UIDAI Bug Bounty Programme: 20 Ethical Hackers to Reportedly Detect, Fix Aadhaar Data Security Issues

These 20 hackers will be given access to the Central Identities Data Repository.

By Sourabh Kulesh | Updated: 20 July 2022 16:27 IST

UIDAI Bug Bounty Programme: 20 Ethical Hackers to Reportedly Detect, Fix Aadhaar Data Security Issues

CIDR stores Aadhaar data of 1.32 billion Indians

Highlights

Applicants should be listed in top 100 of bug bounty leaders
The hackers must sign a non-disclosure agreement
No information on remuneration for the exercise

The Unique Identification Authority of India (UIDAI) has reportedly called out for 20 hackers who will be tasked to detect and fix vulnerabilities in the security system that guards the Aadhaar data of Indian citizens as a part of “bug bounty programme”. A report says that these “ethical” hackers will be given access to the UIDAI's Central Identities Data Repository (CIDR) that stores the Aadhaar data of 1.32 billion Indians. There have been instances in the past where Aadhaar details of people were leaked on the internet.

As per a report by News 18, an order was issued by the UIDAI on July 13 and it mentions that the authority has decided to run the bug bounty programme on its systems. Under this programme, these 20 hackers will be given access to the UIDAI's Central Identities Data Repository (CIDR) that stores the Aadhaar data of 1.32 billion Indians. They will find loopholes in the Aadhaar data security system and help the authority fix them.

In order to be selected by UIDAI, the applicants “should be listed in top 100 of the bug bounty leaders board such as HackerOne, Bugcrowd, or listed in the Bounty Programs conducted by reputable companies such as Microsoft, Google, Facebook, or Apple etc.” As per the order, “...the candidate should be active in the bug bounty community or programs and should have submitted valid bugs or received bounty in the last one year.”

Aadhaar Infrastructure Flaws Detailed in CAG Report on UIDAI Functioning

Furthermore, the applicant is required to be an Indian resident and must have a valid Aadhaar number. The selected lot will also sign a non-disclosure agreement with UIDAI. If you are a current or former employee of UIDAI or one of its contracted technology support and audit organisations during the past seven years, you are not eligible for the work.

“In case more than 20 applications are received, then UIDAI reserves the right to evaluate and select top 20 suitable candidates…an independent committee shall be formulated to assess and verify the candidates' credentials, past bug hunting records or references and citations,” as per the order. There is no information available on whether or not these ethical hackers are paid remuneration for the exercise.

The development comes a month after it was reported that Aadhaar data of a large number of farmers was leaked by PM Kisan website, which is designed for the welfare of the agriculture sector in India. “The website provides an endpoint, which returns information about the beneficiary. This endpoint was also sending Aadhaar numbers,” Security researcher Atul Nair told Gadgets 360.

Indian Government Withdraws Advisory Against Sharing Photocopy of Aadhaar

In 2019, the Jharkhand government reportedly exposed the unique identification numbers of its thousands of workers. State-owned liquid petroleum gas (LPG) manufacturer Indane was also reported to have exposed Aadhaar details of millions of its consumers.

Is the Nothing Phone 1 worth it beyond its design choices? We discuss this on Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.

Affiliate links may be automatically generated - see our ethics statement for details.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.