Bug bounty for Aadhaar: A long time coming, but is everyone happy?

Although security researchers contend that a bug bounty for Aadhaar is necessary given the frequent reports of Aadhaar data leaks, the eligibility criteria and structure of the program have raised quite a few eyebrows.

Over a week back, the Unique Identification Authority of India issued a circular inviting applications from candidates to take part in its first ever bug bounty program.

The circular said that the program will be limited to 20 empanelled/registered candidates. “The UIDAI reserves the right to evaluate and select top 20 suitable candidates for participation in the program,” it added.

“I don’t know how they came up with the number of 20 people, it should be open to everyone,” Nandakishore Harikumar, CEO and founder of Technisanct told Moneycontrol.

“Every security researcher should be able to go and identify a vulnerability and be able to report it. Bug bounty programs don’t limit people. There is no ranking of hackers. Every professional is good in their own sphere,” he said.

The cyber security researcher pointed out that there are many professionals who are not part of bug bounty programs but are equally capable of solving problems.

Security researcher Karan Saini, who had earlier reported ‘vulnerabilities’ in Aadhaar, criticised the non-disclosure agreement (NDA) requirement in the program.

“Since one has to be ‘chosen’ to be part of this program, this is essentially freelance ‘pentesting’. Most publicly announced bug bounty programs do not require NDAs. This is not the bug bounty we asked for in essence,” Saini said.

A penetration test, also known as a pentest, is a simulated cyber attack on your computer system to check for exploitable vulnerabilities.

Saini, whose work as a security researcher has included bug bounty programs for the US Department of Defence, points out that even there he was not bound by NDAs.

In 2018, he found a security vulnerability in a system run by a state-owned utility company that allowed anyone to download sensitive Aadhaar information. However, UIDAI had then dismissed his findings, Saini said.

Harikumar maintains that the bug bounty program should have been done years ago. “Till now, they were defending it saying Aadhaar will never get leaked and it is secure. We have seen in multiple cases where Aadhaar has been exposed, even compliance measures were not properly maintained,” he said.

After the circular was issued on July 13, Moneycontrol learnt that several India-based bug bounty program leaders are still filing their applications in the hope of getting selected.

But who will be selected, and how, remains to be seen.
