This week, Aarogya Setu did something we weren't expecting: the app was made open source, with its source code released on GitHub.
This means the government is ready to show what is happening behind the scenes and give a look at the app's internals. This is a significant step and looks like an effort to earn people's trust (especially after MIT Technology Review lowered its rating for the app).
Along with this, the app's developers have also opened a channel for people to report bugs and security vulnerabilities found in the app, to help make it more seamless and secure. These reports will be rewarded with cash prizes of up to Rs 4 lakh.
If you understand app development and want to get a piece of this action, you can look at the app on GitHub here. If you find a bug, or want to propose improvements to the source code, send an email to 'as-bugbounty@nic.in'. Make sure the subject line is 'Code Improvement.'
Security researchers are asked to document their findings appropriately, provide steps to reproduce, and send the report to the aforementioned email ID. Only reports with complete vulnerability details and screenshots/videos will be eligible for a reward.
According to the terms and conditions, a reported security vulnerability should be exploitable on an unrooted phone running a version of Android supported by Aarogya Setu, with ADB disabled and all default Android security features in place.
It also states three categories of vulnerabilities that will be eligible for a reward:
- By exploiting the vulnerability, one should be able to access an individual's Aarogya Setu data on an Android phone, or remotely submit a self-assessment through the phone.
- By exploiting the vulnerability, one should be able to access other people's data from an individual's app or phone -- other than their own Aarogya Setu data and other than Digital ID (DiD) data broadcast by Bluetooth in the vicinity of the phone.
- The vulnerability should be able to compromise Aarogya Setu servers or hack the servers such that the servers become buggy, crash, or expose any personal data other than the user's own data or services already provided by the existing APIs.
The maximum reward is up to Rs 1 lakh per vulnerability. Submissions can be made for a single bug or for all three. For suggestions, the maximum reward is up to Rs 1 lakh. The bug bounty programme runs from May 27, 2020 to June 26, 2020.