Govt open sources Aarogya Setu, announces bounty for finding security flaws

Launches bug bounty plan to test its security effectiveness

The central government on Tuesday said it was open-sourcing the code of its Covid-19 contact-tracing app Aarogya Setu.

The source code for the Android version of the application will be available for review and collaboration on open source code repository Github. The iOS version of the application will be released as open source within the next two weeks and the server code will be released subsequently. 

Almost 98 per cent of Aarogya Setu users are on Android platform. The app had over 114 million users as of Tuesday, maintaining its status as the most downloaded contact-tracing app in the world. 

Open-sourcing an app means people can look at the code and suggest improvements or issues, and also use the code under a licence to develop similar products. India has an open source policy in place since 2015. 

The source code of any government application, according to the policy, shall be available for the community/adopter/ end-user to study and modify the software and to redistribute copies of either the original or modified software, and would be “free from royalty”.

 

 

Welcoming the move, Mishi Choudhary, technology lawyer and founder of legal services firm Software Freedom Law Centre, said: “The Government of India has an amazing policy on adoption of open source software that encourages formal adoption and use of open source software in government organisations.

Aarogya Setu should always have been open source, right from the start, and everything developed by the government should always be open source as that’s taxpayers’ money. We will be verifying that all code is open source and global best practices are followed... Work to ensure that the app doesn’t mutate into any other vehicle that plays with sensitive information of such a large population should continue.”

The government has also reached out to the developer community to help identify any vulnerabilities or code improvement in order to make the app more robust and secure.

“Towards this objective, the government has also launched a Bug Bounty Programme with a goal to partner security researchers and developer community to test the security effectiveness of the app, and also to improve or enhance its security and build user’s trust,” said the Ministry of Electronics and Information Technology.