India's Ethical Hackers Rewarded Abroad, Ignored at Home

An anonymous reader shares an article: Kanishk Sajnani did not receive so much as a thank you from a major Indian airline when he contacted them with alarming news -- he had hacked their website and could book flights anywhere in the world for free. It was a familiar tale for India's army of "ethical hackers," who earn millions protecting foreign corporations and global tech giants from cyber attacks but are largely ignored at home, their skills and altruism misunderstood or distrusted. India produces more ethical hackers -- those who break into computer networks to expose, rather than exploit, weaknesses -- than anywhere else in the world. The latest data from BugCrowd, a global hacking network, showed Indians raked in the most "bug bounties" -- rewards for red-flagging security loopholes. Facebook, which has long tapped hacker talent, paid more to Indian researchers in the first half of 2016 than any other researchers. Indians outnumbered all other bug hunters on HackerOne, another registry of around 100,000 hackers. One anonymous Indian hacker -- "Geekboy" -- has found more than 700 vulnerabilities for companies like Yahoo, Uber and Rockstar Games. Most are young "techies" -- software engineers swelling the ranks of India's $154-billion IT outsourcing sector whose skill set makes them uniquely gifted at cracking cyber systems.

Statistical fallacy

[SeattleLawGuy]

This is puzzling. One day we are told 95% of indian engineers cannot code, and the other day India has huge number of highly skilled hackers.

There is a Supreme Court Case where the court said traffic stops must be dangerous because a large number of police officers are injured every year while performing traffic stops. But the logic is bad. Without knowing how many total traffic stops there are you cannot really look at the risk of performing one.

Similarly, even if 95% of engineers cannot code, they can still have more good engineers if there are enough of them--or can have more decent engineers working on this particular set of problems.

It's also worth pointing out that (1) there are a lot of great Indian engineers who are not in India, (2) the 95% number you are pointing to was done by a company with an incentive to skew it one way, and (3) the people finding the bugs may not be a great match for the ideal job candidate but still have basic hacking skills.

Re:That is not what "ethical hacker" means

[XparXnoiaX]

ethical and illegal are two very different things. An ethical person will do illegal things, if they are the right thing (like Snowden. Super illegal). Don't let the illegality of it confuse you. What they are doing is dangerous, but finding mistakes and letting the world know is the ethical thing to do.

The unethical ones in this situation are the companies who released their code without a security review. Those managers didn't give the programmers (or QA) extra time in the sprint to test for security bugs.