Aarogya Setu has taken a big step by revealing the source code of the Android version of the application to the public. On Tuesday, Aarogya Setu team announced to make the app source code and provide an opportunity for the developers to review the code and suggest improvements and also find vulnerabilities if any. The team also announced a bug bounty programme as the Aarogya Setu team wants to collaborate with developers across the country and make the app robust and secure. “Those identifying vulnerabilities, bugs or code improvement stand to get recognized and win cash awards too,” Aarogya Setu said. Prize money of 1 lakh has been announced for the country programme.
“I just want to point out that this is a very very unique thing to be done,” NITI Aayog CEO Amitabh Kant said. “No other government product anywhere in the world has been open sourced at this scale anywhere in the world.”
“AarogyaSetu application is developed keeping in mind the “Privacy by design principle”. Despite the best measures taken, the presence of vulnerabilities may exist. When such vulnerabilities are found, Government would like to learn of them as soon as possible, allowing it to take swift action to fix them and thereby enhance the security. In addition to security, suggestions for code change for enhanced efficiency are also encouraged,” the government of India stated.
To get access to the source code you will need to head over to https://github.com/nic-delhi/AarogyaSetu_Android and sign up to participate. At the time of writing the website had 76 issues and 29 pull requests. The process of supporting the open-source development will be managed by National Informatics Centre (NIC) and all code suggestions will be processed through pull request reviews.
On opening the source to the developer community the government of India said that the move signifies their continuing commitment to the principles of transparency and collaboration. “With the release of the source code in the public domain, we are looking to expanding collaboration and to leverage the expertise of top technical brains amongst the talented youth and citizens of our nation and to collectively build a robust and secure technology solution to help support the work of frontline health workers in fighting this pandemic,” the Aarogya Setu team noted.
The government has also announced that the iOS and KiOS version of the Aarogya Setu app will be released as open-source within the next two weeks and the server code will also be released subsequently. Stating the reason for releasing the code first for Android the government said nearly 98 per cent users of Aarogya Setu app use an Android phone.
With the help of the bounty programme the government of India aims to partner with security researchers and Indian developer community to test the security effectiveness of Aarogya Setu and also to improve and enhance its security and build user’s trust. The bug bounty programme will be hosted by the MyGov team and will enable security researchers to avail Rs 1 lakh bounty for finding security vulnerabilities within the app. The government has also announced another code improvement bounty of Rs 1 lakh.
To participate everyone, including researchers and users of Aarogya Setu app will need to find and report any vulnerability impacting the privacy and information security posture of the application. Any security or privacy related flaws discovered by the security researchers will then need to be notified to email@example.com with subject line “Security Vulnerability Report. “Doing so will be called ‘responsible disclosure’ and only such responsible disclosures shall be eligible for rewards.”
For reporting improvements to the source code users or researchers or developers can also report to firstname.lastname@example.org, with the subject line “Code Improvement”. The security researchers will need to document the findings thoroughly. Notably, reports with complete vulnerability details, including screenshots or video of POC, are essential for being eligible for the reward. The Aarogya Setu Team will contact the researchers to confirm that they have received their report.
The researcher will be then notified of remediation and may be reached out for questions or clarification. The AarogyaSetu Team will work to make the necessary improvements and remediation to fix the vulnerability.
Not everyone will be eligible to get rewards. Notably, only those submissions that meet the following eligibility requirements may receive a reward:
1) The vulnerability must be a qualifying vulnerability so researchers must take a note of that.
2) Security Researcher may not publicly disclose the vulnerability prior to the resolution.
3) The Researcher reporting the vulnerability improvements should not be working for AarogyaSetu Project or its related activities or initiatives.
4) Employees (including their family members) of National Informatics Centre (NIC) and Ministry of Electronics & IT (MeitY) and its constituent organizations are not eligible.
For more details of the bug bounty programme head over to MyGov website.