Aarogya Setu is now open source
Aarogya Setu is a mobile application developed by the Government of India to connect essential health services with the people of India in our combined fight against COVID-19. The App is aimed at augmenting the initiatives of the Government of India, particularly the Department of Health, in proactively reaching out to and informing the users of the app regarding risks, best practices and relevant advisories pertaining to the containment of COVID-19.
Vulnerability and Code Improvements: Rating and Rewards
The exploitability of the reported vulnerabilities should be viewed in the context of a normal smartphone user. The ease of exploitation, the impact of the vulnerability and the amount/type of personal data (of other Users) exposed shall be factored in while shortlisting reported vulnerabilities for a reward. A Security Researcher will qualify for a reward if he/she is the first person to alert the Aarogya Setu team to a previously unknown valid security vulnerability and if the reported vulnerability conforms to the Scope mentioned in Section 3.0. In addition to rewards for responsible disclosure of vulnerabilities, appropriate rewards shall be awarded to Researchers who responsibly disclose suggestions for improvements to the source code or the Application from a security perspective. While providing such suggestions, Researchers should provide a detailed code snippet for implementing their suggestion/improvement. They should also ensure that, upon implementing their suggestion/improvement, the App still works on all supported devices (i.e., Android version 5.0 and above), with all existing functionalities and features intact.
All submissions that qualify as per the terms of this notification shall receive a certificate of appreciation.
If more than one qualifying submission is received from multiple researchers/companies, then the Aarogya Setu team may shortlist the submissions based on their ease of exploitation, severity, impact and exposure of data (if any), for further consideration. The reward amount may be divided accordingly.
Rules for reporting a Vulnerability or a Code improvement
• This Bug bounty programme is open to people residing in India.
• People residing outside India may also make submissions in the bug bounty but they shall not be eligible for any rewards. However, if they make any valid submissions which are shortlisted by the Aarogya Setu team, they would be issued a certificate of appreciation for their contribution.
• This Bug bounty programme is open from 00:00 hrs 27-May-2020 to 23:59 hrs 26-June-2020. Only entries received within this period shall be considered for the reward.
• If a disclosed vulnerability or source code improvement is shortlisted for the reward, then the researcher shall provide his/her Government ID proof, bank account details, etc., in order to claim the reward amount.
• The submissions can be made either as an Individual, as a Group of Individuals (not more than 5) or in the name of an Organization. At the time of submission, this detail should be clearly mentioned. A person making a submission on behalf of an Organization should obtain due authorization from their respective Organization before making the submission and attach the authorization letter/mail as part of the submission.
• Security Researchers should not access any personal information that is not their own, including by exploiting any vulnerability that they may come across.
NIC Page 8
• In order to be considered for a reward, the submissions must be made exclusively to the specified email ID: [email protected] for both security vulnerabilities and code improvements. The submission should contain the name, address, company details (if any) and mobile number for further communication. The email address used for the submission will be used for all communications post submission. Communication received from any other email address will not be accepted. Use of anonymous email services or disposable email addresses for submissions is not allowed.
• Actions which affect the integrity or availability of AarogyaSetu application are strictly prohibited.
• If the security researcher notices performance degradation on the target systems, they must immediately suspend their testing.
• Submissions may be closed if a Researcher is non-responsive to requests for information after 3 days.
• The Security Researcher should co-ordinate with the AarogyaSetu team in testing the effectiveness of the vulnerability mitigation.
• If the Security Researcher has come across or gained access to the personal data of other Users of AarogyaSetu, then he/she shall immediately stop the testing and inform the AarogyaSetu team about the vulnerability.
• At no point of time shall a Security Researcher copy, save, disclose, retain or transfer the data or personal information of any User (apart from his/her own data) of AarogyaSetu.
• Researchers, while reporting a vulnerability, should include a video or screenshot along with a Proof-of-Concept and step-wise instructions to demonstrate the vulnerability and its exploitation in their submissions. These files should not be shared publicly. This includes uploading to any publicly accessible websites (e.g. YouTube, Twitter, Facebook, etc.).
• The Researcher should share a detailed code snippet for the code improvements being proposed. The adverse security impact of not implementing the suggested code improvement should also be described in detail, along with the necessary screenshots, evidence and Proofs of Concept (where applicable).
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Researchers shall take necessary precautions to avoid privacy violations, destruction of data, and interruption or degradation of AarogyaSetu service.
• Researchers should not perform DoS or DDoS attacks.
• Researchers should not run any automated or manual scans against the back-end infrastructure.
• The Vulnerability reported or the Source code improvement reported, should be original and should not be previously reported by anyone.
• The Researcher should be ready to work and co-ordinate with the AarogyaSetu team in implementing the code improvement or bug fixes, testing the Application or code, and debugging or troubleshooting issues related to the bug or code improvement.
• Code submitted as part of the submission should be the original work of the individual, and all rights related to the code will be under the ownership of NIC.
• All communications made with the Aarogya Setu team with respect to the bug bounty programme should be kept confidential and should not be shared with anyone, nor posted on any public platforms. Doing so will disqualify the submission.
• At any point of time, if the information submitted by the researchers or companies is found to be false, then their submission shall be summarily rejected and they shall forfeit all rewards.
• The decision of Aarogya Setu team is final and binding on all aspects related to this bug bounty programme.