Nepali youths take to hunting bugs online

Bugs have forever vexed humans. Even in the digital world, they exist everywhere—in mobile applications, on websites, and on internet platforms. All netizens have probably encountered some form of these ‘bugs’ at least once, even when randomly scrolling Facebook or Twitter. But many are unaware that reporting valid bugs to developers may lead them to a bounty!

A bug bounty program is an opportunity to earn money by exploring apps and websites and reporting any found bugs or vulnerabilities to the developers.

Many Nepali youths under the age of 25 have gotten these bounties from various companies, and they are being recognized at national and international levels. Saugat Pokharel, 22, from Kathmandu, who is currently studying physics at the Amrit Science Campus, received his first bounty of $2,000 from Facebook two years ago. He discovered a bug while messaging from his Facebook page “Students of Nepal,” reported it immediately, and was rewarded. At the time, Pokharel did not know he would get paid for just reporting a bug.

Saugat Pokharel

He now has tools and basic coding skills to help hone his hunting skills. “I have been rewarded by different companies, perhaps 16-17 times in all,” he says. So far, Pokharel’s single-highest bounty has been $13,000 that he got from Instagram for reporting exposed users’ date of birth and email address, jeopardizing their privacy.

Binit Ghimire, 20, a second-year Bachelor in Computer Engineering student from Chitwan, received his first bounty of $750 from Facebook in November 2018, just after around 3-4 months of starting bug hunting. By now, over 70 companies and organizations have thanked Ghimire for helping them secure their digital assets and systems through bug hunting. “In the process, I have earned over $10,000,” he says.

Binit Ghimire

Even teenagers are stepping into the field. Sudip Shah, 18, a grade 12 student from Pokhara who started hunting during the 2020 lockdowns, got a bounty of $500 on his first valid submission for a bug related to information disclosure. He had found an unusual error whereby users could see the names of the Facebook page’s admins, and reported it to Facebook Safety Center. “Before that, I had submitted over 50 reports to Facebook and over 30-40 reports to other bug bounty programs,” he says.

Shah was inspired by his first reward and started looking for security loopholes on different platforms. He even got into Facebook’s Hall of Fame (where Facebook lists and thanks people for a responsible disclosure) in August 2020. Shah has till date made around 10 valid submissions to Facebook alone.

Sudip Shah

Hacker to hunter

Ajay Gautam, 22, from Kupondole, Lalitpur, is a tech enthusiast who started wi-fi hacking from his childhood. When the news of bug bounty programs started circulating on social media, Gautam, who now has a Bachelor's degree in computing and is working at Nassec, a cybersecurity firm, felt it might be his cup of tea. He started in 2016.

Ajay Gautam

“I was number 23 on Facebook’s Hall of Fame 2020. Besides Facebook, I have also worked as a bug hunter for different private companies from Australia, Singapore, and other counties,” he says. Gautam has gotten the highest single bounty of $5,500 for tracking a vulnerability in Instagram messaging.

Prava Basnet, 24, a management student from Kathmandu, recently got $3,000 from Facebook for finding bugs in Facebook and Instagram. One bug made Instagram share stories with Facebook without the users’ consent. The next one she discovered was a bug related to linked accounts on Facebook and Instagram, which in turn increased chances of the accounts being hacked.

Prava Basnet

A post about Saugat Pokharel on the Facebook group 'Routine of Nepal Banda' caught her eye six months ago. Curious, she did a little Google research and found that such bugs could be reported even by someone without technical skills—and she could get better at it with practice. That was for her the start of a career.

A common misconception about bug bounty hunting is that it requires strong knowledge in coding and programming. Of course, that could be helpful, but it’s not a prerequisite. The level of skills you need depends on the type of bugs you are hunting, say those ApEx talked to. Most say they are into bug hunting as freelancers.  

Sometimes, companies launch hunting programs for registered hunters on platforms like Bugcrowd. When somebody reports a valid bug, the company issues a bounty. Facebook has its bug bounty program called the Whitehat where users can report security bugs. Twitter users can report possible vulnerability to its security team through HackerOne, a bug hunting platform.  Chances of finding bugs are high whenever a website or app launches new features. Not all the reports bug hunters send are valid though.

Nepali companies unaware

Though many Nepalis are into it, most Nepali companies still don’t have good bug bounty programs and thus Nepali hunters mostly report to international companies.

Even globally, bug hunting is a new concept, coming into practice in earnest only after the start of Bugcrowd in 2011, according to Pokharel. Bug hunting could be a serious career option for many if more Nepali companies offered such bounties.

For Ghimire, bug bounty hunting in Nepal is still in a primitive phase. One reason is that Nepali hunters mostly focus on Facebook and Instagram. Perhaps they are easier platforms to find bugs, Ghimire adds. “Nepali companies should also start giving bug bounties to help secure their systems,” he suggests.

According to Shah, many Nepali companies are unaware that they can control data leakage and discover other cyber vulnerabilities on their websites through a bug hunting program. Even when such programs are launched locally, payments are meagre. “They need to do more, even for their own sake,” Shah recommends.