UIDAI Launches Bug Bounty Programme to Further Strengthen Aadhaar Security
1. At a Glance
- UIDAI's first structured Bug Bounty Programme, launched 11 March 2026, invites vetted ethical hackers to discover vulnerabilities in core Aadhaar digital assets in exchange for severity-graded rewards [S1].
- Marks a shift from closed in-house security audits to a coordinated vulnerability disclosure (CVD) model — a global best practice now formalised for India's largest digital ID system [S1].
- UPSC relevance: intersects GS-II (governance, digital ID, privacy) and GS-III (cyber security, internal security via IT infrastructure).
2. Why in the News
- On 11 March 2026, the Unique Identification Authority of India (UIDAI) under the Ministry of Electronics & Information Technology (MeitY) launched its first structured Bug Bounty Programme with a 20-member panel of ethical hackers/researchers [S1].
- Programme is operated in partnership with M/s ComOlho IT Pvt. Ltd., a cybersecurity firm acting as the platform partner [S2].
3. Background & Evolution
- UIDAI established in Jan 2009 under Planning Commission; statutory body since Aadhaar Act, 2016 under MeitY.
- Predecessor government bug-bounty: Aarogya Setu Bug Bounty Programme announced in 2020 by MeitY/NIC — first government-of-India bug bounty [S3].
- UIDAI's prior security tie-ups: UIDAI–SETS (Society for Electronic Transactions and Security, Chennai) MoU in 2023 for R&D in quantum computing, IoT and cyber security [S4].
- 2025–26 challenges (deepfake/spoofing detection for face authentication) under PRID 2179959 preceded the bug bounty [S5].
4. Core Static Facts
- Parent ministry: Ministry of Electronics & Information Technology (MeitY) [S1].
- Implementing body: UIDAI (statutory authority under Section 11, Aadhaar Act 2016).
- Launch date: 11 March 2026 [S1].
- Participants: 20 selected security researchers/ethical hackers (closed panel, invite-based) [S1].
- Scope (in-scope assets): UIDAI official website, myAadhaar portal, Secure QR Code application [S1].
- Reward basis: Severity-tiered — Critical / High / Medium / Low [S2].
- Platform partner: M/s ComOlho IT Pvt. Ltd. [S2].
- Model: Responsible/coordinated vulnerability disclosure (RVD/CVD).
5. Multi-Dimensional Analysis
Scientific / Technological
- Crowdsources offensive security testing — uncovers flaws in-house audits and CERT-In empanelled auditors may miss [S1][S6].
- Targets web, mobile and crypto-attestation (Secure QR Code) layers — covers full stack of resident-facing Aadhaar services [S1].
Legal / Constitutional
- Operates within the Aadhaar Act 2016 (Section 28 — security & confidentiality of identity information) and Digital Personal Data Protection (DPDP) Act 2023 duties on data fiduciaries.
- Reinforces compliance with Puttaswamy (2017) privacy judgment by hardening technical safeguards demanded as "reasonable security".
Governance / Ethical
- Closed-panel model balances transparency vs. risk — limits exposure of critical national infrastructure while still tapping external expertise [S1].
- Aligns with CERT-In's Cyber Crisis Management Plan and the National Cyber Security Policy 2013 ecosystem [S6].
Administrative
- Builds an institutional pipeline of vetted researchers UIDAI can re-engage; reduces reliance solely on empanelled auditors.
- Tiered reward structure incentivises focus on high-impact bugs (auth bypass, data exposure) over cosmetic issues [S2].
6. Recent Developments (last 12-18 months)
- Mar 2026: Bug Bounty Programme launched [S1].
- Feb 2026: UIDAI Data Hackathon 2026 showcased data-driven governance solutions [S7].
- 2025: UIDAI Grand Challenge for deepfake/mask/spoofing attack detection in Aadhaar face authentication (applications till 15 Nov 2025) [S5].
- 2024: UIDAI partnered with Sarvam AI (indigenous GenAI) for Aadhaar service UX [S8].
7. Prelims Hooks
- UIDAI launched its first structured Bug Bounty Programme on 11 March 2026 [S1].
- Programme covers three assets: UIDAI website, myAadhaar portal, Secure QR Code application [S1].
- Panel size: 20 ethical hackers/researchers (invitation-based) [S1].
- Industry partner: ComOlho IT Pvt. Ltd. [S2].
- Reward tiers: Critical, High, Medium, Low (severity-based) [S2].
- UIDAI is a statutory body under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.
- Parent ministry: MeitY (NOT Ministry of Home Affairs, NOT Finance).
- India's first government bug bounty was for Aarogya Setu (2020) — not Aadhaar [S3].
- UIDAI signed cyber-security R&D MoU with SETS, Chennai [S4].
- CERT-In (under MeitY) is India's nodal cyber-incident response agency [S6].
- Puttaswamy v. Union of India (2017) made privacy a fundamental right (Art. 21).
- DPDP Act 2023 governs personal data processing in India.
8. Mains Relevance
- GS-II: e-Governance — applications, models, successes & limitations; citizens' charters; protection of vulnerable sections (digital ID).
- GS-III: Challenges to internal security through communication networks; basics of cyber security; role of agencies.
- Probable stems:
  1. "Bug-bounty programmes mark a maturing of India's approach to securing critical digital public infrastructure. Discuss with reference to UIDAI's 2026 initiative." (GS-III, 250 words)
  2. "Coordinated vulnerability disclosure must coexist with statutory liability under the Aadhaar Act and DPDP Act. Examine." (GS-II, 150 words)
  3. "Trust in Aadhaar rests as much on perception as on technical safeguards. Evaluate UIDAI's recent measures." (GS-II)
9. Related Topics to Study Next
- Aadhaar Act 2016 & Puttaswamy judgment — statutory & constitutional base.
- DPDP Act 2023 — data fiduciary obligations relevant to UIDAI.
- CERT-In & CERT-In Directions of April 2022 — incident reporting regime [S6].
- Digital Public Infrastructure (DPI) / India Stack — Aadhaar as foundational layer.
- National Cyber Security Policy 2013 & upcoming National Cyber Security Strategy.
- Aarogya Setu Bug Bounty (2020) — first GoI precedent [S3].
- SETS, Chennai — DST-promoted cyber R&D body [S4].
- Face authentication / deepfake challenge by UIDAI [S5].
10. Common Errors / Trap Areas
- Wrong ministry: UIDAI is under MeitY, not Ministry of Home Affairs or Finance.
- "First Indian govt bug bounty" — that title belongs to Aarogya Setu (2020), not UIDAI [S3].
- Open vs. closed model: UIDAI's programme is closed/invite-only (20 researchers), not a public bug bounty like HackerOne open programmes [S1].
- Scope confusion: The programme covers front-end public assets (website, myAadhaar, QR app) — not the CIDR (Central Identities Data Repository) core [S1].
- Don't confuse UIDAI's bug bounty with CERT-In's RVDP (Responsible Vulnerability Disclosure Programme) — separate frameworks.
11. Sources
- [S1] UIDAI Launches Bug Bounty Programme to Further Strengthen Aadhaar Security (PIB, 11 Mar 2026) — https://www.pib.gov.in/PressReleasePage.aspx?PRID=2238233 — (tier 1)
- [S2] PIB Detail page (same release, additional reward/partner detail) — https://www.pib.gov.in/PressReleseDetailm.aspx?PRID=2238233 — (tier 1)
- [S3] Government announces Bug Bounty Programme for Aarogya Setu (PIB, 2020) — https://www.pib.gov.in/PressReleasePage.aspx?PRID=1627154 — (tier 1)
- [S4] UIDAI and SETS join hands for R&D in Quantum Computing, IoT Security and Cyber Security (PIB) — https://www.pib.gov.in/PressReleasePage.aspx?PRID=1910127 — (tier 1)
- [S5] UIDAI Seeks Solutions to Defeat Deepfakes/Spoofing in Face Authentication (PIB) — https://www.pib.gov.in/PressReleasePage.aspx?PRID=2179959 — (tier 1)
- [S6] CERT-In: India's Frontline Defender against Cyber Threats (PIB document, Jan 2026) — https://static.pib.gov.in/WriteReadData/specificdocs/documents/2026/jan/doc2026123764501.pdf — (tier 1)
- [S7] UIDAI Data Hackathon 2026 (PIB) — https://www.pib.gov.in/PressReleaseDetail.aspx?PRID=2259168 — (tier 1)
- [S8] UIDAI partners with Sarvam AI (PIB) — https://www.pib.gov.in/PressReleaseIframePage.aspx?PRID=2112485 — (tier 1)