In a major move by the government to bring transparency to the functioning of India’s Covid-19 contact tracing application Aarogya Setu, the ministry of electronics and information technology on Tuesday released the source code for the Android version of the app.
Additionally, policy think tank NITI Aayog also announced a bug bounty programme for developers to find and solve security issues in the application.
The bug bounty will be hosted by citizen engagement platform MyGov. Participants will receive Rs 1 lakh for finding vulnerabilities along with an additional code improvement reward of Rs 1 lakh.
The source code for the Android version is now available on software development platform GitHub.
Aarogya Setu, since its launch 41 days ago, has had over 11.4 crore downloads. Two-thirds of users have taken self-assessments to evaluate their risk of exposure to Covid-19. Close to 98% of users run the Android version of the application.
According to the government, the application has helped identify close to 500,000 Bluetooth contacts. These people were contacted by the National Health Authority to quarantine or get tested for Covid-19. Out of those identified, 24% have been found to be Covid-19 positive.
The source code for the iOS and KaiOS versions is expected to be made public in two weeks.
“Opening the source code to the developer community is a positive step towards instilling the principles of transparency and collaboration in e-governance,” Kazim Rizvi, founder of the Dialogue, a policy think tank, said in a statement.
However, Mozilla, the not-for-profit behind the open-source web browser Mozilla Firefox, said that some significant steps were still needed before the app’s infrastructure could truly be called open source.
“This includes open sourcing the server-side code and ensuring that the app is built exclusively from its public repository,” Udbhav Tiwari, Public Policy Advisor, Mozilla, said in a separate statement.
Tiwari added that Indians are still awaiting a comprehensive data protection law that would provide security from the inherent privacy risks of exposure notification technology.