Aarogya Setu Bug Bounty Programme for Android: All you need to know

Aarogya Setu, Bug Bounty
Credit: Aditi Agrawal

Until midnight on June 26, cybersecurity researchers residing in India can be rewarded up to ₹1,00,000 per security vulnerability they find in Aarogya Setu’s Android app, and up to ₹1,00,000 for suggesting code improvements. MyGov CEO Abhishek Singh and National Informatics Centre (NIC) Director General Dr Neeta Verma announced the bug bounty programme at the May 26 press conference that also announced the open-sourcing of Aarogya Setu’s Android code. MyGov has released the details of the bounty on its website. This comes on the heels of an update to the app’s Terms of Service, which removed the prohibition on reverse engineering the app and created a mechanism for people to report defects and bugs they find in it.

The programme allows researchers to report two things: security/privacy flaws, and improvements that can be made to the source code.

How can security researchers report bugs and improvements?

To report security/privacy flaws, researchers can send an email to as-bugbounty@nic.in with the subject “Security Vulnerability Report”. The Aarogya Setu team will first verify that the vulnerability exists and then patch it. Only responsible disclosures that have not been made public before the issue is resolved will be eligible for a reward.

To suggest improvements to the source code, researchers can send an email to as-bugbounty@nic.in with the subject “Code Improvement”. Researchers must send the detailed program code change, test data and a proof of concept (PoC) showing the impact of the change, and ensure that the change works on all supported devices (Android 5.0 and later) with all existing functions and features intact.

In both cases, researchers must document their findings with screenshots and/or a video of the PoC, the steps to reproduce the vulnerability or improvement, and details of the vulnerability itself. The Aarogya Setu team will then send a confirmation of receipt, attempt to reproduce the finding, notify the researcher of remediation, or reach out for clarification.

To submit as an organisation, due authorisation must be obtained from the organisation and attached to the submission. Submissions must contain the researcher’s name, address, company details (if any) and mobile number for further communication, and must not be sent from disposable email addresses or anonymous email services.

  • If researchers come across any personal information which is not their own, they must not access it, immediately stop testing and inform the Aarogya Setu team about the vulnerability. Researchers must not save/transfer/retain/copy/disclose personal information of any other app user.
  • If testing results in performance degradation of the target systems, researchers must immediately suspend their testing.
  • If a researcher does not respond to requests within 3 days, the submission(s) may be closed.
  • The researcher must be willing to work and coordinate with the Aarogya Setu team to test the effectiveness of and implement vulnerability mitigation.
  • Code submitted as part of the submission must be the original work of the individual, but all rights related to the code will belong to NIC.
  • All communication with Aarogya Setu team about this programme must be kept confidential, else the submission will be disqualified.

Who is eligible?

All residents of India, except people or companies employed by or working on the app itself or its related activities, and employees (and their family members) of NIC, MEITY and their constituent organisations.

For people who reside outside India, a certificate of appreciation will be issued for valid submissions shortlisted by the Aarogya Setu team, but they will not be eligible for any rewards.

What qualifies as a vulnerability?

If the vulnerability

  • is exploitable on a phone that is not rooted (the Android equivalent of a “jailbroken” iOS device), has ADB (Android Debug Bridge) disabled, and has all default Android security features in place, and
  • is present in the app, its source code, or its backend server (the backend server code is to be open-sourced in the next two weeks), and NOT in the operating system, cloud, web server, database, or underlying technologies/services such as Bluetooth, GPS and SMS, and
  • has one of the following characteristics, whereby exploiting the vulnerability a person can
    1. access personal data stored on the device, or remotely submit a self-assessment through the device, or
    2. access other users’ data on the device, other than Aarogya Setu data and the device ID (DiD) data that nearby devices broadcast over Bluetooth, or
    3. compromise the Aarogya Setu servers such that they malfunction, crash, or expose personal data other than the user’s own or services beyond those provided by the existing APIs.

Notably, being able to access the DiDs of other users stored on one’s own device does not count as a vulnerability, because, as per the privacy policy, “Personal information that is stored in the Apps of other registered users that you come in contact with is securely encrypted and are incapable of being accessed by such user”.

To qualify for the reward, the researcher must be the first person to alert the Aarogya Setu team of the previously unknown vulnerability.

What qualifies as a code improvement?

A change qualifies as a code improvement if it has a significant (more than 10%) impact on the app’s overall performance, or reduces battery usage, memory consumption or bandwidth usage by that margin, on all supported Android versions. The change must not degrade the app or introduce any security vulnerabilities or issues.

How will the reward work?

  • All qualifying submissions will receive a certificate of appreciation.
  • If more than one qualifying submission is received from multiple researchers or companies, the Aarogya Setu team may shortlist the submissions based on ease of exploitation, severity, impact and exposure of data (if any), and the reward amount may be divided accordingly.

Read the Aarogya Setu Bug Bounty Programme for Android App here.

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2018 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ