UIDAI Bug Bounty Programme: 20 Ethical Hackers to Reportedly Detect, Fix Aadhaar Data Security Issues

The Unique Identification Authority of India (UIDAI) has reportedly called out for 20 hackers who will be tasked to detect and fix vulnerabilities in the security system that guards the Aadhaar data of Indian citizens as a part of “bug bounty programme”. A report says that these “ethical” hackers will be given access to the UIDAI's Central Identities Data Repository (CIDR) that stores the Aadhaar data of 1.32 billion Indians. There have been instances in the past where Aadhaar details of people were leaked on the internet.

As per a report by News 18, an order was issued by the UIDAI on July 13 and it mentions that the authority has decided to run the bug bounty programme on its systems. Under this programme, these 20 hackers will be given access to the UIDAI's Central Identities Data Repository (CIDR) that stores the Aadhaar data of 1.32 billion Indians. They will find loopholes in the Aadhaar data security system and help the authority fix them.

In order to be selected by UIDAI, the applicants “should be listed in top 100 of the bug bounty leaders board such as HackerOne, Bugcrowd, or listed in the Bounty Programs conducted by reputable companies such as Microsoft, Google, Facebook, or Apple etc.” As per the order, “...the candidate should be active in the bug bounty community or programs and should have submitted valid bugs or received bounty in the last one year.”

Furthermore, the applicant is required to be an Indian resident and must have a valid Aadhaar number. The selected lot will also sign a non-disclosure agreement with UIDAI. If you are a current or former employee of UIDAI or one of its contracted technology support and audit organisations during the past seven years, you are not eligible for the work.

“In case more than 20 applications are received, then UIDAI reserves the right to evaluate and select top 20 suitable candidates…an independent committee shall be formulated to assess and verify the candidates' credentials, past bug hunting records or references and citations,” as per the order. There is no information available on whether or not these ethical hackers are paid remuneration for the exercise.

The development comes a month after it was reported that Aadhaar data of a large number of farmers was leaked by PM Kisan website, which is designed for the welfare of the agriculture sector in India. “The website provides an endpoint, which returns information about the beneficiary. This endpoint was also sending Aadhaar numbers,” Security researcher Atul Nair told Gadgets 360.

In 2019, the Jharkhand government reportedly exposed the unique identification numbers of its thousands of workers. State-owned liquid petroleum gas (LPG) manufacturer Indane was also reported to have exposed Aadhaar details of millions of its consumers.