Among the major impacts of the Covid-19 pandemic is job loss, globally. Sure enough, new job opportunities were hard to find. While people were looking for easier, faster ways to make money, those who had been busy and occupied in pre-pandemic life also found the time to learn new skills and explore the internet. And, like an answer to both demands, Nepali youth found a way out in bug bounty hunting. It has, however, raised the eyebrows of cybersecurity experts.
Niva Shah, a medical student at the Janaki Medical College, was usually pretty occupied with her reading and exams before the Covid-19 pandemic. However, she had ample time at her disposal when the second lockdown was imposed after the Covid-19 second wave in Nepal. “One day, my brother [Nikesh] started telling me about bug bounties. When he was explaining, the concept seemed very interesting to me,” Shah shares, “So in that spare time, as my exams were over by then, I started learning about bug bounties, surfed YouTube and learned how to report the bugs.” Some two-and-a-half months later, Shah bagged a bounty, earning USD 1,000 from Facebook within a week of reporting the bug.
Shah is among the many youths who were inspired to get into bug bounty hunting during the lockdown. In fact, the already growing tilt towards the lucrative reward system got a boost after Routine of Nepal Banda (RONB), a popular Facebook page among Nepalis, started posting frequent appreciation posts about such bounties.
The oldest public appreciation post on the page dates from October last year and is about Prava Basnet, who won USD 3,000 from Facebook and was described as the ‘first Nepali female’ to be listed on Facebook’s white hat thanks page (2020). To date, the RONB page has published 15 such public posts. Given the influence the page has on Nepali youth, such posts have encouraged many youngsters to try to earn easily, from the comfort of their homes.
While stakeholders still wish to see Nepali cyberspace thrive, security researchers and cybersecurity experts have expressed their disappointment at the blind, herd-like mentality that has been growing among the youth.
Why the objection?
“It is good news that the youth are inspired to be active in the field by the success stories posted online. But, what is not good is that they are getting into this field for monetary gain and not for ethical reasons,” expresses Nirmal Dahal, the head of security at Cryptogen Nepal, a cybersecurity company.
Rikesh Baniya, a cybersecurity enthusiast, also says that the youth, lacking knowledge about cybersecurity, are getting the wrong idea about what bug bounty hunting really is.
Dahal and Baniya both add that neither cybersecurity nor hacking is an easy job. But after seeing how frequently such appreciation posts appear on pages like RONB, people develop high expectations and think hacking and bug bounty hunting are easy feats.
Baniya explains, “It takes time for people to learn about bug bounty hunting. An individual needs about six months to learn well about bug bounty. However, during times like lockdown, when one has free time, one can even do it in about two to three months. But just based on the success stories, people expect the result almost instantaneously. On the contrary, when the results take time, when there are trials and errors, people start feeling depressed and they start doubting their own capabilities, inviting more trouble.”
Shah adds her experience here, saying, “I tried four times prior as well. But, Facebook responded to my claims as duplicate or non-applicable, etc. The one I claimed also required some back and forth with the Facebook team to confirm. That is a hassle for sure.”
Baniya himself started active bug bounty hunting in 2019 and is currently ranked fourth on Facebook’s 2021 thanks page. “My first bounty was 150 AUD. That happened after months of learning the whole process on the internet. My aim was to learn the ways, deepen my knowledge and earn some pocket money in the process,” he explains, “So at most, I used to claim about USD 50 to 100 on a monthly basis, that was my plan and it was enough. But later, I started detecting and reporting more bugs with higher impact too and earned more from that.”
Dahal says people’s limited knowledge about bug bounty hunting has been a problem in Nepal. “The appreciation posts on the RONB are not the only kind of bounty hunting one can do. The platform is vast and internationally practised. But, the said posts are almost limited to Facebook bounty claims. Hence, people need to research more and make informed decisions.”
He further explains, “Almost half the posts have people who have claimed USD 500 as bounty. This is a good thing, of course. But, the amount is the lowest that Facebook has set. As Facebook has high stakes when it comes to privacy, it considers the smallest of errors too and awards those who report. So those who have claimed USD 500, maybe once or twice, from Facebook, I would say, are not necessarily ethical hackers or cybersecurity enthusiasts. Meaning, they do not have long-term careers in this field.”
Shah explains her bounty claim, “I was using Facebook Lite, where I logged in but chose the option to not save the password. But, I realised that the app was storing my password regardless of that. I reported this bug or error, and it got accepted.” However, Shah, who sees her career in the medical field, expresses that she will continue to learn more about the field and continue reporting whatever she can.
Baniya adds that there have been cases of false acceptances from Facebook, and for him, this further weakens the genuineness of the appreciation given for reported bugs.
Need for accountability
Shedding light on one more aspect of this trend, Dahal and Baniya say that pages, news media and even individuals need to be accountable and responsible.
Dahal says, “In these recent times, there have been a few fake cases. People have doctored the screenshots and claimed to have been awarded, simply to be featured on popular media platforms. Whereas there have been some errors of judgment from their sides as well, social media pages, as well as media outlets, were seen reposting the said bounty claims from individuals, without any fact-checking.”
“Responsibly, they have removed their posts, once they realised the previous claims were fake. But, there needs to be more accountability from popular media platforms, and prioritisation regarding who to feature and for what reasons,” he adds.
On this, RONB founder and admin Victor Paudel admits the error. “We started posting appreciation posts when people in our own circle reported many incidents of people…
Read More: Bug bounty hunting is growing, but experts suggest caveats