Until June 26 midnight, cybersecurity researchers residing in India can be rewarded up to ₹1,00,000 per security vulnerability that they find in Aarogya Setu’s Android app and up to ₹1,00,000 for suggesting code improvements. MyGov CEO Abhishek Singh and National Informatics Centre (NIC) Director General Dr Neeta Verma had announced the bug bounty programme at the press conference on May 26 announcing the open-sourcing of Aarogya Setu’s Android code. MyGov released the details for the bounty on its website. This comes on the heels of an update to the app’s Terms of Service, which removed a prohibition on reverse engineering the app and created a mechanism for people to report defects and bugs that they find in the app.

The programme allows researchers to report two things: security/privacy flaws, and improvements that can be made to the source code.

How can security researchers report bugs and improvements?

To report security/privacy flaws, researchers can send an email to as-bugbounty@nic.in with the subject “Security Vulnerability Report”. The Aarogya Setu team will first verify the existence of the vulnerability and then patch it. Only responsible disclosures that have not been revealed publicly before resolution will be eligible for a reward.

To suggest improvements to the source code, researchers can send an email to as-bugbounty@nic.in with the subject “Code Improvement”. Researchers must send a detailed program code change, test data and a proof of concept (PoC) showing the impact of the change, and ensure that the change works on all supported devices (Android v 5.0 and later) with all existing functions and features.

In both cases, researchers must document their findings using screenshots and/or video of the PoC; steps to reproduce the vulnerability/improvement; and details of the vulnerability itself. After that, the Aarogya Setu team will send a confirmation of receipt, take steps to reproduce the research, notify of remediation, or reach out for clarification.

To submit as an organisation, due authorisation must be obtained from the organisation and attached as part of the submission. Submissions must contain the researcher’s name, address, company details (if any) and mobile number for further communication, and must not be sent from disposable email addresses or anonymous email services.

  • If researchers come across any personal information which is not their own, they must not access it, immediately stop testing and inform the Aarogya Setu team about the vulnerability. Researchers must not save/transfer/retain/copy/disclose personal information of any other app user.
  • If testing results in performance degradation of the target systems, researchers must immediately suspend their testing.
  • If a researcher is non-responsive to requests after 3 days, the submission(s) may be closed.
  • The researcher must be willing to work and coordinate with the Aarogya Setu team to test the effectiveness of and implement vulnerability mitigation.
  • Code submitted as part of the submission must be the original work of the individual, but all rights related to the code will belong to NIC.
  • All communication with Aarogya Setu team about this programme must be kept confidential, else the submission will be disqualified.

Who is eligible?

All residents of India, except people or companies employed by or working on the app itself or its related activities, and employees (and family members) of NIC, MEITY and their constituent organisations.

For people who reside outside India, a certificate of appreciation will be issued for valid submissions shortlisted by the Aarogya Setu team, but they will not be eligible for any rewards.

What qualifies as a vulnerability?

If the vulnerability

  • is exploitable on a phone that is unrooted (that is, not “jailbroken”, though that term is usually used for iOS devices), has ADB (Android Debug Bridge) disabled, and has all default Android security features in place, and
  • is present in the app, its source code, or the backend server (the backend server code will be open-sourced in the next two weeks) and NOT in the operating system, cloud, web server, database, or technology/services such as Bluetooth, GPS and SMS, and
  • has one of the following characteristics, whereby, by exploiting the vulnerability, the person can
    1. access personal data stored on the device or remotely submit a self-assessment through the device, or
    2. access other people’s data on the device other than Aarogya Setu data and device ID (DiD) data broadcast by Bluetooth in the vicinity of the device, or
    3. compromise Aarogya Setu servers or hack them such that the servers become buggy, crash, or expose any personal data other than the user’s own data or services provided by existing APIs.

It is interesting that being able to access the DiDs of other users on one’s own device is not considered a vulnerability, because as per the privacy policy, “Personal information that is stored in the Apps of other registered users that you come in contact with is securely encrypted and are incapable of being accessed by such user”.

To qualify for the reward, the researcher must be the first person to alert the Aarogya Setu team of the previously unknown vulnerability.

What qualifies as a code improvement?

A change qualifies as a code improvement if it has a significant (more than 10%) impact on the app’s overall performance, or reduces its battery usage, memory consumption or bandwidth usage, on all supported Android versions. The change must not cause any degradation in the app or lead to any security vulnerabilities/issues.

How will the reward work?

  • All qualifying submissions will receive a certificate of appreciation.
  • If multiple researchers/companies submit more than one qualifying submission, the Aarogya Setu team may shortlist the submissions based on ease of exploitation, severity, impact and exposure of data (if any), and the reward amount may be divided accordingly.

Read the Aarogya Setu Bug Bounty Programme for Android App here.