Aarogya Setu has revealed the source code of the Android version of the application to the public. On Tuesday, Aarogya Setu team announced to make the app source code and provide an opportunity for the developers to review the code and suggest improvements and also find vulnerabilities if any.
The team also announced a bug bounty programme as the Aarogya Setu team wants to collaborate with developers across the country and make the app robust and secure.
“Those identifying vulnerabilities, bugs or code improvement stand to get recognized and win cash awards too,” Aarogya Setu said. Prize money of 1 lakh has been announced for the country programme.
“I just want to point out that this is a very very unique thing to be done,” NITI Aayog CEO Amitabh Kant said. “No other government product anywhere in the world has been open-sourced at this scale anywhere in the world.”
Here’s how to access Aarogya Setu source code
To get access to the source code you will need to head over to https://github.com/nic-delhi/AarogyaSetu_Android and sign up to participate. At the time of writing the website had 76 issues and 29 pull requests.
The process of supporting the open-source development will be managed by National Informatics Centre (NIC) and all code suggestions will be processed through pull request reviews.
On opening the source to the developer community the government of India said that the move signifies their continuing commitment to the principles of transparency and collaboration.
“With the release of the source code in the public domain, we are looking to expanding collaboration and to leverage the expertise of top technical brains amongst the talented youth and citizens of our nation and to collectively build a robust and secure technology solution to help support the work of frontline health workers in fighting this pandemic,” the Aarogya Setu team noted.
The government has also announced that the iOS and KiOS version of the Aarogya Setu app will be released as open-source within the next two weeks and the server code will also be released subsequently. Stating the reason for releasing the code first for Android the government said nearly 98 per cent users of Aarogya Setu app use an Android phone.
Who will be eligible for rewards?
Not everyone will be eligible to get rewards. Notably, only those submissions that meet the following eligibility requirements may receive a reward:
1) The vulnerability must be a qualifying vulnerability so researchers must take a note of that.
2) Security Researcher may not publicly disclose the vulnerability prior to the resolution.
3) The Researcher reporting the vulnerability improvements should not be working for AarogyaSetu Project or its related activities or initiatives.
4) Employees (including their family members) of National Informatics Centre (NIC) and Ministry of Electronics & IT (MeitY) and its constituent organizations are not eligible.
About bug bounty programme
- To participate everyone, including researchers and users of Aarogya Setu app will need to find and report any vulnerability impacting the privacy and information security posture of the application.
- Any security or privacy related flaws discovered by the security researchers will then need to be notified to [email protected] with subject line “Security Vulnerability Report.
- “Doing so will be called ‘responsible disclosure’ and only such responsible disclosures shall be eligible for rewards.”
- For reporting improvements to the source code users or researchers or developers can also report to [email protected], with the subject line “Code Improvement”.
- The security researchers will need to document the findings thoroughly. Notably, reports with complete vulnerability details, including screenshots or video of POC, are essential for being eligible for the reward.
- The Aarogya Setu Team will contact the researchers to confirm that they have received their report.
For more details of the bug bounty programme head over to MyGov website.