Niva Shah, a medical student at the Janaki Medical College, was usually kept busy by her reading and exams before the Covid-19 pandemic. However, she found ample time at her disposal when the second lockdown was imposed after the Covid-19 second wave in Nepal. “One day, my brother [Nikesh] started telling me about bug bounties. When he was explaining, the concept seemed very interesting to me,” Shah shares, “So in that spare time, as my exams were over by then, I started learning about bug bounties, surfed YouTube and learned how to report the bugs.” Some two-and-a-half months later, Shah bagged a bounty and earned USD 1,000 from Facebook, within a week of reporting the bug.
Shah is among the many youths who were inspired to get into bug bounty hunting during the lockdown. In fact, the already growing interest in the lucrative reward system got a boost after Routine of Nepal Banda (RONB), a popular Facebook page among Nepalis, started posting frequent appreciation posts for such bounties.
The oldest public appreciation post on the page dates from October last year and features Prava Basnet, who won USD 3,000 from Facebook and was quoted as the ‘first Nepali female’ to be listed on Facebook’s white hat thanks page (2020). To date, the RONB page has published 14 such public posts. Given the influence the page has on Nepali youth, such posts have encouraged many youngsters to try to earn easily, from the comfort of their homes.
While stakeholders do want Nepali cyberspace to thrive, security researchers and cybersecurity experts have expressed their disappointment at the blind, herd-like mentality that has been growing among the youth.
Why the objection?
“It is good news that the youth are inspired to be active in the field by the success stories posted online. But, what is not good is that they are getting into this field for monetary gain and not for ethical reasons,” says Nirmal Dahal, the head of security at Cryptogen Nepal, a cybersecurity company.
Rikesh Baniya, a cybersecurity enthusiast, also says that the youth, lacking knowledge about cybersecurity, are getting the wrong idea about what bug bounty hunting really is.
Dahal and Baniya both add that neither cybersecurity nor hacking is an easy job. But after seeing the frequency of such appreciation posts on pages like the RONB, people start having high expectations and think hacking and bug bounty are easy feats.
Baniya explains, “It takes time for people to learn about bug bounty hunting. An individual needs about six months to learn well about bug bounty. However, during times like lockdown, when one has free time, one can even do it in about two to three months. But just based on the success stories, people expect the result almost instantaneously. On the contrary, when the results take time, when there are trials and errors, people start feeling depressed and they start doubting their own capabilities, inviting more troubles.”
Shah adds her experience here, saying, “I tried four times prior as well. But, Facebook responded to my claims as duplicate or non-applicable etc. The one I claimed also required some back and forth with the Facebook team to confirm. That is a hassle for sure.”
Baniya himself started active bug bounty hunting in 2019 and is currently ranked fourth on Facebook’s 2021 thanks page. “My first bounty was 150 AUD. That happened after months of learning the whole process on the internet. My aim was to learn the ways, deepen my knowledge and earn some pocket money in the process,” he explains, “So at most, I used to claim about USD 50 to 100 on a monthly basis, that was my plan and it was enough. But later, I started detecting and reporting more bugs with higher impact too and earned more from that.”
Dahal says people’s limited knowledge about bug bounty hunting has been a problem in Nepal. “The appreciation posts on the RONB are not the only kind of bounty hunting one can do. The platform is vast and internationally practised. But, the said posts are almost limited to Facebook bounty claims. Hence, people need to research more and make informed decisions.”
He further explains, “Almost half the posts have people who have claimed USD 500 as bounty. This is a good thing, of course. But, the amount is the lowest that Facebook has set. As Facebook has high stakes when it comes to privacy, it considers the smallest of errors too and awards those who report. So those who have claimed USD 500, maybe once or twice, from Facebook, I would say, are not necessarily ethical hackers or cybersecurity enthusiasts. Meaning, they do not have long-term careers in this field.”
Shah explains her bounty claim, “I was using Facebook Lite, where I logged in but chose the option to not save the password. But, I realised that the app was storing my password regardless of that. I reported this bug or error, and it got accepted.” However, Shah, who sees her career in the medical field, says she will continue to learn more about the field and keep reporting whatever she can.
Baniya adds that there have been cases of false acceptance from Facebook, and for him, this factor further weakens the genuineness of appreciation for the reported bugs.
Need for accountability
Shedding light on one more aspect of this trend, Dahal and Baniya say there is a need for pages, news media and even individuals to be accountable and responsible.
Dahal says, “In these recent times, there have been a few fake cases. People have doctored the screenshots and claimed to have been awarded, simply to be featured on popular media platforms. Whereas there have been some errors of judgment from their sides as well, social media pages, as well as media outlets, were seen reposting the said bounty claims from individuals, without any fact-checking.”
“Responsibly, they have removed their posts, once they realised the previous claims were fake. But, there needs to be more accountability from popular media platforms, and prioritisation regarding who to feature and for what reasons,” he adds.
On this, RONB founder and admin Victor Paudel admits the error. “We started posting appreciation posts when people in our own circle reported many incidents of people claiming bug bounties. Some were genuine and we believed them. Our motive was to only appreciate the time and effort it takes for the feats. But, errors occurred when we failed to check those who made repeated claims.”
Promising to rectify the mistake, Paudel says they have already reduced the frequency of such posts, despite the steady stream of requests they still get from their followers. “We are asking for solid proof of evidence, cross-checking them dedicatedly, and consulting other cybersecurity professionals from the circle to not repeat the same mistakes.”
Paudel, who is an IT student, also admits there is a general lack of awareness regarding what bug bounty hunting is. “Many young people get a reality-check when they get into the field solely thinking it is easy money. It has huge potential, but one has to realise it comes with a mixed bag of realities.”
Great possibilities for Nepal
Nepal is only now starting to make some efforts regarding cybersecurity. Several hacking incidents over the past decade have exposed how weak and negligent the country has been regarding its security arrangements. And, given this weak defensive posture, stakeholders have agreed on multiple occasions that Nepal is an easy target for hackers worldwide. Dahal and Baniya agree that bug bounty hunters can be just the defensive force the country has been lacking.
“It is an international practice where big companies set bounties, even on their official websites, for hackers worldwide to try and exploit their vulnerabilities and ethically report back to them. They handsomely award them. And, this becomes a win-win situation for both parties,” Baniya says.
Dahal adds, “Bug bounty gives cybersecurity students and enthusiasts a real-time learning platform where they can hone their skills, learn about vulnerabilities, practise ethical hacking and build their profiles.”
At the same time, he says, “Nepali companies that lack the resources to appoint an in-house cybersecurity team can benefit a lot as well. When a company puts up bug bounties or has a hall of fame or appreciation system [like Facebook, Google], they get 24×7 surveillance for their websites, almost free of cost. Cybersecurity enthusiasts, worldwide, will actively test and point out security lapses in their systems, preventing them from suffering any future losses.”
However, Nepali companies are yet to realise this huge potential. There have been only a couple of instances where Nepal-based companies have rewarded people for reporting bugs, and some are encouraging such reports too. But at other times, the companies have been known to ignore them.
“It is already public information that in the recent cases of the Vianet and Foodmandu data dumps, the independent hackers first informed the owners regarding the errors, but when the latter failed to respond to their reports, in vengeance, the hackers dumped the data to teach them a lesson. And, this compromised not just their brand image, but also user data,” explains Baniya, stressing it could have been avoided.