Although companies run bug bounty programmes, for a government to do so is a bit unusual, especially an Indian government.
In 2018, Henry Timms and Jeremy Heimans unveiled a book called New Power. The premise was simple: it presented examples of how the world was changing and how governments and people need to be open to the idea of community participation. This certainly does not mean a descent into anarchy, but leveraging tech to crowdsource a better future. The authors would be delighted to see governments turning to hackathons to crowdsource solutions to tackle the current epidemic.
India is not far behind: last week, the government took another step toward opening itself up to criticism. Not many would regard Niti Aayog CEO Amitabh Kant declaring that the government’s contact tracing app, Aarogya Setu, would be open source, as revolutionary (after all, a lot of companies have taken this approach), but it is certainly a big step. More critical is the other announcement, of offering Rs 1 lakh to whoever finds and reports bugs in Aarogya Setu. Open source would also allow experts to suggest to the government ways to keep the app secure. It may also end up helping other countries which are planning to launch an app of their own.
India is certainly not the first country to make such technology open source: Singapore has released its BlueTrace protocol, which can help prevent man-in-the-middle attacks on your phone by assigning a random identifier. India’s efforts, however, are commendable given that they may also urge Indian start-ups to turn to bug bounty programmes.
India does have bounty hunters, but it does not have a culture of bug bounty amongst companies.
While Apple, last year, announced that it would pay up to $1 million, as part of its bug bounty programme, to anyone who could discover a major security flaw, Indian tech companies have a poor track record.
Swiggy has no disclosure of bounty money on its website. PayTM, which is one of India’s leading financial payment firms, has a bug bounty programme that mirrors Facebook’s, with a minimum payment of ₹500. Flipkart, which is a key e-commerce player, says it does not pay for bug reporting. Amazon India also has no bug bounty programme listed on its website.
Zomato announced that it has paid over $100,000 to researchers in its programmes, but it does not specify any terms for its bug bounty. In contrast, Google paid out $3.4 million, followed by Microsoft at $2 million, whereas Facebook has shelled out $1.1 million.
While Rs 1 lakh certainly pales in comparison to Google and Apple, one needs to realise that it is just a nudge. If governments are ready to pay bug bounties, then why can’t Indian companies do so?
Besides, as more people move online, security will become a basic requirement, and companies will need to be forced, either by the government or by the market, to adhere to industry standards and best practices.
The government has made a start; let’s see if Indian companies will follow.