Hacking: What was once a phenomenon confined to North America has now become a global trend. In Asia Pacific, the number of hacker-powered security programs has grown by 30% year on year. Hackers in the US earned 19% of all bounties last year, with India (10%), Russia (6%), Canada (5%) and Germany (4%) rounding out the top 5 highest-earning countries in 2018.
India? Yes India. In fact, HackerOne’s Hacker-Powered Security Report 2019 shows that US$2,336,024 of the bounties awarded in 2018 flowed to the ethical hacker community in India.
Now, you may wonder - Who are all these hackers?!
Meet Shivam Vashist, hacker with HackerOne. Based in India, Shivam, better known by his handle @Bull, is a full-time hacker. Shivam quit the traditional route of going to college and getting a desktop job and opted to pursue hacking as a full-time career. Over the past few years, he taught his brother the ropes of hacking, helped his dad retire, and took his family travelling around the world!
We sat down with Shivam today to find out more about why he does what he does, and his opinion on the cybersecurity landscape in India.
Hey Shivam! Firstly, can you tell us a little about yourself?
My name is Shivam Vashisht (aka by hacker handle bull https://twitter.com/v0sx9b ) or you can find me on HackerOne’s page at https://hackerone.com/bull. I am 23 years old, and I was doing Mining Engineering before I switched to ethical hacking full time for a living.
What age did you start hacking?
I started learning more about computers and the ethical hacking world when I was about 19 years old.
Was your family supportive?
They were worried in the beginning. However, they came to understand what I was doing over time, and know that an ethical hacker is completely legal, and a viable career. Since then, they have been very supportive.
What made you decide to become a full-time hacker?
Well, it was a lot more exciting for me to do this than the traditional route of going to college and getting a job. With ethical hacking, I can get paid for my efforts and push my potential, it is more rewarding than a traditional job in my opinion. Being an ethical hacker is perfect for me, as I can work whenever I want,, and from wherever I want. There is a lot of flexibility. Through hacking, I am able to learn a lot more as I move along. And, I can get paid pretty well.
What are some of the pros and cons of being a full-time hacker?
Being a full-time hacker, I think the pros are the flexibility to work from anywhere in the world, and on your own schedule You are essentially your own boss, and there’s also the potential to make a ton of money. For the cons, I feel that earnings may not be consistent, there may be burnouts, and no social life.
How long (on average) do you spend your time hacking a day or per week?
On average, I am spending about 15 hours a week hacking. However, it varies from time to time, depending on my schedule. Some days, I might be working on something for days continuously, while at other times I may not be hacking for weeks.
What type of bugs do you like?
I like to find mostly server side bugs such as Server Side Request Forgery (SSRF), Remote Code Execution (RCE), SQL Injection (SQli), and failing cryptographic validations. I also like finding logical bugs, Cross-Origin Resource Sharing (CORS) / OAuth misconfigurations and chain simple client side bugs for more impact.
What bug are you most proud of?
There is a vulnerability I found in a robust application where users are given very fine, granular control. I started looking at these controls within the application to see if it can be misused in its default setting, which led to my discovery of a ton of user data being leaked. This particular vulnerability also enabled the ability to get control of other users’ accounts.
I’ve written about some of the vulnerabilities I have found here.
At what age did you earn your first bug bounty? How did it feel?
I earned my first bounty at 20 years old from InstaCart and then MasterCard. It was an incredible feeling, I couldn’t believe I did it! The rush it gave me left me sleepless for days!
What motivates you?
Hacking gives me a high when I am able to think of creative ways to tackle the challenges and discover vulnerabilities that no one has yet found. The feeling when I successfully find a bug makes me feel alive and excited! Hacking is the perfect fit for me, and of course the bounty rewards I get from disclosing valid vulnerabilities are big motivations as well, although not the biggest.
Are there any hackers that you look up to?
Yes definitely! There are so many great hackers out there, but some of them really blow my mind by their creativity and out-of-the-box ways to discover vulnerabilities. Some of these people include @intidc (https://twitter.com/securinti), @filedescriptor (https://twitter.com/filedescriptor), @orange (https://twitter.com/orange_8361), @jobert (https://twitter.com/jobertabma), @albinowax ( https://twitter.com/albinowax ), @andre ( https://twitter.com/0xacb) just to name a few!
What do you think of bug bounty programs? Should all companies have it?
A bug bounty program is one of the best ways to do security. The sheer reach of the talent pool of hackers from all over the world is so powerful, and that’s what makes bug bounty programs successful. I feel that every company should consider having a bug bounty program in place.
What is your opinion on the cybersecurity landscape in India?
India is getting more digitized by the day, but I believe that computer security does not get nearly enough attention as it should, and there are probably a lot of vulnerabilities in our systems that are left unchecked. More cybersecurity awareness is needed. More education about security solutions and reaching out to the community of ethical hackers might be one of the ways to help.
Do you think hacker-powered security (aka bug bounty programs) is a widely accepted concept in India?
I don’t think it is a widely accepted concept in India yet. I think there are only a few companies in India that have a bug bounty program right now. However, I do foresee that the adoption rate will rise in the coming years.
What advice would you give to aspiring ethical hackers?
Read a lot! Follow other fellow hackers to see how they are finding bugs, keep trying and going for impactful bugs, as it will also give you a chance to practice and hone your skills.