The National Informatics Centre received 1,451 submissions under its Aarogya Setu Bug Bounty Programme for the Android app between May 26, that is, when the programme was announced, and June 27, the deadline for the programme, NIC revealed in an RTI filed by MediaNama. Of the 1,451 submissions received, 1,070 submissions were received as improvements to the code and 381 submissions were received as Security Vulnerability Reports. Read the RTI response here.
Despite asking for details of the submissions received, including, but not limited to, senders of reports and NIC’s replies to them; number, details and nature of submissions that have been accepted by the NIC, the reply to the RTI did not give those details. “The results are yet to be announced, so it may not be appropriate to share these details,” reads the response.
The RTI reply did not answer our questions about the number of people who have received the bounty and the number of certificates of appreciation that were given out since “the results are yet to be announced”.
When the Android source code was open-sourced on May 26, MyGov CEO Abhishek Singh and National Informatics Centre (NIC) Director-General Dr. Neeta Verma had also announced the bug bounty programme under which cybersecurity researchers residing in India could be rewarded up to ₹1,00,000 per security vulnerability that they find in Aarogya Setu’s Android app and up to ₹1,00,000 for suggesting code improvements. While telling MediaNama that the iOS source code has also been put in the public domain on government’s own repository of code, Singh, on August 13, had told MediaNama that the NIC will be announcing the results of the Android Bounty Programme “soon”. Thus far, NIC has not responded to MediaNama’s questions asking for details.