New Delhi: The National Informatics Centre, a part of the Union ministry of electronics and information technology, has announced the first-ever bug-bounty programme for the government’s Aarogya Setu application.
On Tuesday, the government released the source code of the Android version of the contact-tracing app, in the hope that developers will inspect it and report bugs and security issues. NITI Aayog CEO Amitabh Kant said, “Transparency, privacy, and security have been the core design principles of Aarogya Setu. Open-sourcing of the app further highlights the Government of India’s commitment towards these principles.”
.@SetuAarogya app, your personal bodyguard in the fight against #COVID19. #SetuMeraBodyguard
Till date #AarogyaSetu has alerted 1,40,000 people of potential #coronavirus infection: #NITIAayog CEO @amitabhk87 pic.twitter.com/KywSASIOoH
— NITI Aayog (@NITIAayog) May 26, 2020
The move comes at a time when Aarogya Setu has been criticised for its handling of users’ data. The app now has more than 100 million users and reached 50 million users in 15 days, faster than any app before it. According to Kant, it has identified more than 3,000 hotspots 3 to 17 days ahead of time.
The official Aarogya Setu Twitter handle described the programme as a call for the developer community to come together and help make the app more robust and secure. Those who identify vulnerabilities, bugs, or code improvements stand to be recognised and are eligible for cash awards.
Aarogya Setu Bug Bounty Program – call upon the developer community to join hands to help make Aarogya Setu more robust and secure. Those identifying vulnerabilities, bugs or code improvement stand to get recognized and win cash awards too. #SetuMeraBodyguard #IndiaFightsCorona pic.twitter.com/zXWd9jfdQP
— Aarogya Setu (@SetuAarogya) May 26, 2020
Under the “Bug Bounty Programme,” researchers should report any flaws they discover to as-bugbounty@nic.in with the subject line “Security Vulnerability Report.” Suggested improvements to the source code go to the same address with the subject line “Code Improvement.”
Researchers are asked to document their findings with steps to reproduce them. “Reports with complete vulnerability details, including screenshots or video POC, are essential for being eligible for a reward,” stated the official release. The release also sets out the rules, one of which is that only reports of vulnerabilities that have not been publicly disclosed qualify for rewards, so a finding announced before it is reported to NIC forfeits the bounty. It further details the scope of vulnerabilities that will be considered.