“Talent hits a target no one else can hit; Genius hits a target no one else can see.” Arthur Schopenhauer’s quote fits Kanishk Sajnani, an Ahmedabad-based ethical hacker who hacks into Indian companies on a regular basis, only to help them by disclosing critical bugs before someone else exploits them.
Techie Scoops caught up with Kanishk for an exclusive chat. Here are edited excerpts from the conversation.
How did you get started with technology? What nurtured your first/early experiences with computers?
Kanishk: I was always interested in Tech products as a kid. If I had no idea how something worked, I would go for the old & gold ‘Trial & Error’ method. On the very first day of my college, I opened up my personal laptop to each little piece possible.
How did that then turn into an interest in hacking and looking for security vulnerabilities? You mentioned reading about hackers and rewards, so was it the challenge or the money?
Kanishk: None. It was actually the curiosity. I was excited to see how someone can have the upper hand on a very well developed application.
It seems like you go to great lengths and spend a lot of time to alert any company. How much effort should one put in before going public with the findings?
Kanishk: Ethical Hackers have a social responsibility to make people aware of vulnerabilities with a high impact. One can choose to go public if the company fails to provide patches, despite ample warnings & time provided. Hiding such problems can cause a feeling of false security.
Do you ever find it amusing that it’s easy to find the security issues but difficult to find contact information for a person to alert?
Kanishk: Yes. I find it amusing & surprising. Some senior official from the IT/Security team should always be approachable by the public.
Do you ever ask for bounties or rewards? Or do you wait for a company to offer them to you?
Kanishk: I never ask for that myself, although I always expect some gratitude (paid or otherwise).
For someone like you, who trained on your own, how easy is it for hackers to find vulnerabilities?
Kanishk: Once you understand how an exploit works, it’s pretty much simple.
You say that the only way Indian companies understand the importance of security right now is “through public humiliation.” What kind of process would make it easier for people who find vulnerabilities?
Kanishk: It would be a lot easier if companies have their own Bug Bounty Programmes or at least a Responsible disclosure policy. If such an administrative burden is not bearable, one can always turn to crowd-sourced vulnerability platforms.
What are your future plans? How do you plan on solving the aforementioned issues?
Kanishk: Right now, I’m doing some security research & upgrading my skills in the InfoSec domain. My upcoming blogs will hopefully make some positive impact on the Industry. Also, some market research for a potential product may be in the timeline.
Article By Saurabh Sharma