This post is my perspective on how IIT Guwahati became the first educational institute in India to start its own bug bounty program, what it actually means and why you should care about it. Be warned, though: you have to read until the end to make complete sense of it.
Where it all started
You need to know a little bit of my story to understand this post better. It all began in the summer of 2015, when I had finished the 2nd year of my B-Tech in CSE and was still on campus doing nothing in particular. One fine night, while I was in the department lab, I started fiddling with the website of the IIT Guwahati library. At around 3AM, I somehow got the password of the MySQL instance running on that server (the ‘how’ of it is a story for another post). Basically, I had root access to that database, to which I could connect remotely from anywhere on campus. I could do things like clear library dues, issue books etc. If I wanted to, I could even delete the entire database (they have regular backups, btw).
Initially, although I was thrilled, thinking about the possible consequences of the whole thing was scary. I didn’t know if I would be believed when I said, “I was just curious, damaging something was never my intention”. Suddenly questions like “What if they take some severe action against me?” started popping up in my head. I was afraid, but at the same time I wanted to report the vulnerability, as it could be exploited and misused by anybody else. The next day I went to the network administrators of the Computer Science department. They are super chill, friendly and hard working people. I explained the scenario and asked them to somehow get me out of this mess. They were kind enough to report it to the concerned authorities without even bringing up my name. This was the beginning of everything.
The Back Story
In the summer of 2016, I was in college again, this time doing an internship in the IITG Students Web Committee (SWC). I was working on a couple of portals and got a chance to interact with the webmaster for the first time. We were working together on deploying the project and I brought up hacking. I asked him if students could report the security vulnerabilities they found. After a long discussion, he said yes. I then told him about an LFI (Local File Inclusion) vulnerability I had found in the IIT Guwahati website. He fixed it within 10 minutes and thanked me.
Five months after I started hacking, I started doing bug bounties. I was in the Microsoft Hall of Fame three times after reporting around 6 vulnerabilities. This was actually helpful in proving my credibility. Since the folks at the computer centre were now comfortable with me reporting vulnerabilities, I reported a few more that year. Before I continue the story, let me answer one question which many people have. (I will try to be as non-technical as possible while answering.)
What is a bug bounty program?
So there are black hat hackers (bad guys) and white hat hackers (ethical hackers — who hack for good). If a company or institute implements something like a bug bounty program, it means that it is giving white hat hackers permission to try and hack its systems and report any security loopholes. Now comes the bounty part. To thank these white hat hackers, the companies, in return, offer different kinds of bounty like money, Hall of Fame, swag etc.
My personal motivation
In January 2016, India’s Prime Minister Narendra Modi visited our campus for the inauguration of IIIT Guwahati. One of the points he talked about while addressing the students was the importance of cyber security and how he wanted the Indian talent working in this field to be at the top.
As I’d started exploring the field of information security, I had already made many good friends in the hacking community, many of them from India. Based on my personal experience, everything he said that day made a lot of sense. By the time he was done, though, I was left with some questions.
- Why isn’t the Indian government using these talented Indian hackers?
- Even if they report something, how supportive is the government?
- How do the Cyber Security related laws work? When were they last updated?
Indian hackers are indeed helping major corporations and billion dollar companies by reporting critical security vulnerabilities in their applications. Here is a 2016 report by Facebook which states that India is the top country with respect to the number of bounties given.
Here is a 2016 report by HackerOne (a top bug bounty platform) which says:
All this and a lot of other evidence suggest that India already has good quality hackers. But are we using them?
After a lot of deliberation, I concluded that things were in the state they were because nobody took the initiative to make them better. Or even if they did at some point in time, they must have eventually gotten fed up or been bullied by the system into giving up. In order to change the current scenario, I had to start somewhere. IIT Guwahati was the obvious choice. During this whole time I was in constant touch with the Computer Centre employees, and I was sure that I could at least make a case, based on many examples from the past, to convince them to start a bug bounty program.
Initially, they were reluctant, probably because this was a new idea; but some of the things which supported my argument were MIT starting its own bug bounty program, me reporting vulnerabilities in a responsible way, some of the other IIT websites and some Indian government websites getting hacked around the same time, etc. After a few more months of convincing them and discussing the pros and cons, they finally agreed to start a bug bounty program. On April 27, 2017 the IITG community got this mail.
At that point it was not even named a Bug Bounty Program. They set up a mail address, email@example.com, where anyone could report security vulnerabilities. It was huge progress.
Where we are now
On 30 June, 2017 IIT Guwahati launched its bug bounty program.
That was easily one of the proudest and happiest moments of my life. This was my contribution to my college and, indirectly, to India. This meant that the initial phase of the plan which I had dreamed of was not a concept anymore, but very much real. Link to the website: IITGBugBounty
In just 48 hours after the program was released, we got 7 vulnerabilities, 3 of them high priority. As of today (16th July 2017) the number of reports is around 10, including one very critical vulnerability, an RCE (Remote Code Execution). So in 15 days we got some really good security vulnerability reports.
According to the rules, the program is currently open to the IITG community, but anybody can report a security vulnerability. Coming to the bounty part, the CC agreed to list the name of anyone who submits a valid report in a Hall of Fame.
For now, only IITG community people can be included in the Hall of Fame. You might think that outsiders would have no incentive to report, right? But we did actually get some reports in which Indian hackers congratulated us for starting a bug bounty program, mentioning that they were not expecting anything in return and were just happy to help India in any way possible. We were surprised to find so much interest from people outside the campus that they were responsible for a majority of the reported vulnerabilities. The computer centre folks were really excited about the prospect of expanding the scheme to include people from beyond the IIT-G community. How awesome is that!!
I do agree that all the people who are submitting good vulnerability reports should be acknowledged. Since this program has already been a tremendous success, the computer centre folks are thinking about changing the rules, like making it open for all and giving some actual bounty. I’m not sure what the status is as of now, but we can hope for some cool limited edition swag or monetary rewards.
How big is this? What are its implications?
I personally think this is a really big deal because a couple of years back, the very idea that an IIT would start its own bug bounty program was laughable. Although this is still true for other IITs, IIT Guwahati has set a standard. The initiative taken by us would surely act as a proof of concept for other IITs, government institutions and other government organisations. In the PM’s speech mentioned above, he talks about hackers stealing research. That is a valid point which justifies having something like a bug bounty program, since so much awesome research is being done in these institutions. Similarly, the National Critical Information Infrastructure Protection Centre (NCIIPC) should also make use of Indian talent to protect India in the cyber security domain. Though we have CERT-In, where you can report security vulnerabilities in Indian government websites, it hasn’t yet been popularised and the process itself is very tedious.
With this program, I hope more students start exploring the information security field while they are in college. I know many fellow students who are interested in this field but are terrified of the consequences if people misinterpret their intentions. A bug bounty program creates a way for them to start exploring without that fear.
If within the next 2 years even a single Indian government organisation starts some kind of responsible disclosure model, it would mean that my hard work paid off and my initial plan is a success. Now, all I can do is make sure that people understand the importance of this program and that the concept somehow reaches other IITs, so that they can at least start thinking along similar lines.
There is a ton more stuff I wanted to add to this blog, but it would take too much space. I will write about it in detail next time, maybe.
Thank you for reading. Suggestions and feedback are welcome. You can reach me at firstname.lastname@example.org or email@example.com