The bug bounty program is open for anybody and everybody, including researchers and Aarogya Setu users, until June 26, 2020.
The Government will pay you up to Rs 4 lakh in cash for finding bugs in Aarogya Setu, or for suggesting improvements that make India’s indigenous COVID-19 tracking app even better, as part of its bug bounty program.
“Everyone, including researchers and users of Aarogya Setu, are encouraged to report any vulnerability impacting the privacy and information security posture of Aarogya Setu application,” the Government notes in the program’s terms and conditions.
Researchers and cybersecurity experts (as well as anybody with the technical know-how) can now audit the Aarogya Setu app at their own discretion, because the Government of India has published the entire source code of the Aarogya Setu app for Android on GitHub; in simple words, it has made the Aarogya Setu app open source. In a big win for privacy advocates, source code for iOS and KaiOS (for JioPhone), as well as for the server side, will also be made available to all in the coming days.
With that in place, the Government has also announced a bug bounty program that lets security researchers “responsibly” disclose vulnerabilities in the Aarogya Setu app and get rewarded for their findings. There are a few guidelines to follow, though. To begin with, the reported vulnerability should be present only in the Aarogya Setu app, its source code or its back-end server, and not in the platform (such as the operating system, cloud, web, server or database) or in a technology such as Bluetooth, GPS or SMS. The vulnerability should also be exploitable on “an unrooted phone running a version of Android supported by AarogyaSetu, with ADB Disabled and with all default Android security features in place.”
People are also encouraged to share improvements to the source code of Aarogya Setu as part of the bug bounty program. The Government notes that the “suggested code improvement should have a significant impact on the app’s overall performance improvement, battery usage reduction, memory and bandwidth reduction.”