Nepalis go bug-hunting on the web

All photos: SAJANA BARAL

Lucrative financial rewards and the expansion of Internet services  are driving a ‘bug-hunting’  bonanza among Nepali youth who  have time in their hands during the pandemic lockdowns.  

Once the exclusive domain of IT whizes , coders and programmers, bug - hunting has now become an open field for talented Nepali students who offer their services to find potential security gaps in computer systems  or websites of companies like Facebook, Google, and Amazon .

“Bug solving is logical and can be done without much technical background, needing only a knowledge of companies’ guidelines and how sites work,” says Ashok Chapagain, 22, a bug-hunter himself. “Senior expert coders handle advanced-level bug hunting, while we  find simpler problems and report them .”

Bug-hunting is a form of ‘white hat’ ethical hacking in which researchers can be hired to look for and report bugs on company websites and applications. The trend began in 2002 when NetScape offered rewards for researchers, and  it gained popularity as companies found it cheaper and more effective to crowd-source  finding vulnerabilities to third parties.

Many companies across the world offer rewards to those who find security risks or programming mistakes, sometimes running into many thousands of dollars. This has made bug-hunting a full-time profession for many Nepalis.

Privacy is power, Saniaa Shah

“Social media networks have spread the appeal of bug-hunting among youngsters, many of whom have time on their hands during lockdowns,” says cyber security expert Bijay Limbu.

Social media giants such as Facebook and Twitter and large websites have sections that are too vast and difficult for employees to keep  track of, so the task is outsourced to independent researchers. Bug - hunters look into the sites, produce reports with video evidence, and send them to the companies. 

After deciding whether the report is valid, ‘duplicate’  (already reported before ) , or ‘informative’  ( harmless but helpful  reports ) , the company rewards the bug-hunter appropriately via bounty platforms like Bugcrowd and HackerOne. These companies act as brokers between researchers and the companies.  Facebook’s own bug bounty platform WhiteHat is the most popular among Nepali hunters, swelling in ranks especially after 2020 and the lockdowns.

Names such as Sudip Sah, Ajay Gautam, Shantabahadur Gharti Magar, Prajwal Dhungana, Nirmal Thapa, Aayush Pokharel and Eliza Gautam have featured on WhiteHat’s list of External Security Researchers. Nepali bug hunters are also active in screening Google, Microsoft, Amazon, Apple and even Oxford University’s websites for glitches. 

Despite differing in magnitude, all bugs have the potential to create privacy breaches and data leaks for companies. As a result, bug hunters are rewarded handsomely for finding faults, with Facebook’s minimum reward starting at $500 and Apple awarding anywhere up to $1 million. 

In 2020 alone, $1.98 billion was handed out to researchers from 50 nations for finding bugs across various sites and apps.

Many Nepali bug hunters have struck gold digging for bugs, with one of the researcher earning over $100,000 in cash rewards for finding various bugs across one-and-half years of intense research. 

Saugat Pokharel recently earned his 16th and largest payment , pocketing $13,125 when he reported a bug that violated privacy policies and erroneously displayed Instagram users’ dates of birth and email addresses. 

Pokharel and another bug-hunter Naresh Lamgade have now joined forces to launch, their own vulnerability coordination and bug bounty platform. 

“The bank suspected I was laundering money when I received the large cash sum through SWIFT Money Transfer,” says Pokharel. “It was only once I reached out to Facebook and they wrote a letter verifying the source of funds that I could claim the money.” 

Inspired by Pokharel’s bounties, management student 24-year-old Prabha Basnet, has also decided to become a bug hunter. 

“Initially, I had many reports rejected, but then two bugs I reported were accepted together, and I earned $3,000,” she says. “This motivated me to report bugs in Instagram and Facebook stories clashing, and potentially revealing sensitive information about users.”

Aside from the monetary rewards, bug hunting has also changed the landscape of cybersecurity. Increased vigilance from a growing army of spotters means potential bugs causing privacy or security breaches can be caught before they cause major damage. 

Nepal’s patchy cybersecurity state is particularly boosted by this external research boom, as thousands of government sites often go down for hours. Private sites like Foodmandu, Vianet and Prabhu Bank were also recently hacked. In response, some young Nepali bug hunters have developed a local bounty reward program to find breaches and fight hackers. 

Bug hunting and ethical hacking can also be a firewall against ‘black hat’ illegal hacking. Earlier, hackers with malicious intent would steal, leak or sell data obtained via bugs, explains Pokharel. 

“Black hat hackers would undermine the work of white hat researchers,” he says. “But with bug - hunting, even those previously black hat work have switched to just as lucrative legal white hacking.”

Bug-hunting has its natural downside. The monetary rewards mean it sometimes becomes a competitive cyber-stampede, placing considerable strain on the mental health of researchers. The desire to earn more pushes some bug-hunters to their limits, often with undesirable consequences.  

Santosh Bhandari was an accomplished bug-hunter, featuring regularly on Facebook’s list of External Security Researchers and even finishing 15th out of 404 worldwide participants in a live hacking tournament organised by Google and Facebook. 

However, he switched tracks and pursued other cybersecurity activities after suffering mental trauma from the competition and stress. He says: “Bug bounty and mental health are connected. You compile a bug report with so much of your effort and your time and wait so many days for a reply. If the report is accepted, it is all good, but if not your hard work and time are completely wasted and that can disturb you.” 

Prakash Pant from Chitwan has also featured on Facebook’s list, after finding three bugs at once on Facebook in February. Before that, however, he had more than 50 reports rejected as ‘duplicates' or ‘informatives’. 

Prabha Basnet also reports  suffering anxiety after her painstakingly written reports were rejected in the past. She says, “I had 15-16 reports rejected when I started, pushing me to the verge of quitting.”  

Bijay Limbu also warns that the competitive nature of bug-hunting may make youngsters money minded, and some are tempted to demand ransom for bugs they have uncovered. In any case, arbitrarily searching websites and apps for bugs without company invitation could spell legal trouble.

Translated by Kaustubh Dhital from the Nepali original in Himal Khabar.