NEW DELHI: After the controversy around the contact tracing app Aarogya Setu, the Indian government has decided to open-source the app's code for public scrutiny and has invited security researchers, under a bug bounty programme, to test its security robustness and find vulnerabilities that could lead to potential data breaches.
The reward for reporting a vulnerability in Aarogya Setu will be up to ₹3,00,000. For suggestions on in-scope code improvements, the reward amount will be ₹1,00,000.
“Indian cyber security researchers top the leader boards of most global bug bounty platforms. It is about time the government starts leveraging this massive pool of talent towards securing our applications and infrastructure. By channelling this energy into productive security challenges, we can greatly benefit as a nation,” said Yash Kadakia, founder & CTO, Security Brigade, a cybersecurity firm.
Widely popular with private organisations, bug bounty programmes enable them to leverage the vast pool of cybersecurity talent outside their company. Independent ethical hackers look for errors in software or configuration on their own time and then report them back to the company. This gives the company the opportunity to patch the errors before cybercriminals stumble upon them.
Rahul Tyagi, co-founder, Lucideus, a cybersecurity firm, pointed out that such programmes are extremely valuable to organisations, as they are an effective way to test the existing security posture of an application.
“Today, building software still remains a very complex and brittle process. There are both known and unknown bugs in the development process, and developers are constantly working towards fixing these. In such instances, bug bounty programmes can be effective and are a simple way to crowd-source security flaws and vulnerability management,” said Tyagi.
The Narendra Modi-led government has been very active on the digital front and has launched several apps and digital platforms for governance. However, some of them, including the Aarogya Setu app, have been shrouded in controversy due to privacy and security concerns.
In December, the Indian Computer Emergency Response Team (CERT-In) reported that 48 government websites had been hacked up to October 2019. According to reports, the Aadhaar database suffered several data breaches compromising the records of 1.1 billion Indian citizens.
Several governments, including those of the US and Singapore, have been using bug bounty programmes to stay one step ahead of attackers. The US Department of Defence has been using bug bounty programmes to secure its vital systems for several years now.
Following the Hack the Pentagon programme which started in 2016, over 3,000 vulnerabilities have been reportedly detected and addressed in government systems through similar programs.
In addition to apprising governments and organisations of vulnerabilities, bug bounty programmes also encourage researchers and ethical hackers to come forward and help by rewarding their efforts. Without such a programme, there is always a possibility that a researcher will not report a flaw and will instead sell it for a few quick bucks on the Dark Web (the part of the internet that is not indexed by search engines).
“Bug bounty programmes push the community to move towards ethical reporting of security vulnerabilities and not disclose the data illegally or on dark web forums. We have seen a significant interest in India in contributing to various bug bounty programs,” said Tyagi.
India has been among the top contributing countries to Facebook's programme, based on bounty payouts and the quality of bug reports, according to Lucideus. Organisations such as Google and Facebook run their own bug bounty programmes, which paid $2.9 million and $880,000 respectively to bug hunters.
In 2019, Apple had opened its bug bounty programme to all security researchers and increased the reward amount from $200,000 to up to $1,500,000.