“India is a country that is full of very smart, driven people,” said Casey Ellis, chief technology officer and founder of Bugcrowd. “There’s an opportunity to make money, and for the folks who are there and think like hackers, they can engage pretty quickly and see a reward.”
In India and around the world, Ellis said, bug bounty programs continue to grow, largely because of their appeal to security-minded people who can “think like a criminal, but have no desire to be one.”
Pranav Hivarekar, 24, who lives in the western state of Maharashtra, hunts bugs full time.
“I tried for eight months without any bugs,” Hivarekar said in an email. “Then I read ‘Web App Hacker’s Handbook,’ then made my way into bug bounties.”
He’s scored sizable payouts for some of the bugs he’s found this year, from companies such as Facebook and Snapchat.
Both companies run bug bounty programs that reward ethical hackers. Facebook runs its program in-house, while Snapchat works with a Bugcrowd competitor, HackerOne.
Bug bounty programs are becoming more common and more essential to securing the internet, according to Ellis. Bugcrowd’s report found payouts have increased 36 percent over the past year. Of the bugs identified by ethical hackers, 20 percent were classified as critical vulnerabilities with the potential to wreak serious havoc if exploited by bad actors.
Three-quarters of the most serious vulnerabilities, those Bugcrowd classifies as P1, now pay more than $1,200, up from $926 last year. Finding a critical bug can net some hackers paydays as large as $250,000, based on a review of bug bounty programs.
The security industry also faces a different kind of problem: a shortage of people. By 2020, there will be an estimated 1.5 million unfilled security positions, according to the Global Information Security Workforce Study released last year.
Ellis said he “looks at the bug bounty model as a way to bridge that gap.”
“What it comes down to is we need more people,” he said. “We need to build out an army of folks prepared to step up and act as defenders of the internet.”