Any security researcher or developer who identifies vulnerabilities or loopholes in the Aarogya Setu app and brings them to the notice of the government can now win a reward of up to Rs 3 lakh.
The Aarogya Setu Bug Bounty Programme
In the latest move to enhance the quality of its COVID-19 contact tracing app, the government has launched the Aarogya Setu Bug Bounty Programme. Under this, members of the Indian developer community or users of the app stand a chance to win cash prizes ranging from Rs 1 lakh to Rs 3 lakh, depending upon the nature of the security flaw they identify in the app, or the suggestions they put forth for improvement in its source code.
The idea behind eliciting people's participation is to join hands with security researchers, developers and users to further bolster the security effectiveness of the app.
How to make a 'responsible disclosure' to report a flaw
If one is able to identify security or privacy-related flaws, they should be reported exclusively to firstname.lastname@example.org. The subject line must read "Security Vulnerability Report". The team of the Aarogya Setu app will then verify the vulnerability (if any) and accordingly take action to fix it.
This method has to be followed in order to qualify as a 'responsible disclosure'. Only those who make such 'responsible disclosures' will be eligible for the rewards.
Other eligibility requirements
The vulnerability must be a 'qualifying vulnerability' as detailed in the programme document. It should not have been publicly disclosed by the individual prior to the government's resolution.
The individual (researcher) or company reporting the vulnerability or code improvements should not be employed with or working for the Aarogya Setu Project or related initiatives. Employees (including their family members) of the National Informatics Centre (NIC) and the Ministry of Electronics and Information Technology (MeitY) and its constituent organisations are also not eligible.
All submissions should have a written undertaking stating that the author/authors of the submission have read and understood the Aarogya Setu Bug Bounty Programme document and that they adhere to all the clauses mentioned in the document.
Who can participate and win rewards
The programme is open only to those residing in India. People residing outside the country are also allowed to make submissions under the bug bounty programme, but there will be no cash rewards for them.
Submissions can be made by individuals, by groups of not more than 5, or in the name of an organisation.
The Bug Bounty programme is open from 00:00 hrs on May 27 to 23:59 hrs on June 26, 2020. Only entries received within this period shall be eligible to be considered for the rewards.