UIDAI has called for empanelment of 20 top white hat hackers to expose any vulnerabilities in its Central Identities Data Repository
In its endeavour to secure Aadhaar data hosted in UIDAI’s CIDR, the UIDAI intends to conduct a ‘Bug Bounty’ program along with responsible disclosure of vulnerabilities, a circular said
The selected candidates will sign non-disclosure agreements with the UIDAI to avoid any breach of sensitive information acquired during the process
The Unique Identification Authority of India (UIDAI) has announced a ‘Bug Bounty’ programme to figure out vulnerabilities in Aadhaar’s data security system.
In a circular, the government arm called for empanelment of 20 top white hat hackers to expose any vulnerabilities in its Central Identities Data Repository (CIDR).
“In its endeavour to secure Aadhaar data hosted in UIDAI’s CIDR, UIDAI intends to conduct a ‘Bug Bounty’ program along with responsible disclosure of vulnerabilities,” the circular said.
Such initiatives are common and large multinational companies offer monetary compensation in lieu of hackers exposing any vulnerabilities in a system. These initiatives enable companies to plug any loopholes before a negative actor exploits the bug to exploit the weakness.
The circular, which was issued on July 13, did not mention any financial remuneration in lieu of the services.
Elaborating on the eligibility criteria, the UIDAI said that the candidates listed among the top 100 bug bounty leaders on websites such as HackerOne and Bugcrowd would be allowed to participate in the event. Additionally, candidates listed in the bounty programmes conducted by companies such as Microsoft, Google, Facebook and Apple can also participate in the event.
Apart from that, applicants who have submitted valid bugs or received bounty in the last one year will also be eligible to participate in the initiative.
The UIDAI has capped the number of participants at 20 to report on the vulnerabilities plaguing the system. The body will form a panel to evaluate the applicants and verify the candidate credentials, and select the candidates accordingly.
The selected candidates will sign non-disclosure agreements with the UIDAI to avoid any breach of sensitive information acquired during the process.
The UIDAI has, however, barred current and former employees of the agency from participating in the programme. Employees who have worked via contracted technology support and audit organisations hired by the UIDAI in the last 7 years will also be not eligible to participate in the event.
The candidates have also been told to participate in individual capacity, and they should not be aligned to any organisation.
Aadhaar is the world’s largest digital identity program that is host to personal and biometric data related to more than 1.32 Bn Indians. Under this, a 12-digit unique identity number is assigned to a citizen under which all data related to the person is stored.
As such, Aadhaar is a major resource for hackers looking to leak personal information. A vulnerable system could be exploited by hackers to access data and exploit vulnerabilities.
Previously, the government had told the Supreme Court that Aadhaar data is protected by a 2048 bit encryption and it would take ‘more than the age of the universe for the fastest computer on earth, or any supercomputer, to break one key of Aadhaar encryption’.
In a faux pas of sorts, hackers have previously proved many of these claims hollow. In 2018, the then Telecom Regulatory Authority of India (TRAI) chairman RS Sharma had shared his Aadhaar card number online and had issued a challenge to hackers to prove that it could be misused.
Hours later, Sharma’s personal details such as PAN number and alternative phone number were put out on public domain by hackers putting the spotlight on safety of data.
