The Unique Identification Authority of India (UIDAI) has announced a ‘Bug Bounty’ program to find vulnerabilities in Aadhaar’s data security system.
In the circular launched by the government, it seeks the top 20 white hat hackers to expose any vulnerabilities in its Central Identities Data Repository (CIDR).
The circular read: “In its endeavor to secure Aadhaar data hosted in UIDAI’s CIDR, UIDAI intends to conduct a ‘Bug Bounty’ program along with responsible disclosure of vulnerabilities.”
Why Such An Initiative?
This is not the first time that white hat hackers have been called upon to expose vulnerabilities in a system. Large multinational companies have undertaken such initiatives before, offering these hackers monetary compensation for finding such inconsistencies.
But why would anyone want an outsider to attack and rummage through their system? The answer lies in “damage control”. It is better to be aware of any loopholes before a negative actor exploits the bug.
The circular launched by the government, however, does not mention any financial remuneration in return for the services.
As for eligibility, the UIDAI said that candidates listed among the top 100 bug bounty leaders on websites such as HackerOne and Bugcrowd would be allowed to participate in the event. Additionally, candidates listed in the bounty programmes conducted by companies such as Microsoft, Google, Facebook and Apple can also participate in the event.
Apart from the aforementioned, those who have submitted valid bugs or received a bounty in the last one year will also be eligible to participate in the initiative.
When it comes to reporting the vulnerabilities plaguing the system, the number of participants has been capped at 20 by UIDAI. The body will form a panel, and applicants to the program will be vetted and selected accordingly.
To avoid any breach of sensitive information acquired during the process, the selected candidates will be called upon to sign non-disclosure agreements with the UIDAI.
Current and former employees of the agency have been barred from participating. Those who have worked via contracted technology support and audit organizations hired by the UIDAI in the last 7 years will also not be eligible to participate in the event.
All those who intend to participate in the event have been asked to do so in their individual capacity, and not to be aligned with any organization.
What is Aadhaar & Why Is It Important?
Aadhaar is a 12-digit unique identity number assigned to a citizen which stores personal and biometric data. It is the world’s largest digital identity program, as it is related to more than 1.32 Bn Indians.
For those who are looking to leak personal information, Aadhaar is a major resource, and if the UIDAI system is vulnerable, the data of crores of Indians will be compromised and exploited.
The government told the Supreme Court that Aadhaar data is protected by 2048-bit encryption. The 2048-bit encryption, it said, means that it will take ‘more than the age of the universe for the fastest computer on earth, or any supercomputer, to break one key of Aadhaar encryption’.
Fortunately, or unfortunately, to prove the impregnability of the encryption, the Telecom Regulatory Authority of India (TRAI) chairman RS Sharma put out his Aadhaar card number online and challenged hackers to fetch his details.
Only a few hours later, hackers put his personal details in the public domain.