Search This Blog

Showing posts with label Ethical Hacker. Show all posts

Hackers made $82 Million through Bug Bounties in 2019

Hacking as a profession has now become a viable option for the hackers out there. Yes, you've heard it right, ethical hackers have made more than $82 Million in Bug Bounties held at HackerOne. To top that, the ethical hacking community on HackerOne has now reached over 600,000, with around 850 new hackers joining every day. According to a '2020 Hacker Report' published by HackerOne, a Bug Bounty platform in San Francisco, around 18% of the members are full-time hackers, whose job is to find vulnerabilities and assure that internet becomes a safe place for everyone.

On the HackerOne platform, hackers from across the world, 170 countries to be accurate, which includes India too, are working every day to ensure the cybersecurity of 1700 organizations, which include Zomato and OnePlus also. The US tops the 2109 list in the earnings made by hackers through Bug Bounty with 19%, India comes second with 10%, Russia has 8%, China a 7%, Germany 5%, and at last Canada with 4%. These countries are the top 6 highest earning ones on the list.

According to Luke Tucker, who is the Senior Director of Global Hacker Community, Hackers are a global power working for a good cause to ensure the safety the connected society on the internet. The motivations for hacking may differ, but it is good to see that global organizations are embracing this new change and providing hackers a new platform to compete and grow as a community, making the internet a safe place for everyone, all together. Hackers from various countries earned a lot more than compared to what they did last year.

Hackers from Switzerland and Austria made more than 950% earnings than last year. Similarly, hackers belonging to Singapore, China, and other Asian countries made more than 250% compared to their earnings of 2018. Competitions like these Bug Bounty programs have helped Hackers land into respectful expert knowledge, as 80% of the hackers use this experience to explore a better career or jobs. According to the reports, these hackers spent over 20 hours every week to find vulnerabilities.

Demand for teen hackers rises

Shivam Subudhi is 15 and lives in London. Three years ago, he was so inspired by the movies he was watching that featured hackers, he coded a simple port scanner revealing network doors that might let a hacker enter uninvited. "I decided to put my skills into practice for the first time," Subudhi says, "by pentesting my school network and website." Penetration testing is also known as ethical hacking and involves probing networks, systems, and sites looking for security vulnerabilities that could be exploited by an attacker. It was this activity that, unsurprisingly, brought Subudhi to the attention of the deputy headteacher. That teacher was also an IT enthusiast and introduced the budding hacker to the Cyber Discovery program; a £20 million ($24 million) U.K. government-backed scheme to teach kids how to be cybersecurity superheroes. Could your kid be next?

Teenage hackers sought by government Cyber Discovery program

Back in 2017, the U.K. government issued a tender to run a £20m Cyber Schools Programme as part of the National Cyber Security Strategy 2016-2021 created to reduce the cyber skills gap by encouraging young people to pursue a career in the profession. The SANS Institute bid for this contract was successful, having run similar programs in the U.S. and able to demonstrate the success of using a "gamified" learning model.

"SANS is by far the largest and most trusted provider of cybersecurity training in the world," James Lyne, CTO at the SANS Institute says, "so we have a wealth of experience, training content and expert instructors." In the first year the Cyber Discovery program saw some 23,000 youngsters from the U.K. aged between 14 and 18 taking part in the initial assessment phase, and around 12,000 qualifying to participate in the primary learning phases, "CyberStart Game" and "CyberStart Essentials." The following year, 29,000 took part and 14,000 qualified. Registration for the third year of Cyber Discovery is now open and Lyne anticipates a significant increase in participation, not least as the entry age has now dropped to 13.

Hack an iPhone, win $ 1 million

Apple has massively increased the amount it’s offering hackers for finding vulnerabilities in iPhones and Macs, up to $1 million. It’s by far the highest bug bounty on offer from any major tech company.

That’s up from $200,000, and in the fall the program will be open to all researchers. Previously only those on the company’s invite-only bug bounty program were eligible to receive rewards.

As Forbes reported on Monday, Apple is also launching a Mac bug bounty, which was confirmed Thursday, but it's also extending it to watchOS and its Apple TV operating system. The announcements came in Las Vegas at the Black Hat conference, where Apple’s head of security engineering Ivan Krstić gave a talk on iOS and macOS security.

Forbes also revealed on Monday that Apple was to give bug bounty participants “developer devices”—iPhones that let hackers dive further into iOS. They can, for instance, pause the processor to look at what’s happening with data in memory. Krstić confirmed the iOS Security Research Device program would be by application only. It will arrive next year.

$1 million for an iPhone hack

The full $1 million will go to researchers who can find a hack of the kernel—the core of iOS—with zero clicks required by the iPhone owner. Another $500,000 will be given to those who can find a “network attack requiring no user interaction.” There’s also a 50% bonus for hackers who can find weaknesses in software before it's released.

Apple is increasing those rewards in the face of an increasingly profitable private market where hackers sell the same information to governments for vast sums.

As Maor Shwartz told Forbes, the cost of a single exploit (a program that uses vulnerabilities typically to take control of a computer or phone) can fetch as much as $1.5 millon. An exploit targeting WhatsApp where no clicks are required from the user, for instance, can be sold to a government agency for that much, though such tools are rare. Only one or two a year will be sold, from a pool of around 400 researchers who focus on such high-end hacking. “It’s really hard to research them and produce a working exploit,” he said.

XSS in Photobucket fixed

Recently a 15 year old tech blogger and security researcher named Indrajeet bhuyan found and helped fix a XSS vulnerability in Photobucket.

He had previously found vulnerabilities in Samsung, Disqus, NDTV, Jabong, IIT Bombay and many others. 

Editor's Note: It is good to see that such young hackers are acting responsibly and reporting vulnerabilities instead of simply defacing the site or using the vulnerabilities for malicious motives.I hope that Mr.Indrajeet bhuyan continues this.

Self Proclaimed Ethical Hacker Trishneet Arora website hacked by Team Cyber-Rog

Last night, Self Proclaimed Ethical Hacker Trishneet Arora official website( has breached and defaced by the hacker group called "Team Cyber-Rog ".

Trishneet is the author of a book "The Hacking Era". And claims himself to be awarded as India's best ethical hacker, Punjab's No.1 Cyber Crime Consultant and World's 2nd Youngest Author of Ethical Hacking Books.Trishneet has been known on the internet as founder of TAC Security Solutions, a cyber security company.

As far as Wikipedia is concerned they deleted his own made page ( 3 times in the past for the following reasons:

"12:29, 20 October 2012 Bwilkins (talk | contribs) deleted page Trishneet Arora (G4: Recreation of a page that was deleted per a deletion discussion (CSDH))
18:01, 18 October 2012 MBisanz (talk | contribs) deleted page Trishneet Arora (Wikipedia:Articles for deletion/Trishneet Arora)
13:13, 2 September 2012 Boing! said Zebedee (talk | contribs) deleted page Trishneet Arora (G11: Unambiguous advertising or promotion)"

After Numerous restore tries by him , the deface page is still up ,Exposing his true face.  Trishneet as claimed by hackers conducts so called ethical hacking workshops around the country.  A lot of people have informed us that this guy has absolute 0 knowledge in this field and yet goes around acting as a "professional it security expert". All his websites are under free hosting and last night another one of his domain was hacked .

"You have dissapointed us, we will continue to own and expose people like Trishneet . Learn to secure yourself before you teach others . Trishneet ,stop making fake account of girls and and conducting fake workshops for money/profit. We are watching you ,Expect Us!" the message from the Cyber-Rog team. "oh and good luck with your book sales now :P"

The defaced page:

We come to know about this hack when a security researcher Vedachala reported a XSS security flaw in the Trishneet website.

The POC code provided by Vedachala for the Reflected XSS:';alert(String.fromCharCode(80,79,79,82,32,78,48,111,98,44,40,86,51,68,64,67,72,52,76,65,32,72,51,114,101,41,46,32,83,51,99,117,114,101,32,121,111,117,114,32,97,36,36,32,102,105,114,115,116,46,46))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(80,79,79,82,32,78,48,111,98,44,40,86,51,68,64,67,72,52,76,65,32,72,51,114,101,41,46,32,83,51,99,117,114,101,32,121,111,117,114,32,97,36,36,32,102,105,114,115,116,46,46))//";alert(String.fromCharCode(80,79,79,82,32,78,48,111,98,44,40,86,51,68,64,67,72,52,76,65,32,72,51,114,101,41,46,32,83,51,99,117,114,101,32,121,111,117,114,32,97,36,36,32,102,105,114,115,116,46,46))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(80,79,79,82,32,78,48,111,98,44,86,51,68,64,67,72,52,76,65,32,72,51,114,101,46,32,83,51,99,117,114,101,32,121,111,117,32,97,36,36,32,102,105,114,115,116,46,46))</SCRIPT>

*Note: This is guest post submitted by one of the Reader.

List of Bug Bounty program for PenTesters and Ethical Hackers

"The Best way to improve Network security is hiring hackers" Unfortunately, companies can't hire all best hackers.  So the companies has chosen another best way to improve their system security, "Bug Bounty Programs".

Bug Bounty program is the place where Security researchers and Ethical hackers love to find vulnerabilities in target website or app and get rewarded for their findings.

Here is the list of Bug bounty programs that offers reward for security researchers who find vulnerabilities.

If you find vulnerability in google , you will get reward as well as your name will be listed in the Google Hall of fame page.

Details about Vulnerability Reward Program:

Hall of fame:

The following table outlines the usual rewards for the anticipated classes of bugs:
Vulnerability type Other highly sensitive services [1] Normal Google applications Non-integrated acquisitions and other lower priority sites [2]
Remote code execution $20,000 $20,000 $20,000 $5,000
SQL injection or equivalent $10,000 $10,000 $10,000 $5,000
Significant authentication bypass or information leak $10,000 $5,000 $1,337 $500
Typical XSS $3,133.7 $1,337 $500 $100
XSRF, XSSI and other common web flaws $500 - $3,133.7
(depending on impact)
$500 - $1,337
(depending on impact)
$500 $100

Security Bug Bounty from facebook:
Minimum reward is $500 USD.
The reward will be increased for severe or creative bugs
Only 1 bounty per security bug will be awarded

Mozilla Bug Bounty program:

The Mozilla Security Bug Bounty Program is designed to encourage security research in Mozilla software and to reward those who help us create the safest Internet clients in existence.

The bounty for valid web applications or services related security bugs, the are giving a range starting at $500 (US) for high severity and, in some cases, may pay up to $3000 (US) for extraordinary or critical vulnerabilities. they will also include a Mozilla T-shirt.

Paypal Bug Bounty Program For Professional Researchers

Secunia Vulnerability Coordination Reward Program (SVCRP)
SVCRP – a reward program incentive offered by Secunia to researchers who have discovered a vulnerability and would like a third party to confirm their findings and handle the coordination process with the vendor on their behalf:

Etsy :
Will pay a minimum of $500 for qualifying vulnerabilities, subject to a few conditions and with qualification determined by the Etsy Security Team.

Barracuda Networks

Companies that mentions researcher name in the site but won't give bounties.

Adobe Systems Incorporated:
Details :
Security Acknowledgments :









37 Signals


Constant Contact

Engine Yard








Nokia Siemens Networks

Yandex Bug Bounty:

List of Ethical Hacker Conferences & computer security conferences

Security and Hacker conferences

The best way to learn new things and get into the InfoSec world is attending Security and Hacker Conferences.  You can meet lot of security Experts and Black Hat hackers.

Here is a list of International IT Security and Hacker conferences with a short description about the conference.

DEFCON Hacking Conference:

DEF CON, one of the worlds largest and longest running hacking conferences, celebrates it's 20th year with an energetic and appropriately themed compilation, entitled "XX". Founder and head of the conference Jeff Moss, also known as Dark Tangent, tasked DEF CON "goon" and Muti Music artist Great Scott with curating the talent filled track selections; acknowledging that music can be pure hacker fuel.

*EHN is official media partner of DefCon India

Black Hat hacker conference::

The Black Hat Briefings are a series of highly technical information security conferences that bring together thought leaders from all facets of the infosec world - from the corporate and government sectors to academic and even underground researchers. The environment is strictly vendor-neutral and focused on the sharing of practical insights and timely, actionable knowledge. Black Hat remains the best and biggest event of its kind, unique in its ability to define tomorrow's information security landscape.

Nullcon :

The nullcon conference is a unique platform for security companies/evangelists to showcase their research and technology. Nullcon hosts Prototype, Exhibition, Trainings, Free Workshops, null Job Fair at the conference. It is an integrated and structured platform which caters to the needs of IT Security industry at large in a comprehensive way.

*E Hacking News(EHN) is official media partner of Nullcon


ClubHack is a NOT-FOR-PROFIT initiative to bring security awareness in common people who use computers and internet in their daily life. It’s a member driven open community to make cyber security a common sense. The phenomenal growth of the Internet economy has led to a sharp increase in computer crimes and hacking incidents. ClubHack aims at making technology users aware of the risks associated with cyber transactions as well as the security measures.

*E Hacking News(EHN) is official media partner of ClubHack

C0C0N :

c0c0n, previously known as Cyber Safe, is an annual event conducted as part of the International Information Security Day.

c0c0n is aimed at providing a platform to discuss, showcase, educate, understand and spread awareness on the latest trends in information, cyber and hi-tech crimes. It also aims to provide a hand-shaking platform for various corporate, government organizations including the various investigation agencies, academia, research organizations and other industry leaders and players for better co-ordination in making the cyber world a better and safe place to be. It will also serve as a platform to devise strategies to prevent cyber crimes against women.

X.25 Ethical Hacking Conference :

X.25 Ethical Hacking Conferences is performed every year in Mexico and one of the busiest in terms of computer security issues.

*E Hacking News(EHN) is official media partner of ClubHack


Intelligence-Sec is a fully integrated Conferences and Exhibitions Company managing and producing topical events for the security industry. All our global events are well researched and discussed with industry experts. Intelligence-Sec's main objective is to ensure that all attendees gain the best value for money when they participate in one of our events.

Hackers Halted

The Hacker Halted APAC event annually gathers around 500 individuals; this consists of everyone, from ethical hackers to key C-level executives from corporates, government bodies and solution seekers.

The event is aimed at providing the opportunity to CEOs, COOs, CIOs, CFOs, Senior IT Professionals and all other decision makers to assess the best practices in acquiring, implementing, managing and measuring information security.

OWASP AppSec Conference

OWASP AppSec conferences bring together industry, government, security researchers, and practitioners to discuss the state of the art in application security. This series was launched in the United States in 2004 and Europe in 2005. Global AppSec conferences are held annually in North America, Latin America, Europe, and Asia Pacific. Additionally, regional events are held in locations such as Brazil, China, India, Ireland, Israel, and Washington D.C. Presentations and videos are generally posted several months after each conference.


Infosecurity World is an annual exhibition and conference dedicated to Asia Pacific information security marketplace. The event showcases latest innovation, products and services from established to emerging brands.


ShmooCon is an annual east coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software and hardware solutions, and open discussions of critical infosec issues. The first day is a single track of speed talks called One Track Mind. The next two days bring three tracks: Build It, Belay It and Bring It On.


Asia’s largest network security conference held annually in Kuala Lumpur, Malaysia and more recently the Middle East.


Not quite sure what hacker cons are really about? Do you like building and creating stuff? Are you tired of infosec focused conferences? Do you want to have fun while actively learning about cool stuff and meeting awesome people? NOTACON is the conference for you! No degree in computer science, nor job in IT is required to have a great time at Notacon. In fact, we believe some of the best hacks occur in areas outside of technology altogether.


CONFidence is an annual IT security conference that will take place on 23-24th May, 2012 in Krakow, Poland for the 10th time! The best speakers, latest issues, laid-back atmosphere and Krakow crazy night life – that is why CONFidence has become a meeting point of hackers’ community in Europe.


BruCON is an annual security and hacker(*) conference providing two days of an interesting atmosphere for open discussions of critical infosec issues, privacy, information technology and its cultural/technical implications on society. Organized in Belgium, BruCON offers a high quality line up of speakers, security challenges and interesting workshops. BruCON is a conference by and for the security and hacker(*) community.


MALCON is a premier international technology security conference focusing exclusively on proactive malware research and analysis. MalCon is a part of Information Sharing and Analysis Center, in support with the Government of India.


AthCon is an annual, European two-day conference targeting particular areas of information security. It’s aim: to bring leading information security experts together. Attacking techniques of exploitation and various forms of penetration testing have become an important component of any organisation. This conference aims to provide a venue for understanding the ever evolving changes as well as new threats.

DerbyCon :

This is the place where security professionals from all over the world come to hang out. DerbyCon 3.0 will be held September 25-29th, 2013. DerbyCon 2012 pulled in over 1,100 people with an amazing speaker lineup and a family-like feel. We’ve listened to your feedback and plan on making this conference even better. Our goal is to keep it around the same size and maintain a close-knit conference where we all come together to learn and share ideas


Electronic Knock Out Party - Security Conference, is the annual computer security, for its unique features and its particular style, has become a benchmark for all of Latin America.


GrrCON is an information security and hacking conference being held in the Midwest. This conference was put together to provide the Midwest regional information security community with a venue to come together and share ideas, information, solutions, forge relationships, and most importantly engage with like minded people in a fun atmosphere. Whether you are a Fortune 500 executive, security researcher, security industry professional, student, or a hacker of “flexible” morals you will find something for you at GrrCON.

T2 Infosec conference

t2 was born at a time when there was a need for a conference that was “from hacker to hacker” when there was not one single independent, technically oriented, information security conference in Finland in existence.

The mission of t2 has remained the same from its commencement, to be an annual conference dedicated to those who are interested in the technical aspects of information security. t2 offers the opportunity to publish new research and ideas as well as networking, the latter an elemental part of its ideology.


DefCamp is a national initiative dedicated to developing the skills of the young passionate by computer security, by creating a stimulating offline environment which allows offline and online exchange of knowledge between underground security specialists, academic and corporate entities in Romania. DefCamp is focusing on presenting technical information related to the security and insecurity of both virtual and real environment.

The idea of DefCamp came out in March 2011, after some informal discussions between more computer security addicts from Romania, passionate about various INFOSEC topics

Root CON
ROOTCON is an annual Hacker Conference and Information Security gathering held in the Philippines and was founded by Dax Labrador a.k.a semprix.  The conferences aims to share best practices and technologies through talks by qualified speakers and demos of exciting stuff (hacks, tools, tips, disclosures, cyber warfare, cyber espionage, etc). ROOTCON is open to everyone and that previous participants have included InfoSec personnel, developers, programmers, engineers, hackers, businessmen, students, lawyers, feds, and the like.

ACSAC(Annual Computer Security Applications Conference):

ACSAC has a tradition of bringing together security professionals from academia, government and industry who are interested in applied security. It is an internationally recognized forum where practitioners, researchers, and developers in information system security meet to learn and to exchange practical ideas and experiences. Started in 1984, the conference has grown over the years to achieve worldwide attendance and recognition for the high quality of its presentations, discussions, and interactions.

Blue Hat Microsoft Hacker Conference:

An event that is intended to open communication between Microsoft engineers and hackers is called Blue Hat Microsoft Hacker Conference. The event has led to both mutual understanding as well as the occasional confrontation.


The DeepSec IDSC is an annual European two-day in-depth conference on computer, network, and application security.


CarolinaCon is an annual conference in North Carolina that is dedicated to sharing knowledge about technology, security and information rights. CarolinaCon also serves to enhance the local and international awareness of current technology related issues and developments. CarolinaCon also strives to mix in enough entertainment and side contests/challenges to make for a truly fun event.


GreHack is a non profit Security Conference (during day) and an Ethical Hacking Contest - aka CTF - (during night). is an open convention/conference where people can discuss about computer security, privacy, information technology and its cultural/technical implication on society.

The world's most advanced conference focusing on applied digital security, is about bringing the industry luminaries together in a relaxed environment which promotes collaboration and social networking

RSA Conference

RSA Conference is helping drive the information security agenda worldwide with annual industry events in the U.S., Europe and Asia.

SOURCE Conference:
SOURCE is a computer security conference in Boston, Seattle, and Barcelona that offers education in both the business and technical aspects of the security industry.

TROOPERS IT Security Conference:
Annual international IT Security event with workshops held in Heidelberg

The HackMiami Conference

The HackMiami Hackers Conference seeks to bring together the brightest minds within the information security industry and the digital underground.

If you think we have missed a great one, feel free to contact me with details .