IE 11 is not supported. For an optimal experience visit our site on another browser.

U.S. companies don't fear these foreign hackers — they pay them

Young and self-taught, they can make thousands of dollars for a finding a single bug.
Silhouette of male hand typing on laptop keyboard at night
Computer keyboardAndrew Brookes / Getty Images

Most days, Akhil George spends a few hours trying to hack companies from his home in Bangalore, India.

And he is paid well for his efforts.

George, 20, is what is known as a “white hat” hacker — someone who helps companies test their security systems to guard against intrusions from hackers with more nefarious motives. Over the past year, he has privately submitted 70 software bugs through so-called bug bounty programs, which offer cash rewards for each flaw found.

George is one of an increasing number of young, self-taught hackers in India who are making thousands of dollars through bug bounty programs, often more than they could make in a traditional 9-to-5 job.

Cybersecurity is already big business. Companies are projected to spend $96 billion on digital safeguards in 2018, according to the market research firm Gartner. Bug bounty programs, also called vulnerability rewards programs, are just one part of that industry, but it is one that offers the opportunity for individuals to hone their skills and make money.

Most major tech companies have their own bounty programs and have paid millions of dollars to ethical “white hat” hackers. Google recently awarded a teenager in Uruguay $36,000 for finding a bug.

Hackers can operate from anywhere in the world, with a majority of payouts being made in the U.S., according to a new report from Bugcrowd, a bug bounty platform used by MasterCard, Western Union, Twilio and dozens of other companies.

The U.S. may have the most participants in bounty programs, but hackers in India are submitting the most vulnerabilities, accounting for 30 percent of the submissions Bugcrowd reviewed last year, according to the report. That indicates that Indian hackers are finding the smaller bugs that are often missed by their American counterparts.

“India is a country that is full of very smart, driven people,” said Casey Ellis, chief technology officer and founder of Bugcrowd. “There’s an opportunity to make money, and for the folks who are there and think like hackers, they can engage pretty quickly and see a reward.”

Whether in India or around the world, Ellis said bug bounty programs are continuing to grow, largely based on the appeal of security-minded people who can “think like a criminal, but have no desire to be one.”

Pranav Hivarekar, 24, who lives in the western state of Maharashtra, hunts bugs full time.

“I tried for eight months without any bugs,” Hivarekar said in an email. “Then I read ‘Web App Hacker’s Handbook,’ then made my way into bug bounties.”

He’s scored sizable payouts for some of the bugs he’s found this year, from companies such as Facebook and Snapchat.

Both companies run bug bounty programs that reward ethical hackers. Facebook runs its program in-house, while Snapchat works with a Bugcrowd competitor, HackerOne.

Bug bounty programs are becoming more common and more essential to securing the internet, according to Ellis. Bugcrowd’s report found payouts have increased 36 percent over the past year. Of the bugs identified by ethical hackers, 20 percent were classified as critical vulnerabilities with the potential to wreak serious havoc if exploited by bad actors.

Three-quarters of the most serious vulnerabilities, classified as P1, now pay more than $1,200 — up from $926 last year. But finding a critical bug can net some hackers paydays as big as $250,000, based on a review of bug bounty programs.

But the security industry is also facing another potential threat. By 2020, there will be an estimated 1.5 million unfilled security positions, according to a Global Information Security Workforce Study, released last year.

Ellis said he “looks at the bug bounty model as a way to bridge that gap.”

“What it comes down to is we need more people,” he said. “We need to build out an army of folks prepared to step up and act as defenders of the internet.”