“The bank suspected I was laundering money when I received the large cash sum through SWIFT Money Transfer,” says Pokharel. “It was only once I reached out to Facebook and they wrote a letter verifying the source of funds that I could claim the money.”
Inspired by Pokharel’s bounties, 24-year-old management student Prabha Basnet has also decided to become a bug hunter.
“Initially, I had many reports rejected, but then two bugs I reported were accepted together, and I earned $3,000,” she says. “This motivated me to report bugs in Instagram and Facebook stories clashing, and potentially revealing sensitive information about users.”
Aside from the monetary rewards, bug hunting has also changed the landscape of cybersecurity. Increased vigilance from a growing army of spotters means potential bugs causing privacy or security breaches can be caught before they cause major damage.
Nepal’s patchy cybersecurity, in which thousands of government sites often go down for hours, particularly benefits from this boom in external research. Private sites such as Foodmandu, Vianet and Prabhu Bank were also recently hacked. In response, some young Nepali bug hunters have developed a local bounty reward program to find breaches and fight hackers.
Bug hunting and ethical hacking can also be a firewall against ‘black hat’ illegal hacking. Earlier, hackers with malicious intent would steal, leak or sell data obtained via bugs, explains Pokharel.
“Black hat hackers would undermine the work of white hat researchers,” he says. “But with bug-hunting, even those who previously did black hat work have switched to just as lucrative legal white hat hacking.”
Bug-hunting has its natural downside. The monetary rewards mean it sometimes becomes a competitive cyber-stampede, placing considerable strain on the mental health of researchers. The desire to earn more pushes some bug-hunters to their limits, often with undesirable consequences.
Santosh Bhandari was an accomplished bug-hunter, featuring regularly on Facebook’s list of External Security Researchers and even finishing 15th out of 404 worldwide participants in a live hacking tournament organised by Google and Facebook.
However, he switched tracks and pursued other cybersecurity activities after suffering mental trauma from the competition and stress. He says: “Bug bounty and mental health are connected. You compile a bug report with so much of your effort and your time and wait so many days for a reply. If the report is accepted, it is all good, but if not, your hard work and time are completely wasted and that can disturb you.”
Prakash Pant from Chitwan has also featured on Facebook’s list, after finding three bugs at once on Facebook in February. Before that, however, he had more than 50 reports rejected as ‘duplicates’ or ‘informatives’.
Prabha Basnet also reports suffering anxiety after her painstakingly written reports were rejected in the past. She says, “I had 15-16 reports rejected when I started, pushing me to the verge of quitting.”
Bijay Limbu also warns that the competitive nature of bug-hunting may make youngsters money minded, and some are tempted to demand ransom for bugs they have uncovered. In any case, arbitrarily searching websites and apps for bugs without company invitation could spell legal trouble.
Translated by Kaustubh Dhital from the Nepali original in Himal Khabar.