Aarogya Setu Bug Bounty Programme for Android App
What is the Aarogya Setu App
Aarogya Setu is a mobile application developed by the GOI (Government of India) to protect the citizens of India in the combined fight against COVID-19. The app is aimed at augmenting the initiatives of the Govt. of India in proactively reaching out to and informing the users of the app about risks, best practices, and relevant advisories pertaining to the containment of COVID-19.
Aarogya Setu was launched on 2nd April 2020 to help augment the efforts to limit the spread of COVID-19, with the objective of enabling Bluetooth-based contact tracing, mapping of likely hotspots and dissemination of relevant information about COVID-19.
The app has over 114 Million users as of 26th May 2020, which is more than any other contact tracing app in the world.
The app is available in 12 languages and on the Android, iOS, and KaiOS platforms. Citizens across the country are using Aarogya Setu to protect themselves, their loved ones, and the nation.
However, many questions have been raised about the Aarogya Setu app's security, privacy, and transparency, but the government has consistently denied that there are privacy and security flaws.
To demonstrate transparency and security, the government has now made Aarogya Setu open source. The source code for the Android version of the application is available for review and collaboration on GitHub.
The iOS version of the application will be released as open source within the next two weeks, and the server code will be released subsequently. Almost 98% of Aarogya Setu users are on the Android platform.
Bug Bounty Programme
Aarogya Setu’s Bug Bounty Program has been prepared with the goal of partnering with the security researcher and Indian developer community to test the security effectiveness of Aarogya Setu, to improve or enhance its security, and to build users’ trust.
How Bug Bounty Programme Will Work
- The production build of the Aarogya Setu Android app, followed by the iOS build, along with API documentation, will be made available to the open-source research community.
- Everyone, including researchers and users of AarogyaSetu, is encouraged to report any vulnerability impacting the privacy and information security posture of the Aarogya Setu application.
- Security or privacy related flaws discovered by security researchers should be reported to firstname.lastname@example.org only, with the subject line: Security Vulnerability Report, so that the Aarogya Setu team can first verify the vulnerability (if any) and take action to fix it. Doing so will be called ‘Responsible disclosure’, and only such responsible disclosures shall be eligible for rewards.
- Any improvement to the source code of Aarogya Setu can also be reported to email@example.com, with the subject line: Code Improvement.
- Security researchers will document their findings thoroughly, providing steps to reproduce, and send the report to us at firstname.lastname@example.org; the reproduction steps and a video of the POC are essential for being eligible for a reward.
- The AarogyaSetu team will contact the researcher to confirm that the report has been received and will trace the steps to reproduce the finding.
- The AarogyaSetu team will notify the researcher of remediation and may reach out with questions or for clarification.
- The AarogyaSetu team will work to make the necessary improvements and remediation to fix the vulnerability.
Reward Categories For Bug Bounty Program
| Bounty/Reward Categories | Maximum Reward Amount (in INR) | Email ID for reporting |
|---|---|---|
| Security Vulnerability | Rs. 300000 (Rupees Three lakhs). Upto Rs. 100000 (Rs one lakh) per vulnerability mentioned under point 3.2 “in-scope vulnerabilities”. Submission can be done for one individually or for all three; please mention this in the submission accordingly. | |
| Suggestion/Improvement in the source code | Upto Rs. 100000 (Rupees One lakh) for the in-scope code improvement mentioned in the official notification. | email@example.com |
This Bug Bounty programme is open from 00:00 hrs 27-May-2020 to 23:59 hrs 26-June-2020. Only entries received within this period shall be considered for the reward.
More details of these programs can be read on the NIC website or on the MyGov official website.