Introducing Bug Bounty HQ India

At the launch of Digital India Week, Prime Minister Narendra Modi stated, “I dream of a digital India where cyber security becomes an integral part of our national security. The world is so worried about cyber security. One click can change a lot of things.”



Introducing BugBountyHQ.IN, a separate, standalone, chained Bug Bounty Platform. BugBountyHQ.IN exists to aid Prime Minister Narendra Modi’s dream by helping to forge working partnerships between companies and the security researcher community. BugBountyHQ.IN is your new tool to assist in defending your digital assets and to ensure that you, your company and your brand do not become a victim of Section 43A via the IT Amendment Act 2008:




“Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, not exceeding five crore rupees, to the person so affected.” (Change vide ITAA 2008) This figure can be quite substantial when you multiply your database records against this number.




“reasonable security practices and procedures means security practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment” – A bug bounty is a perfect tool to measure your existing security practices and in-house procedures for handling vulnerability submissions. When compared to a traditional security audit, a bug bounty is a far more efficient and cost-effective tool. Why? A traditional audit is usually limited to a couple of researchers for X amount of time. Based on this, the skill sets available for the testing being performed are also limited to those of the consultants providing your audit. Regardless of the results at the end of the engagement, the invoice remains the same. A bug bounty brings literally hundreds of unique skill sets, and you are only paying for valid security issues. If no issues are discovered, you pay nothing.



Not every economy is the same, and in recognition of this, a new platform was specifically built for India. BugBountyHQ.COM works on the basis of a $50.00 minimum award, and BugBountyHQ.IN works on the basis of a minimum award of Rs500.



Why BugBountyHQ.IN - Two excellent reasons



India has the most successful bug hunter community. This is demonstrated through Facebook's own bug bounty program having paid over $3 million since 2011 to security researchers who report bugs on its website, with India topping the tally with the largest number of valid threats reported. India, which has over 112 million Facebook users, cornered an average reward of $1,343 (about Rs. 84,000). For 2015, “India contributed the largest number of valid bugs again this year at 196, with an average reward of $1,343,” Facebook said in a post.



There are 2.75 million developers in India, making it the second-largest country (after the U.S.) in that regard. It is also expected that the Indian developer population will soar by 90% to 5.2 million in the next three years. India has been home to many large outsourcing and custom development shops for a decade or more.



What Exactly Does “Chained Platform” Mean?



Consider a scenario. A security researcher is positioned in 9th place on a bug bounty platform, and a new bug bounty is offered by a company hosting their own program. The researcher decides to spend a week of their time looking for security vulnerabilities on this program. During this time, the researchers in 13th and 18th positions find some issues in programs being run on the platform. Their findings now move them into 6th and 7th, pushing the security researcher out of the top ten into 11th.



When you register on .COM, you are assigned a Unique User ID (UUID), which can be found within your profile settings. On Independent Platforms and .IN, UUIDs are not assigned. Instead, within your profile settings on those platforms, you can enter the UUID allocated to you from .COM. This UUID serves to track researcher awards, points and testimonials across independent platforms (which also includes .IN). All the points and awards allocated to a researcher on .IN or Independent Platforms are added to their .COM totals and announced through the RTU (Real Time Update). Using this method allows researchers to freely participate in other bounties and ensures all their efforts are reflected on a central leaderboard.



On BugBountyHQ.COM








On BugBountyHQ.IN





Points System on .IN platform



The points system works on the Indian Platform in the same way it does on BugBountyHQ.COM and maintains its own leaderboard. However, through the chained mechanism, financial award points are converted much like a currency to ensure the global leaderboard remains consistent and fair. Currently this is set at Rs1000 = 1 Point. All fractions remain in the database until they become a whole and are then sent across via your UUID to reflect on the Global Leaderboard on BugBountyHQ.COM.



Contact



If you're a company based within India, contact Bug Bounty HQ for more information about the various programs available and the benefits of running a bug bounty.