Hacking Aarogya Setu can win you ₹1 lakh to ₹3 lakh through the Indian government’s ‘bug bounty’ programme

The Indian government is offering up rewards to anyone who can find flaws with its COVID-19 tracking app, Aarogya Setu (BI India)
  • The Indian government has announced a ₹3 lakh bounty for anyone who can find a vulnerability with its COVID-19 tracking app, Aarogya Setu.
  • You can also win a reward of ₹1 lakh if you make a valid suggestion for how the app can be improved.
  • Aarogya Setu’s open-source code is up for analysis on GitHub for developers to grab — and it’s a way for the government to lay to rest any privacy concerns that people may have.
There’s a ₹1 lakh reward up for grabs for anyone who can find a valid way to improve the Indian government’s COVID-19 tracking app, Aarogya Setu. Another ₹3 lakh is up for grabs if someone can point out a security vulnerability. The government wants to lay to rest any accusations or claims about how the data it takes from users’ phones can be misappropriated.

The open-source code for the contact tracing app has been released on GitHub and developers are being encouraged to track down any loopholes that they can find — something that many privacy activists have been advocating ever since Aarogya Setu made its way into the limelight.


The ‘bug bounty’ programme is open to Indians as well as foreign nationals. However, only Indians are eligible to claim the money reward offered under the scheme.

“This is a unique thing to be done. No other government product anywhere in the world has been open-sourced at this scale,” announced Amitabh Kant, chief executive of NITI Aayog. The government has also promised that any updates to the app will be made open-source through the same repository.

The question of privacy
The Indian government’s COVID-19 tracking app has repeatedly been under the lens during the lockdown. With Aarogya Setu asking for permission to access users’ data, people are concerned that they may be offering up more than they had bargained for — especially since the government of India made it mandatory for everyone to have it on their phones.

“You want to make sure that you have the right protection in your application and that equitable data is being collected. It opens up the doors for attackers. From a government’s perspective, you want to make sure that the agencies are taking the right protection,” Yuval Wollman, the President of Cyberproof and former Director-General of Israeli Intelligence, told Business Insider.

Aarogya Setu has had a tough go of it ever since Twitter’s famed Elliot Alderson — real name, Robert Baptiste — pointed out that there is a security issue with the app earlier this month. “The privacy of 90 million Indians is at stake,” he wrote.

The makers of Aarogya Setu hit back saying, “No personal information of any user has been proven to be at risk by this ethical hacker. We are continuously testing and upgrading our systems.”

“Developing countries, with their limited budgets and resources, need to consider the costs versus the outcomes in tracing exposed individuals in a privacy preserving way,” said Ramesh Raskar, an MIT Media Lab professor. According to him, an app like Aarogya Setu runs the risk of exposing private data, which is especially risky considering the large data stores that a population like India has up for grabs.
