Indian Bug Bounty (BB) researchers are professionals who are highly respected by foreign corporations and make good money. Hundreds of these young folks have high places in the Halls of Fame (HoF) set up by the who's who of global corporations like Microsoft, Google, Facebook, Twitter, etc. They are making money and getting recognition and gifts from all over the world.
And they are paying taxes on their income!
Unfortunately, hardly any Indian organization (government or private) is engaging well with any BB professionals. And the few companies which have BB programs pay out small change (it may be better not to pay any money and just have a HoF).
In any case, since Indian organizations think that these BB guys cannot be trusted (or whatever), I decided to get these guys to share their point of view about the Government and Corporations. Read on for some free advice and a lot of common sense guidance!
BB Professional # 01
This is the first professional to respond, and as more responses are received, their voices will be added to this blog. The response has not been edited and is reproduced verbatim, and the individual is not identified for obvious reasons.
Q 1. What is your biggest hassle with Indian government?
- I’ve worked with a reputed police force IGP/IPS in India and I found them to be extremely slow. We required rapid decisions. But the issue was, all decisions were taken via a committee and not members were present all the time. As a result, we had to wait unbearably long to get approvals for simple things. Lesson we learned is, government works at the speed of tortoise and if you are dealing with them – start early and expect a lengthy process.
So, biggest hassle with government is slow response – if you’re lucky enough to even get one.
Q 2. What’s your biggest hassle with Indian companies?
- For business purposes, I contacted lot of companies in both India and China. This is specific to electronic manufacturing industry. And major difference I found was lack of proper communication. When I was working on badges for a conference, we had to outsource few processes to make it extra-ordinary. However, out of all manufacturing people I contacted, only 1 responded. Mind you, I contacted like 50 of them. And I even went onto call them and say “I’ve sent you email. Please check it and let me know if you …. let me know if you’ll be able to do it. Not a single response.
- Compare that to China, the moment I landed on Alibaba, I found Chinese extremely eager to contact me and lead the project. This was the primary reason I got into electronic manufacturing.
For conference founders, manufacturing badges was big pain – which we are trying to solve with our innovation and hard work.
Q3. Are Indian organizations having good security?
- NO.
- A big No. I’ve often found that companies underestimate importance of security – not just in India but worldwide.
And they don’t understand the importance until they’re victim of attack.
I’ve heard first hand stories of how management guys totally discarded the idea of security – calling it money making scheme and nothing serious.
Hence, I think India has long way to go to be secured.
Silver lining is we’ve lot of hacking talent. Indian bug bounty hunters are topping the list of Facebook and Google – and I am sure that if Indian companies allow similar bug disclosure policies, things will start to change.
====== updated 1430 hrs Dec 06, 2016 ======
BB Professional # 02
This is the second professional to respond, and as more responses are received, their voices will be added to this blog. The response has not been edited and is reproduced verbatim (with typos 🙂), and the individual is not identified for obvious reasons.
Q 1. What is your biggest hassle with Indian Companies?
- As u all know that Netherlands is running private bug bounty program that if you find any bug in .nl website then they will pay you bounty or reward for that but indian government doesn’t have any this kind of policies.
Q3. Are Indian organizations having good security?
- no, indian sites doesn’t have that good secure sites because their firewalls are not enough updated! Mostly sites are hosed in indian servers which are not secure enough and top of that they dont do wapt for their site.
=================================