not all bug discoveries are rewarded with money, though. In some cases, you get “swags”: T-shirts or medals that acknowledge the effort. In other cases, you get featured in the Hall Of Fame section of the concerned website, like Google, Apple or Microsoft.

If there is one thing Rane rues, it is the approach of Indian companies towards vulnerability disclosure. “Foreign companies respond to you even if they are rejecting your findings. Most Indian companies don’t bother to reply to an email. They’d rather secure their business than secure their data.”

Onkar Borude, 21, Ahmednagar resident 


At first, Borude comes across as an unassuming young man with a rural Marathi accent. But on the keyboard, he is a warrior holding his own amidst a sea of experts. 

“My journey began four years ago when I made a friend online, who introduced me to the concept of ethical hacking. Through that, I became familiar with cybersecurity and bug bounty hunting, and the idea of helping organisations be more secure by reporting their vulnerabilities appealed to me immediately,” says Borude. 

For the next one year, he watched hundreds of videos, attended seminars and webinars and read blogs, teaching himself the skills required for bug bounty hunting. A year later, in 2020, he reported his first bug to Offensive Security, a New York-based company working in information security. He found that the link to their social media accounts at the bottom of their home page was faulty, and the bug allowed anyone to create a social media account in the company’s name. After that, there was no looking back. 

Today, Borude has over 250 bugs under his belt, over and above the 100 that he has reported to Indian government websites. He has earned over Rs 60,000 in bounties and boasts numerous Hall of Fame appearances and swags.

“I feel Indian companies look at certificates over skills. They are more responsive towards those with certificates in cybersecurity, not to those who have skills but may not be able to afford a course. Besides, there is a severe lack of awareness when it comes to cybersecurity. It is not talked about enough. I learned about it when I had already enrolled for my graduation in Engineering,” he says.

Sourajeet Majumder, 20, Bengaluru resident


Originally from West Bengal, Sourajeet Majumder now lives in Bengaluru. He made a major breakthrough earlier this year, when he was able to get to the root of a vulnerability in the WB government’s Aadhaar Enabled Payment System (AEPS), a mode of payment that works through Aadhaar-linked kiosks. Amid rising cases of money theft through manipulating the AEPS, Majumder found that he could, using a publicly available online tool, break into the data vaults of a state government website and steal citizens’ biometrics. Using these, cybercriminals could steal their money through AEPS. He reported his findings to the government and the vulnerability was patched within two days.

“Hacking as a term has a stereotype attached to it. It evokes images of men in hoodies typing away furiously and creating magic with their keystrokes. Ironically, it was this stereotype that got me interested. Soon, I discovered the difference between malicious hackers and ethical ones, and the bug bounty programmes, which really caught my attention,” says Majumder.

He learned everything he knows about hacking from online forums where ethical hackers share their knowledge and latest findings for others to refer to, and reported his first bug to a government website in 2019. Today, he has 50 bug bounties under his belt from Apple, Google, Bosch, Tumblr and Domino’s, and his feat with the AEPS system this year made him a name to be reckoned with.

“I have seen start-ups that have brilliant vulnerability disclosure mechanisms. And I’ve also encountered top companies that don’t even have an email ID one can report a bug to. Sometimes, when researchers report bugs to companies, they are threatened with legal action for testing the website without permission, while the severity of the bug is ignored!”

Manthan Mahale, 18, Thane resident


If there was an example of a teenager turning into an expert ethical hacker while living out of his parents’ basement, it has to be Manthan Mahale. He taught himself everything he knows about ethical hacking through YouTube videos and other publicly available resources, when he was all of 16. “It began as an attempt to find unsecured Wi-Fi routers so that I could connect to the Internet for free,” laughs Mahale. “But the field is fascinating; the more I read or watched videos, the deeper I got sucked in.”

Through online discussion forums and social media, he wormed his way into hacker communities and began learning from experts in the groups. His moment of reckoning came in 2021, when he found a vulnerability in a German company site that lets you create online questionnaires, like the ones used in market research surveys.

“You need to create an account in order to create a form, and through this account, you can store and access your data in the company’s server. Using a commonly available automated tool, I was able to discover a bug that let me access anybody else’s data with a little bit of manipulation,” says Mahale, who is pursuing a Bachelor of Engineering degree from the Indira Gandhi College in Ghansoli.

The spunky teen has reported 600 bugs to various big names, including McDonald’s and Google. He has earned cash rewards for two bugs from Google, has been featured in the tech giant’s Hall of Fame and was included in their Google Top Hunters list last year. But, he says, he is just getting started.

“Bug bounty hunting is just one part of the vast internet. There are more serious forms of cybersecurity research that I have set my sights on. With blockchain technology becoming the latest thing, there is serious scope for vulnerability researchers and I am still educating myself.”