The government on Tuesday, 26 May, released the source code for the Android version of Aarogya Setu App. “Aarogya Setu is now open source,” declared Amitabh Kant, CEO, NITI Aayog at the press conference.
At the same event, Dr Neeta Verma, Director General, National Informatics Centre (NIC), announced a bug bounty scheme for the app, with rewards of up to Rs 3 lakh.
Terming it a “major step”, Ajay Prakash Sawhney, Secretary, Electronics & IT Ministry, said, “We are opening the heart of this functional system used by 11.5 crore people.”
According to the government, releasing the app’s source code and announcing a bug bounty program together is an effort towards transparency, and a sign of its willingness to engage with security researchers.
This leads to the question: what is a bug bounty?
Bug bounty programs are often initiated to supplement internal code audits as part of an organisation's vulnerability management strategy.
Some full-time bounty hunters earn millions of dollars in bug bounty rewards for responsibly disclosing vulnerabilities in software products.
In 2019, at least six individual hackers earned over one million dollars each from bug bounties, HackerOne, a bug bounty platform, announced. Among them was Santiago Lopez, a 19-year-old from Argentina who became the world’s first hacker to earn $1 million through bug bounty programs.
In 2019 Google paid out $6.5 million in bug bounty rewards. Its Android Security Rewards program, meanwhile, added new exploit categories and raised the top prize to $1 million.
Apple, too, has opened its previously closed bug bounty program to all security researchers, and will pay between $100,000 (Rs 71.1 lakh approx) and $1 million (Rs 10 crore approx).
While such programs are common in the United States of America and Europe, very few Indian software and technology companies offer monetary rewards to security analysts and hackers for finding and reporting vulnerabilities.
“In India bug reporting programs exist but not many bug bounty programs. In India, companies do want to accept bug reports but do not account for monetary rewards for disclosures in their budgets,” said Karan Saini, a security researcher based in Bangalore.
“Since Aarogya Setu got attention from the likes of French hacker Robert Baptiste (known by pseudonym Elliot Alderson), they had to open a direct line of communication about any vulnerabilities,” Saini added.
Saini, who has reported vulnerabilities in the past as part of bug bounty programs, explained that in offering monetary rewards, “Big companies offload the responsibility of finding vulnerabilities to third parties.”
Even though Indian companies aren’t known to offer bug bounties, there is a large and thriving community of Indian hackers who report vulnerabilities.
Shubham Patel, a 21-year-old bounty hunter from Morbi in Gujarat, is among the top 100 hackers on HackerOne.
Known by his username Cuso4 on the platform, he is currently ranked 83 among 6 lakh users on HackerOne. Patel has made disclosures to companies like Sony, Alibaba, PayTm, Xiaomi among others.
Earlier in 2020, he had won a bounty of Rs 34,000 from PayTm and has now launched his own cybersecurity company.
“Very few Indian companies have bug bounty programs, something that has to change in order to promote better security. Aarogya Setu’s program is a step in the right direction and it appears that the government is finally getting serious about security issues,” Patel told The Quint.
“Earlier this year I was also invited by the National Crime Records Bureau (NCRB) for their bug bounty event. We were given access to a police website and asked to hack into one of their databases,” Patel added.
According to him, “In a month a full-time bounty hunter can earn up to Rs 6-7 lakh.”
“I’m creating an Indian version of HackerOne. The idea is to make a private platform where companies and top hackers globally can register and an ecosystem in India can be created,” he said.
According to the official description, the program has two major goals:
The document specifies that a responsible disclosure by a security researcher must concern “a previously unknown valid security vulnerability” and that “the exploitability of the reported vulnerabilities should be viewed in the context of a normal smartphone user.”
Three kinds of vulnerabilities would be eligible for rewards
In addition to the bug bounty, a reward of Rs 1 lakh has also been offered for code improvements that have “a significant impact on the app’s overall performance improvement, battery usage reduction, memory and bandwidth reduction.”
Both security researchers The Quint spoke with raised concerns about the manner in which Aarogya Setu is accepting responsible disclosures of bugs.
Unlike most companies that register on bug bounty platforms like BugCrowd or HackerOne, Aarogya Setu is accepting reports via e-mail.
“Security or Privacy related flaws discovered by the security researchers should be notified to: as-bugbounty@nic.in only, with subject line: Security Vulnerability Report,” the official document states.
1. TRANSPARENCY ISSUES
Saini points out that Aarogya Setu does not have any public bug tracker apart from GitHub. “Even if I submit a vulnerability report there is no mechanism as such to acknowledge the receipt of my report. Ideally a dashboard announces that a reported bug has been received, acknowledged or dismissed, and ultimately fixed,” he said.
“In terms of transparency, having a public bug tracker is important,” he added.
2. PROGRAM FOR 30 DAYS ONLY
The program is open for only 30 days, from 27 May to 26 June, and only entries received in this period will be considered for a reward. Researchers say that such a short window is not common practice among companies that run bounty programs.
3. E-MAIL SUBMISSION A CUMBERSOME IDEA
Shubham Patel pointed out that the app’s bounty program receives submissions only through e-mail, a process that isn’t the most efficient and can become difficult to manage. “They may get over 500 mails a day from India and around the world. A platform makes this easier,” he said. Over a month, the mails may run into tens of thousands.
4. DEFINING SECURITY VULNERABILITIES
While the program document outlines the scope of vulnerabilities, it does not specify the different categories of vulnerabilities it covers. “Organisations with robust programs go into granular detail about the different kinds of vulnerabilities they are looking for and how much they would pay for each,” Saini said.
“Along with this, they also outline what areas of the infrastructure researchers should refrain from interacting with, as well as several types of bugs researchers should refrain from submitting reports for,” he further added.