USD 3 mn: Money India’s Top 8 Super Bug Hunters brought Home in 2020

“No industry or profession has experienced an evolution quite like hacking. It started in the darkest underbelly of the internet, where hackers roamed the online world in search of vulnerabilities.” – HackerOne


According to Hacker Trends & Security in 2021, hacker activity has increased significantly in 2020 with a 57% increase in sign-ups on the HackerOne platform since March, as well as a 28% increase in reports submitted.


Whatever the outcome, Super Bug Hunters share a common goal: finding the highest impact valid bugs before a bad guy does.


We have compiled a list of eight Indian Super Bug Hunters who earned the highest bounty in 2020 and in early 2021. The objective is to give them proper recognition in our CISO and Sr. Security professional community.


DISCLAIMER: The ranking is based on the bounty earned. If you earned more than $5000 and your name is not listed there, please let us know we shall happily add your name to the DynamicCISO Super Bug Hunters list.


  1. Bhavuk Jain (@bhavukjain1) 


Finding: A zero-day in Sign in with Apple that affected third-party applications that were using it and didn’t implement their own additional security measures.  – Source: Bhavukjain.com


Bounty: $100,000



  1. Amol Baikar (@AmolBaikar) 


Finding: Facebook OAuth Framework Vulnerability, a flaw that could allow attackers to hijack the OAuth flow and steal the access tokens which they could use to take over user accounts. Source: Amolbaikar.com


Bounty: $55,000



  1. Harsh Jaiswal (@rootxharsh) & Rahul Maini (@iamnoooob)


Finding: Exposing a critical 0-day flaw in the Apple travel portal. Achieved remote code execution (RCE) by stringing together a string of vulnerabilities in order to exploit targeted domains. Source: https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md 


Bounty: $50,000


  1. Bipin Jitiya (@win3zz)


Finding: Blind SSRF and server sensitive information leakage would have allowed an attacker to learn the internal IP addresses of the network that could lead them to target systems in the internal network. Source: https://medium.com/@win3zz/how-i-made-31500-by-submitting-a-bug-to-facebook-d31bb046e204 


Bounty: $31,500


  1. Vinoth Kumar (@vinodsparrow) 


Finding: Due to an incorrect post message configuration, if someone is visiting an attacker-controlled website and clicks the “Login with Facebook” button, it would trigger XSS on the facebook.com domain on behalf of the logged-in user. This would have led to a 1-click account takeover. Source: https://vinothkumar.me/20000-facebook-dom-xss/ 


Bounty: $20,000


  1. Guhan Raja (@havocgwen)


Finding: Facebook Messenger iOS App Leaking Access Token Of Million Users to Third Party Site(GIF search engine). Source: https://medium.com/bugbountywriteup/how-i-found-the-facebook-messenger-leaking-access-token-of-million-users-8ee4b3f1e5e3 


Bounty: $16,125



  1. Lokesh Kumar (@lokeshdlk77)


Finding: A bug on Facebook that would allow attackers to remove any photo from Facebook by assigning it to your own series and removing the series. Source: https://lokeshdlk77.medium.com/delete-any-photos-in-facebook-832dbe81cdc4 


Bounty: $10,750


  1. Aseem Shrey (@AseemShrey)


Finding: Hard-coded NPM token in app.js that led to the access of private NPM registry. Source: https://medium.com/bugbountywriteup/one-token-to-leak-them-all-the-story-of-a-8000-npm-token-79b13af182a3 


Bounty: $8,000

Leave a Reply

Your email address will not be published. Required fields are marked *