UIDAI launches bug bounty programme to strengthen Aadhaar security
The Unique Identification Authority of India has launched a structured bug bounty programme aimed at improving the security of the Aadhaar ecosystem. UIDAI says the initiative will let selected cybersecurity experts look for weaknesses in key digital platforms and report them through a responsible disclosure process.
For the first phase, UIDAI selected a panel of 20 experienced security researchers and ethical hackers. The authority says these researchers will examine specific digital assets, including the official UIDAI website, the myAadhaar portal, and the Secure QR Code application.
UIDAI says the programme runs in partnership with ComOlho IT Private Limited. The goal is to uncover security gaps that routine internal checks or automated tools may miss, while ensuring that any valid findings reach UIDAI through secure reporting channels rather than public disclosure.
What the new UIDAI bug bounty covers
The official announcement says researchers can assess selected Aadhaar-related digital assets and their underlying APIs for possible weaknesses. UIDAI says valid findings will be reviewed and categorized by severity, including critical, high, medium, and low-risk issues.
That matters because bug bounty programmes often catch logic flaws and unusual exploit paths that standard scanning does not always detect well. This is an inference based on UIDAI’s statement that the programme aims to find weaknesses beyond what standard reviews may miss.
How rewards and disclosure will work
UIDAI says participating researchers will receive rewards if they find genuine vulnerabilities and report them responsibly. The amount will depend on the seriousness of the issue, which means higher-impact flaws should receive greater attention and faster remediation.
The authority also says the programme will follow strict responsible disclosure rules. That means researchers must submit vulnerabilities privately through approved channels instead of publishing them openly.
UIDAI says this adds to existing Aadhaar security controls
According to the PIB release, the bug bounty programme does not replace UIDAI’s existing security framework. Instead, it adds another layer to current protections, which already include regular security audits, vulnerability assessments, penetration testing, and continuous monitoring.
That point is important because the announcement frames the programme as an extra layer of defense, not a shift away from current controls. UIDAI presents it as part of a broader defense-in-depth approach for Aadhaar security.
UIDAI bug bounty at a glance
| Item | Details |
|---|---|
| Programme type | Structured bug bounty programme |
| Organizer | UIDAI |
| Partner | ComOlho IT Private Limited |
| First-phase researchers | 20 |
| Covered assets | UIDAI website, myAadhaar portal, Secure QR Code application |
| Reporting model | Responsible disclosure |
| Reward basis | Severity of valid findings |
Why this move matters
Aadhaar supports digital identity services at national scale, so any security improvement has broad impact. By bringing in outside researchers under controlled conditions, UIDAI appears to be following a common security model used to find weaknesses before malicious actors can exploit them. This is an inference drawn from UIDAI’s stated goal of proactively identifying and remediating vulnerabilities.
The official announcement also suggests UIDAI wants more targeted, hands-on testing of exposed digital assets. That can help uncover weaknesses in real workflows, especially around portals, APIs, and application logic. This is also an inference based on the list of covered platforms and the stated purpose of the programme.
FAQ
UIDAI has launched a structured bug bounty programme to strengthen Aadhaar security.
UIDAI says 20 experienced security researchers and ethical hackers were selected.
The official announcement names the UIDAI website, the myAadhaar portal, and the Secure QR Code application.
No. UIDAI says the programme adds to existing audits, vulnerability assessments, penetration testing, and monitoring.