Indian Government Announces Bug Bounty for Aadhaar
The Unique Identification Authority of India (UIDAI) has announced a Bug Bounty program for Aadhaar to find vulnerabilities in its systems.
There has long been demand for such an exercise, as multiple claims have been made about loopholes in the security of Aadhaar data. Inviting ethical hackers to test the system is a welcome step from the Indian Government.
The notification released by the Government of India regarding the Aadhaar Bug Bounty program reads:
Aadhaar is the world’s largest digital identity program that provides for good governance, and efficient, transparent, and targeted delivery of subsidies, benefits, and services to over 1.32 billion Indian residents. UIDAI consistently undertakes strategic security initiatives to strengthen its foundational security infrastructure for secure and safe delivery of Aadhaar services. In its endeavour to secure Aadhaar data hosted in UIDAI’s Central Identities Data Repository (CIDR), UIDAI intends to conduct a ‘Bug Bounty’ program along with responsible disclosure of vulnerabilities.
UIDAI is the first government agency to conduct such a program. It is not clear from the order whether the ethical hackers will be paid for the exercise, but they will be registered or empanelled before being brought on board. To conduct the ‘Bug Bounty’ program, UIDAI has set the following terms and conditions for participation:

| S.No. | Empanelment / Registration Criteria |
|---|---|
| a) | Candidate should be either an individual or a group of individuals not representing / aligned to any organization and should participate in his/her own individual capacity / group. The individual/group of individuals should be Indian residents having a valid Aadhaar number. The candidate is responsible for reviewing his/her/their employer's rules for participating in the Program and should be free from any conflict of interest with UIDAI. |
| b) | The Candidate(s) must not be a current or former employee of UIDAI or one of its contracted technology support and audit organizations during the past 7 years. |
| c) | The Candidate should be listed in the top 100 of a bug bounty leaderboard such as HackerOne or Bugcrowd, or listed in the Bounty Programs conducted by reputable companies such as Microsoft, Google, Facebook, Apple etc., or the candidate should be active in the bug bounty community/programs and should have submitted valid bugs or received a bounty in the last one year. |
From the above Empanelment / Registration Criteria it is clear that UIDAI will examine each candidate's reputation and rank on platforms such as HackerOne and Bugcrowd over the last one year when deciding on enrollment into the program.
What is Aadhaar?
Aadhaar is a 12-digit individual identification number issued by the Unique Identification Authority of India on behalf of the Government of India. The number serves as proof of identity and address, anywhere in India.
Any individual, irrespective of age and gender, who is a resident in India and satisfies the verification process laid down by the UIDAI can enroll for Aadhaar. Individuals need to enroll only once; in case of multiple enrolments, the Aadhaar is generated against one of the enrolment IDs while the others are rejected as duplicates. Aadhaar enrolment is free of cost for all residents of India.
The Aadhaar number is unique for each individual and remains valid for a lifetime. It helps residents avail of various services, such as banking, mobile phone connections, and other government and non-government services, in due course.
Other key points about Aadhaar:
- Online verification of demographic information in a cost-effective way
- Unique and robust enough to eliminate a large number of duplicate and fake identities in government and private databases
- A random number is generated, devoid of any classification based on caste, creed, religion, and geography
Registration for the Aadhaar Bug Bounty Program
- Participation in the ‘Bug Bounty’ Program will be limited to 20 candidates (individuals/groups of individuals).
- In case more than 20 applications for registration are received, UIDAI will select only the top 20 suitable candidates for participation in the ‘Bug Bounty’ Program.
- An independent committee will be formed by UIDAI to assess and verify the candidates' credentials, past bug hunting records/references, citations, etc.
- Participants need to sign a Non-Disclosure Agreement (NDA) with UIDAI and abide by the instructions of UIDAI.
- In case any candidate withdraws from participation in the ‘Bug Bounty’ program after successful registration, UIDAI will allow another candidate to replace the withdrawing candidate.