Live bug hunting will return to Nullcon’s flagship event next week after the success of last year’s inaugural bug bounty competition.
The three-day contest, which takes place at Nullcon Goa between 22-24 September, will see 50 ethical hackers probe for vulnerabilities and bug chains in digital assets provided by the Indian multinational telecom Airtel and AI pioneer Fractal Analytics.
The bug hunters will pursue the highest possible leaderboard position and rewards up to a maximum of INR 1 million (approximately $12,000) – an increase on last year’s ceiling of INR 800,000 (about $9,600), when Airtel alone provided the targets.
The event also follows Nullcon Berlin’s first-ever live bug bounty in March 2023. German e-commerce giant Otto was able to remediate 57 bugs in some “extremely specialised” attack vectors following the two-day competition, co-organised with crowdsourced security platform YesWeHack.
Airtel, which provides broadband, mobile network and voice services in 23 countries, returns for a second successive annual live bug bounty after 30 bug hunters surfaced “several noteworthy vulnerabilities” in Airtel assets at Nullcon Goa 2022, according to Sushil Singh, deputy general manager at the company.
“Unlike traditional security testing methods conducted by in-house teams, bug bounties bring together a global community of skilled ethical hackers and security researchers,” says Singh.
“This diversity of talent can uncover vulnerabilities that might be missed otherwise. And this proactive approach can help us discover and address security weaknesses before they are exploited maliciously.”
Fractal, which provides AI-powered services to industries such as retail, healthcare and financial services, joins Airtel for this year’s competition. “Live bug bounties offer real-world testing, diverse expertise, rapid remediation and cost-effectiveness, and promote responsible disclosure, making them an essential addition to our security strategy,” says Krishan Kumar, information security manager at the company, which was founded in Mumbai in 2000 and now has offices in seven countries.
Those are the attractions for the participating companies – but what motivates the hunters, other than the obvious financial rewards?
“One aspect that truly stands out during these events is the opportunity for socialising, not only with fellow hackers but also with the participating vendors,” says Harsh Jaiswal, who has participated in numerous on-site and virtual hacking events.
“This social interaction can have significant career-related advantages,” he continues, citing a recent event where “the participating organization was actively seeking to expand its security team” and competitors could “connect directly with the recruiting team”.
Jaiswal says the events are also “an ideal environment for networking, knowledge sharing and skill development”, while “the competitive element adds an extra layer of excitement and motivation”.
‘Skills, creativity, dedication’
While any Nullcon attendee can apply to participate, Nullcon helps clients choose high calibre hunters with appropriate skills for the targets – and this selection process creates a diverse group typical of Nullcon generally.
“Their skills, creativity, and dedication to uncovering vulnerabilities have been exceptional,” says Airtel’s Singh. “It attracts participants from various backgrounds and regions. This diversity of perspectives has brought unique insights into our security landscape, helping us identify vulnerabilities we might have otherwise overlooked.”
Jaiswal cites a $50,000 bounty from Apple shared with fellow researcher Rahul Maini and $30,000 reward from PayPal from another collaboration as particularly notable achievements.
Another bug hunter, Mohan Sri Rama Krishna Pedhapati, is particularly proud of uncovering critical RCE vulnerabilities in prominent desktop Electron applications such as Discord, Slack and Microsoft Teams. “The impact of our findings was so significant that our research was selected for presentation at conferences like Black Hat/DEF CON USA in 2022,” says Pedhapati.
Jaiswal says that “bringing hackers and the engineering team together in the same physical or virtual space” enables “direct communication and potential collaboration on identifying and resolving security issues”.
Singh agrees: “Researchers and our security team have engaged in constructive discussions, sharing knowledge and best practices,” he says. “This synergy has been invaluable.”
Jaiswal also believes that “since live hacking events are typically invitation-only affairs, organisations can establish a higher degree of transparency with participating hackers. This transparency extends to sharing internal documentation, findings, and insights, which can lead to more effective findings and faster resolution.”
There are reputational benefits from holding live hacking competitions too. Hosting bug bounties “shows that we are open to external scrutiny and committed to addressing security concerns promptly,” says Singh. “This can enhance the trust and confidence of our customers and users.”
‘Wide range of scenarios’
But in what circumstances is a live bug bounty right for an organisation?
“Live bug bounty programs can be suitable for organisations in a wide range of scenarios, especially when they require continuous assessment, external perspectives and enhanced security in dynamic and evolving environments,” says Fractal’s Kumar. “However, it’s essential for organizations to carefully consider their specific goals, assets, and security needs when deciding to implement a bug bounty program.”
If an organisation does decide to hold a live bug bounty, then Kumar believes Nullcon is a great choice of platform. “Nullcon has a stellar reputation in the cybersecurity community,” he says. “Their extensive experience in organising security conferences, including live bug bounty programs, speaks to their expertise in this domain.”
Sponsorship of Nullcon Goa by the Google Play Security Reward Program only enhances its credibility further. “Google supports community-driven conferences and engages with the bug hunter community to learn from and collaborate with security researchers and promote transparency in the security industry as a whole,” says Tony Mendez, on behalf of the Android security team.