As we all know, Aarogya Setu is a mobile application developed by the Government of India to connect essential health services with the people of India in our combined fight against COVID-19. The app is primarily aimed at augmenting the initiatives of the Government of India, particularly the Department of Health, in proactively reaching out to and informing the users of the app regarding risks, best practices and relevant advisories pertaining to the containment of COVID-19.
The app has already reached more than 10 crore downloads on the Google Play Store. With so many users, it also collects some data and helps app users with necessary information and alerts.
The Aarogya Setu application is developed keeping in mind the “Privacy by design” principle. Despite the best measures taken, vulnerabilities may still exist. When such vulnerabilities are found, the Government would like to learn of them as soon as possible, allowing it to take swift action to fix them and thereby enhance security. In addition to security reports, suggestions for code changes that improve efficiency are also encouraged.
How to report Aarogya Setu app issues
The production build of the AarogyaSetu Android app, followed by the iOS build, along with API documentation, will be made available to the open source research community.
Everyone, including researchers and users of AarogyaSetu, is encouraged to report any vulnerability impacting the privacy and information security posture of the AarogyaSetu application.
Security or privacy related flaws discovered by security researchers should be notified to [email protected] only, with the subject line "Security Vulnerability Report", so that the Aarogya Setu team can first verify the vulnerability (if any) and take action to fix it. Doing so will be called ‘responsible disclosure’, and only such responsible disclosures shall be eligible for rewards.
Any improvements to the source code of AarogyaSetu can also be reported to [email protected], with the subject line "Code Improvement".
Security researchers will document their findings thoroughly, providing steps to reproduce, and send the report to us at [email protected]. Reports with complete vulnerability details, including screenshots or video of the POC, are essential for being eligible for a reward.
The reward is Rs.300000 (Rupees Three Lakhs) for a security vulnerability and up to Rs.100000 (Rupees One Lakh) for in-scope code improvements.
All submissions that qualify as per the terms of this notification shall receive a certificate of appreciation.
This bug bounty programme is open from 00:00 hrs 27-May-2020 to 23:59 hrs 26-June-2020. Only entries received during this period shall be considered for the reward.