wordpress blog stats
Connect with us

Hi, what are you looking for?

Aarogya Setu Bug Bounty Programme for Android: All you need to know

Aarogya Setu, Bug Bounty
Credit: Aditi Agrawal

Until June 26 midnight, cybersecurity researchers residing in India can be rewarded up to ₹1,00,000 per security vulnerability that they find in Aarogya Setu’s Android app and up to ₹1,00,000 for suggesting code improvements. MyGov CEO Abhishek Singh and National Informatics Centre (NIC) Director General Dr Neeta Verma had announced the bug bounty programme at the press conference on May 26 announcing the open-sourcing of Aarogya Setu’s Android code. MyGov released the details for the bounty on its website. This comes at the heels of an update to the app’s Terms of Service, which removed a prohibition on reverse engineering the app and created a mechanism for people to report defect and bugs in the app that they find.

The programme allows researchers to report two things: security/privacy flaws, and improvements that can be made to the source code.

How can security researchers report bugs and improvements?

To report security/privacy flaws, researchers can send an email to as-bugbounty@nic.in with the subject “Security Vulnerability Report”. The Aarogya Setu team will first verify the existence of the vulnerability and then patch it. Only such responsible disclosures that haven’t been revealed publicly before resolution will be eligible for reward.

To suggest improvements to the source code, researchers can send an email to as-bugbounty@nic.in with the subject “Code Improvement”. Researchers must send detailed program code change, test data and a proof of concept (PoC) showing the impact of the change, and ensure that the change should work on all supported devices (Android v 5.0 and later) with all existing functions and features.

In both cases, researchers must document their findings using screenshots and/or video of the PoC; steps to reproduce the vulnerability/improvement; and details of the vulnerability itself. After that, the Aarogya Setu team will send a confirmation of receipt, take steps to reproduce the research, notify of remediation, or reach out for clarification.

Advertisement. Scroll to continue reading.

To submit as an organisation, due authorisation must be obtained from the organisation and should be attached as part of the submission. Submissions must contain name, address, company details (if any) and mobile number for further communication and not be sent from disposable email addresses or anonymous email services.

  • If researchers come across any personal information which is not their own, they must not access it, immediately stop testing and inform the Aarogya Setu team about the vulnerability. Researchers must not save/transfer/retain/copy/disclose personal information of any other app user.
  • If testing results in performance degradation of the target systems, researchers must immediately suspend their testing.
  • If a researcher is non-responsive to requests after 3 days, the submission(s) may be closed.
  • The researcher must be willing to work and coordinate with the Aarogya Setu team to test the effectiveness of and implement vulnerability mitigation.
  • Code submitted as part of the submission must be the original work of the individual, but all rights related to the code will belong to NIC.
  • All communication with Aarogya Setu team about this programme must be kept confidential, else the submission will be disqualified.

Who is eligible?

All residents of India except people or companies that are employed/working for the app itself or its related activities, and employees (and family members) of NIC, MEITY and their constituent organisation.

For people who reside outside India, a certificate of appreciation will be issued for valid submissions shortlisted by the Aarogya Setu team, but they will not be eligible for any rewards.

What qualifies as a vulnerability?

If the vulnerability

  • is exploitable on a phone that is unrooted (that is, it is not “jailbroken” though the term is used for iOS devices), has ADB (Android Debug Bridge) disabled, and all default Android security features in place, and
  • is present in the app, its source code, or backend server (code for backend server will be open source in the next two weeks) and NOT in the operating system, cloud, web server, database, or technology/services such as Bluetooth, GPS and SMS, and
  • has one of the following characteristics where by exploiting the vulnerability, the person can
    1. access personal data stored on the device or remotely submit a self-assessment through the device, or
    2. access other people’s data on the device other than Aarogya Setu data and device ID (DiD) data broadcast by Bluetooth in the vicinity of the device, or
    3. compromise Aarogya Setu server or hack them such that the servers become buggy, crash or expose any personal data other than the user’s own data or services provided by existing APIs.

It is interesting that if people are able to access DiDs of other users on their devices is not a vulnerability because as per the privacy policy, “Personal information that is stored in the Apps of other registered users that you come in contact with is securely encrypted and are incapable of being accessed by such user”.

To qualify for the reward, the researcher must be the first person to alert the Aarogya Setu team of the previously unknown vulnerability.

What qualifies as a code improvement?

If it has a significant (more than 10%) impact on the app’s overall performance, battery usage reduction, memory and bandwidth reduction on all supported Android versions, it will qualify as a code improvement. This change must not cause degradation in the app or lead to any security vulnerabilities/issues.

How will the reward work?

  • All qualifying submissions will receive a certificate of appreciation.
  • If multiple researchers/companies submit more than one qualifying submission, the Aarogya Setu team may shortlist the submissions based on ease of exploitation, severity, impact and exposure of data (if any), and the reward amount may be divided accordingly.

Read the Aarogya Setu Bug Bounty Programme for Android App here.

Advertisement. Scroll to continue reading.
Written By

Send me tips at aditi@medianama.com. Email for Signal/WhatsApp.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Releasing the policy is akin to putting the proverbial 'cart before the horse'.


The industry's growth is being weighed down by taxation and legal uncertainty.


Due to the scale of regulatory and technical challenges, transparency reporting under the IT Rules has gotten off to a rocky start.


Here are possible reasons why Indians are not generating significant IAP revenues despite our download share crossing 30%.


This article addresses the legal and practical ambiguities in understanding the complex crypto ecosystem in India.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ