
Meet the bughunters: the hackers in India protecting your data - cichli
http://www.theguardian.com/world/2016/apr/02/meet-the-bughunters-the-hackers-in-india-protecting-your-facebook-profile
======
debarshri
I think the Guardian didn't do their homework right. Apparently Rahul Tyagi, just
like Ankit Fadia, is considered to be a con artist.

[https://news.ycombinator.com/item?id=4316574](https://news.ycombinator.com/item?id=4316574)

------
OJFord
> rupee millionaire

I don't wish to put down Mr Prakash's achievements, but is that actually a
celebrated figure in India - or at ~£10.6k is the word 'millionaire' just
sensationalism for our benefit?

~~~
zhte415
~£10.6k is an OK figure in India, but depends where you are and what you do.

In an international company, doing UAT type testing and investigation, it
would be about average for an assistant manager, but the variance is vast,
even between people sitting next to each other.

If that figure is per month, then he's really doing well, pulling in the same
as an SVP in an international company managing a team doing a similar role.

~~~
OJFord
Right, he's doing well but it seems odd to say to a predominantly British
audience that he's a "multi-millionaire [in rupees]", when actually the
implication of that is 'hugely successful, doesn't need to work', rather than
'successfully self-employed/running his own business'.

Congratulations and all the best to him, of course, I just think it's a
misleadingly sensationalised subtitle.

------
nxzero
Amazing that all publicly traded companies are not by law required to have bug
bounties.

Same goes for any major open source project too.

~~~
hntuesday
Nobody should have to offer bounties. Researchers should not expect to get
paid for their unsolicited work.

We probably agree that vulnerability reports should be seen as a positive
thing. What software owners should have are policies and procedures for
transparently handling vulnerability disclosures. At most, I think having some
flexible process should be required as part of a certification (PCI, etc.).

I do think that knowledge of a vulnerability and lack of action to fix it in a
reasonable amount of time, which results in a breach, should be treated more
seriously. At the same time, encouraging reports of breaches is hard as it is,
and introducing more punishment would make everyone want to just keep quiet or
be as ambiguous as possible. I'm not sure what a good solution to this would be.

~~~
cmdrfred
> Nobody should have to offer bounties. Researchers should not expect to get
> paid for their unsolicited work.

The Chinese and Russian exploit markets don't seem to care if the work was
solicited or not.

