Indian institutes pay heed when foreigners point out flaws while ignoring our researchers
Bengaluru: Indian ethical hackers are reaching out to Baptiste Robert, a French cyber researcher, to alert firms to flaws in their online assets, as they fear that local laws do not give them protection for calling out such vulnerabilities.
Organisations such as Bharat Sanchar Nigam (BSNL), India Post and the Indian Space Research Organisation (Isro) fixed flaws in their online assets only after Baptiste Robert flagged them. Ironically, Indian security researchers had alerted these organisations several months earlier to the same gaps, which were exposing sensitive data online.
In Isro’s case, the flaw gave access to one of the computers in its satellite-tracking unit; in BSNL’s case, to employee data on its intranet; and at India Post, to employees’ bank details. These organisations acted on Robert’s tweets pointing to the flaws, which had gone unattended when local researchers flagged them.
“In most cases Indian organisations ignore our mails. Sometimes they quietly patch the flaw that is reported without any acknowledgement,” said Sai Krishna Kothapalli, a security researcher who, 25 months ago, reported flaws in BSNL’s intranet system that allowed access to the official records of close to 47,000 staff.
Currently, India lacks laws that protect researchers who expose security flaws. “The IT act makes it quite clear that anyone who gains unauthorised access to a computer resource is guilty or liable. The crime is defined in the context of unauthorised access,” said Rahul Matthan, Partner at Trilegal, and an attorney who specialises in technology law.
Matthan, who has been assisting the government in preparing the country’s privacy law, said that, in order to expose security vulnerabilities, people often need to gain unauthorised access in the first place.
“To be honest, all researchers are scared before reporting any flaws as there could be legal implications,” Kothapalli added.
Last year, another security researcher reported a loophole in a state government wallet that gave hackers access to thousands of user accounts and let them siphon off money. It was patched after the report.
“After the flaws are fixed one can make it public. I did the same, but received warning calls from private contractors of the project not to blog about it,” said the researcher who did not want to be named.
Till India creates an enabling law to protect such researchers, experts say that the country and its organisations could build an incentive programme for ethical hackers to report vulnerabilities and get them fixed before they cause economic damage.
“Carefully thought out bug bounties and halls of fame are definitely the need of the hour. However, they have to be devised in a proper framework to give due respect and appreciation to security researchers,” said Burgees Cooper, Partner, Information and Cyber Security, Ernst & Young.
Interestingly, Indians are not bad at spotting bugs but are just wary. Indian hackers have topped bug bounty charts of Facebook, Uber, Google and others.
“The biggest groups (of ethical hackers are) coming from India and the United States,” said a report published by HackerOne.
The mechanism of reporting security flaws has not evolved yet in India. “There are people in India who are ready to report but they fear reporting. There is also a possibility they could be tipping off Baptiste (Robert),” Kothapalli said.