Bug bounty hunting writes new income code for techies

The world of bug bounty hunting is where individuals hunt for security loopholes in websites, apps or even cars and report them responsibly. They often earn in thousands or lakhs as rewards.

THIRUVANANTHAPURAM: Young IT professionals and self-taught coders are finding an exciting way to earn money, by hacking. But not the illegal kind. These are ethical hackers and they are getting paid by some of the world’s biggest tech giants for it.

The world of bug bounty hunting is where individuals hunt for security loopholes in websites, apps or even cars and report them responsibly. They often earn in thousands or lakhs as rewards. Global companies like Google, Meta and Apple, and AI firms like Anthropic and OpenAI, run bug bounty programmes, many of them through platforms like HackerOne, Bugcrowd, and Mozilla’s Odin. For many, it is a thrilling side hustle. For some, it has become a full-time career. Take Mohammed Shine, a cybersecurity expert from Thiruvananthapuram, who now specialises in the automotive sector. He found a serious security flaw affecting the Honda City while examining a friend’s car.

“There was a server leak. If someone had the owner’s mobile number, they could get the OTP and control the car remotely,” Shine explained. He reported the issue. Shine, who is also the Kerala chapter lead of ASRG (Automotive Security Research Group), said this kind of reporting is part of what is known as responsible disclosure. That means there is no reward, but the information is shared for the safety of users as a public service.

He has earned recognition too. Vulnerabilities he reported to Toyota and Maruti have been assigned CVE (Common Vulnerabilities and Exposures) IDs, including a critical bug that gave unauthorised root shell access, the highest level of control over a vehicle’s on-board computer. “I used to do bug bounty full-time. Now I focus on the automotive domain,” he said.

Bug bounty is not limited to websites and apps anymore. A new frontier is AI security, making sure AI systems don’t go rogue. Vishnuraj, from Mattannur, is on the frontlines of this. He works in Berlin with Schwarz Corporate Solutions as an AI red teamer, a role where experts try to break AI systems to expose vulnerabilities before malicious hackers do.

His work has helped identify 10 security flaws in systems like Anthropic’s Claude, Google’s Bard, OpenAI’s ChatGPT, and Gemini. Through this, he has earned over 12,000 Euros.

“I use Odin, a Mozilla-run bug bounty platform made just for AI systems,” said Vishnuraj. “An AI programme should not be biased. It shouldn’t hallucinate or make things up, especially in sensitive areas like medicine. There have been instances of AI deleting entire databases of a company without any command. This can happen in the future if not fixed.”

One of the biggest issues he found was that ChatGPT’s large language model (LLM) could be tricked into helping with harmful tasks. “It wouldn’t directly tell you how to make a bomb, but with carefully worded questions, you could get the information. I reported it, it was fixed, and I was rewarded,” Vishnuraj explained.

Jineesh A K, originally from Malappuram and now a principal consultant at Mercedes-Benz R&D India in Bengaluru, has made his mark on HackerOne. So far, he has found 53 vulnerabilities and received 30 acknowledgments from the companies involved.

One of his findings, made while testing a web application, was the kind of bug that can bring down entire systems if misused. “I uncovered a serious Remote Code Execution (RCE) flaw. By chaining directory traversal with a sneaky CSV parsing trick, I could overwrite a critical file and run any code on the server,” said Jineesh.
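The article does not name the application or say exactly how the CSV trick worked, so the following is an added illustration, not Jineesh’s finding or any vendor’s code. It assumes a hypothetical import feature that writes each CSV row to a file named by the row: a quoted field hides the traversal path from a hand-rolled filter, the real CSV parser reconstructs it, and an unvalidated path join lets the row overwrite a configuration file outside the upload directory (on a server that loads such a file, that is the step from file overwrite to code execution). The hardened version rejects anything that is not a bare filename and re-checks the resolved path before writing. The file layout and CSV are constructed for the demonstration.

```python
import csv
import io
import tempfile
from pathlib import Path

# Constructed upload: column "name" is the file to create under the upload
# directory. The second row wraps a traversal path in CSV quotes so that a
# naive split(',') sees a field starting with '"' rather than '..'.
EVIL_CSV = (
    "name,content\n"
    "notes.txt,hello\n"
    "\"../../app/config.py\",SECRET = 'attacker'\n"
)


def naive_blocklist_passes(csv_text: str) -> bool:
    """Hand-rolled filter that splits lines on commas and rejects names
    starting with '..'. The quoted field begins with '"', so it passes."""
    for line in csv_text.splitlines()[1:]:
        raw_name = line.split(",")[0]
        if raw_name.startswith(".."):
            return False
    return True


def vulnerable_import(csv_text: str, upload_dir: Path) -> list[Path]:
    """Writes every row to upload_dir/name with no validation of name.
    The csv module correctly unquotes '../../app/config.py', and the '..'
    segments are honoured by the filesystem, so the write lands outside
    upload_dir."""
    written = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        target = upload_dir / row["name"]       # traversal happens here
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(row["content"])
        written.append(target.resolve())
    return written


def safe_import(csv_text: str, upload_dir: Path) -> list[Path]:
    """Validates every row before writing anything: the name must be a bare
    filename (no separators, no '.' or '..'), and the resolved target must
    sit directly inside the resolved upload root."""
    base = upload_dir.resolve()
    planned = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["name"]
        if name in ("", ".", "..") or name != Path(name).name:
            raise ValueError(f"rejected filename: {name!r}")
        candidate = (base / name).resolve()
        if candidate.parent != base:
            raise ValueError(f"path escapes upload root: {candidate}")
        planned.append((candidate, row["content"]))
    for candidate, content in planned:
        candidate.write_text(content)
    return [candidate for candidate, _ in planned]


def demo() -> dict:
    """Runs both importers against the constructed layout and reports what
    happened to the hypothetical app/config.py."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        config = root / "app" / "config.py"
        config.parent.mkdir()
        config.write_text("SECRET = 'original'\n")
        uploads = root / "var" / "uploads"
        uploads.mkdir(parents=True)

        vulnerable_import(EVIL_CSV, uploads)
        after_vulnerable = config.read_text()

        config.write_text("SECRET = 'original'\n")
        try:
            safe_import(EVIL_CSV, uploads)
            rejected = False
        except ValueError:
            rejected = True

        return {
            "naive_filter_passes": naive_blocklist_passes(EVIL_CSV),
            "config_after_vulnerable": after_vulnerable,
            "rejected_by_safe": rejected,
            "config_after_safe": config.read_text(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of validating before writing is that a batch containing one bad row is rejected whole, rather than leaving the first rows on disk; and checking the resolved path against the resolved root catches symlinked upload directories that a purely lexical check on the name would not.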

Hemanth Joseph, a security engineer, says India still lags behind in data protection laws. But academic institutions are catching up. “Universities like KTU have included cybersecurity in their curriculum. Bug bounties can be a great way to learn and even land good jobs,” he said.

The New Indian Express
www.newindianexpress.com