Any security researcher or developer who identifies vulnerabilities or loopholes in the Aarogya Setu app and brings it to the notice of the government can now win a reward of up to Rs 3 lakh.
The Aarogya Setu Bug Bounty Programme
In the latest move to enhance the quality of its COVID-19 contact tracing app, the government has launched the Aarogya Setu Bug Bounty Programme. Under this, members of the Indian developer community or users of the app stand a chance to win cash prizes ranging from Rs 1 lakh to Rs 3 lakh, depending upon the nature of the security flaw they identify in the app, or suggestions put forth for improvement in its source code.
The idea behind eliciting people's participation is to join hands with security researchers, developers and users to further bolster the security effectiveness of the app.
How to make a 'responsible disclosure' to report a flaw
If one is able to identify security or privacy-related flaws, the same should be notified exclusively to email@example.com. The subject line must read as Security Vulnerability Report. The team of the Aarogya Setu app will then verify the vulnerability (if any) and accordingly take action to fix it.
This method has to be followed in order to qualify as a 'responsible disclosure'. Only those who make such 'responsible disclosures' will be eligible for the rewards.
Other eligibility requirements
The vulnerability must be a 'qualifying vulnerability' as detailed in the programme document. The same should not have been publicly disclosed by the individual, prior to the government's resolution.
The individual (researcher) or company reporting the vulnerability or code improvements should not be employed with or working for the Aarogya Setu Project or related initiatives. Employees (including their family members) of the National Informatics Centre (NIC) and the Ministry of Electronics and Information Technology (MeitY) and its constituent organisations are also not eligible.
All submissions should have a written undertaking stating that the author/authors of the submission have read and understood the Aarogya Setu Bug Bounty Programme document and that they adhere to all the clauses mentioned in the document.
Who can participate and win rewards
The programme is open only to those residing in India. People residing outside the country are also allowed to make submissions under the bug bounty programme, but there will be no cash rewards for them.
Submissions can be made either by individuals, in a group of not more than 5, or in the name of an organisation.
The Bug Bounty programme is open from 00:00 hrs on May 27 to 23:59 hrs on June 26, 2020. Only entries received during this period shall be eligible to be considered for the rewards.