Govt offering up to 4 lakhs to find bugs in Aarogya Setu

The government made its Covid-19 contact tracing app open source. Along with it a bug bounty programme for Aarogya Setu was also announced. Anyone who reports a vulnerability in the app will be rewarded up to ₹4 lakhs.

The bug bounty programme is open to anyone with knowledge of the same, and who can report any vulnerability in the app. Interested users can send an email to bugbounty@nic.in with the subject line “Security Vulnerability Report”. Users can also suggest improvements to the source code of Aarogya Setu by sending an email with the subject line “Code Improvement”.

For reports that are approved, the user or researcher will be notified about it. Researchers who discover any vulnerability are not allowed to publicly disclose it before it has been resolved. Also, this bug bounty programme is not eligible for employees from the Aarogya Setu team, the National Informatics Centre (NIC) and Ministry of Electronics and IT (MeitY).

Researchers will be awarded ₹3 lakhs for finding and reporting security vulnerabilities in Aarogya Setu. ₹1 lakh per vulnerability will be given. As for suggesting improvements in the source code, up to ₹1 lakh will be awarded to the researchers.

The bug bounty programme started on May 27 and it will continue till June 26. So all those who are interested will have to submit their reports within this period. Full guidelines and rules for the bug bounty programme can be found here.