As per the rules of the bug bounty programme shared on the MyGov.in website, only these three categories of vulnerabilities shall be eligible for a reward:
-By exploiting the vulnerability, one should be able to access an individual’s Aarogya Setu data on an Android phone, or remotely submit a self-assessment through the phone.
-By exploiting the vulnerability, one should be able to access other people’s data from an individual’s app or phone — other than their own Aarogya Setu data and other than Digital ID (DiD) data broadcast by bluetooth in the vicinity of the phone.
-The vulnerability should be able to compromise Aarogya Setu servers or hack the servers such that the servers become buggy, crash or expose any personal data other than the user’s own data or services already provided by the existing APIs.
