If you catch the attention of the right people, you can make even the biggest companies change their policies.
In 2017, Zomato had been hacked, and details of 17 million users had been made available online. It had then emerged that the hack had been the work of a single hacker, who went by the name of “nclay”. But his motivations for the hack were unusual — instead of holding Zomato to ransom for millions, he simply wanted Zomato to introduce a bug-bounty program. “The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers,” Zomato had then said.
It turns out that Zomato did indeed put this system in place — and lots of other ethical hackers have benefited as a result.
Zomato has paid more than $100,000 (Rs. 70 lakh) to 435 hackers for finding and fixing bugs on its platform. HackerOne, which runs Zomato’s bug bounty program, said that Zomato had successfully resolved 775 vulnerabilities on its platform since instituting its program. Zomato pays $2,000 to security researchers for discovering critical bugs, $700 for bugs with high-severity impact, $300 for medium-impact bugs and $150 for low-impact vulnerabilities.
Zomato’s bug bounty program is a departure from its previous policy, when it didn’t compensate ethical hackers who pointed out bugs in its service. Until 2016, Zomato only awarded a certificate of appreciation to hackers for their efforts. “We do not currently have a monetary bug bounty programme, but any report that results in a change will at minimum receive Hall of Fame recognition. We would also be more than happy to provide a certificate of acknowledgement,” Zomato’s entry at HackerOne had said in February 2016.
That seems to have changed now, and Zomato has joined the ranks of tech companies that pay ethical hackers that discover bugs on their platforms. Major tech firms such as Google, Facebook and Uber all have lucrative bug bounty programs. Several Indian researchers have made good by pointing out bugs on these platforms — in 2016, a Flipkart employee had been paid $15,000 (Rs. 10 lakh) after he’d discovered a bug on its platform, as had an engineering student from Kerala. Figuring out bugs in the code of tech giants is something Indians seem to particularly excel at — India is the number one bug hunting nation in the world, accounting for 43 percent of all bug reports and receiving 35 percent of all bug bounties. And Zomato, with its bug bounty program, is making sure that Indian tech companies too adequately reward hackers who, instead of exploiting the vulnerabilities on its platform, choose to disclose them.