Those identifying vulnerabilities, bugs or code improvement in govt’s contact-tracing app Aarogya Setu now stand to get recognised and win cash awards
New Delhi: The National Informatics Centre, a part of the Union ministry of electronics and information technology, has announced the first-ever bug-bounty programme for the government’s Aarogya Setu application.
On Tuesday, the government made the Android version of the contact-tracing app open-source, in the hope that India’s top developers will now inspect and modify the app and find any bugs or issues. NITI Aayog CEO Amitabh Kant said, “Transparency, privacy, and security have been the core design principles of Aarogya Setu. Open-sourcing of the app further highlights the Government of India’s commitment towards these principles.”
The move comes at a time when Aarogya Setu has been criticised for its handling of users' data. The app now has more than 100 million users, and it was the fastest app to reach 50 million users, doing so in just 15 days. According to Kant, the app identifies more than 3,000 hotspots 3-17 days ahead of time.
The Twitter handle of Aarogya Setu said that it was a call for the developer community to come together to help make the app more robust and secure. Additionally, those who identify any vulnerabilities, bugs, or code improvements will be awarded cash prizes.
Under what it terms a “Bug Bounty Programme,” any flaws discovered by researchers should be reported to email@example.com with the subject line “Security Vulnerability Report.” Improvements to the source code can also be reported to the same mail address with the subject line “Code Improvement.”
Researchers are asked to document their findings by providing steps to reproduce them. “Reports with complete vulnerability details, including screenshots or video POC, are essential for being eligible for a reward,” stated the official release. The release further details the rules, one of which is that only vulnerability reports that have not been publicly disclosed qualify for rewards. It also details the scope of vulnerabilities that will be considered.