UIDAI calls for 20 top ethical hackers to understand vulnerabilities in Aadhaar data security

The Unique Identification Authority of India (UIDAI) has called for 20 top hackers to find vulnerabilities in the security system that guards the Aadhaar data of 1.32 billion Indians, terming the exercise a “bug bounty programme”.

There has long been a demand for such an exercise, as multiple claims have been made about loopholes in the security of Aadhaar data. Ethical hackers do this for leading organisations globally. News18 has accessed an order issued by the UIDAI on 13 July, saying it has decided to run the bug bounty programme on its systems.

Twenty individual hackers or groups would be given a chance to study the UIDAI’s Central Identities Data Repository (CIDR), which stores the Aadhaar data of 1.32 billion Indians, the world’s largest digital database of people. “The selected candidate should be listed in top 100 of the bug bounty leaders board such as HackerOne, Bugcrowd or listed in the Bounty Programs conducted by reputable companies such as Microsoft, Google, Facebook, or Apple etc.,” the order says.

“Or the candidate should be active in the bug bounty community or programs and should have submitted valid bugs or received bounty in the last one year,” the order adds. They will need to sign a non-disclosure agreement with UIDAI and abide by its instructions. UIDAI has, interestingly, also said that the 20 hackers selected for the programme “must have a valid Aadhaar number and be Indian residents”.

UIDAI will perhaps be the first government agency to conduct such a programme. It is not clear from the order if the ethical hackers will be paid for the exercise. But they will be registered or empanelled before being brought on board.

UIDAI says its endeavour is to secure Aadhaar data hosted in the CIDR, “along with responsible disclosure of vulnerabilities”. No candidate can be a current or former employee of UIDAI or one of its contracted technology support and audit organisations during the past seven years.

“In case more than 20 applications are received, then UIDAI reserves the right to evaluate and select top 20 suitable candidates…an independent committee shall be formulated to assess and verify the candidates’ credentials, past bug hunting records or references and citations,” the order says.

UIDAI has also said that the candidate should be either an individual or a group of individuals not representing or aligned with any organisation, and should participate in their own individual capacity. “UIDAI consistently undertakes strategic security initiatives to strengthen its foundational security infrastructure for secure and safe delivery of Aadhaar services,” the order issued on 13 July stressed.