UIDAI Launches Bug Bounty Programme to Further Strengthen Aadhaar Security


What Happened

  • The Unique Identification Authority of India (UIDAI) has launched its first structured Bug Bounty Programme to strengthen Aadhaar system security
  • Twenty vetted cybersecurity researchers and ethical hackers have been selected to probe for vulnerabilities in the UIDAI website, the myAadhaar portal, and the Secure QR Code application
  • Vulnerabilities are classified from Critical to Low risk levels, with rewards scaled to severity
  • The programme is administered in partnership with ComOlho IT Private Limited, a cybersecurity firm
  • This supplements UIDAI's existing security infrastructure of regular audits, vulnerability assessments, penetration testing, and continuous monitoring

Static Topic Bridges

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 provides the statutory basis for UIDAI and the Aadhaar system. UIDAI is a statutory authority established under Section 11 of the Act. The Act mandates the collection, storage, and use of biometric and demographic data for issuing a unique 12-digit identity number to every resident of India.

  • Section 7: Central and state governments may require Aadhaar for delivery of subsidies and benefits funded from the Consolidated Fund of India; alternatives must be provided to those without Aadhaar
  • Section 30: Biometric information is classified as "sensitive personal data or information" — it cannot be shared with anyone for any reason, and must not be used for purposes other than Aadhaar number generation and authentication
  • Core biometric information (fingerprints, iris) cannot be disclosed even on a court order below a District Judge level
  • The 2019 amendment to the Aadhaar Act permitted voluntary use of Aadhaar by private entities and introduced offline verification (Aadhaar XML, QR Code)

Connection to this news: The Bug Bounty Programme directly protects the systems governed by the Aadhaar Act, particularly the platforms through which authentication and verification of biometric data occur — ensuring that the Act's data protection guarantees remain technically enforceable.

Justice K.S. Puttaswamy v. Union of India — Right to Privacy and Aadhaar

The Supreme Court in Justice K.S. Puttaswamy v. Union of India (2017) unanimously declared the right to privacy a fundamental right under Article 21. A five-judge bench subsequently upheld Aadhaar (as modified) in 2018, striking down provisions that allowed private companies to use Aadhaar for authentication and certain provisions permitting metadata sharing. The Court held that Aadhaar's core architecture passes constitutional muster when limited to state welfare delivery.

  • Puttaswamy (2017) — nine-judge bench; right to privacy as part of Article 21 (right to life and personal liberty)
  • Puttaswamy (2018) — five-judge bench upheld Aadhaar Act with modifications; Section 57 (private use) struck down
  • The Digital Personal Data Protection Act, 2023 (DPDPA) — enacted 11 August 2023; implementing rules notified November 2025 — now governs personal data processing including Aadhaar-related data flows
  • The DPDPA provides for Data Fiduciaries, Data Principals, consent requirements, and a Data Protection Board

Connection to this news: The Bug Bounty Programme is a practical measure to uphold the constitutional privacy guarantees affirmed in the Puttaswamy judgments — ensuring that Aadhaar's security posture matches its legal obligations under both the Aadhaar Act and the DPDPA.

Bug Bounty Programmes — Cybersecurity Governance Framework

A bug bounty programme is a structured initiative where organisations invite ethical security researchers (white-hat hackers) to identify and responsibly disclose vulnerabilities in exchange for rewards. It is a globally accepted best practice in cybersecurity, used by major technology companies and governments. India's National Cyber Security Policy (2013) and the National Cyber Security Strategy (2020) emphasise proactive vulnerability disclosure as part of critical information infrastructure protection.

  • Critical Information Infrastructure (CII) — defined under the IT Act, 2000 (Section 70); UIDAI's systems qualify as CII
  • National Critical Information Infrastructure Protection Centre (NCIIPC) — established under Section 70A of the IT Act, 2000; protects CII
  • Indian Computer Emergency Response Team (CERT-In) — nodal agency for cybersecurity incidents; operates under the IT Act, 2000
  • Responsible disclosure / Coordinated Vulnerability Disclosure (CVD) — the international framework that bug bounty programmes operationalise

Connection to this news: UIDAI's bug bounty programme represents a shift from reactive to proactive cybersecurity governance for a system that stores biometric data of over 1.3 billion residents, aligning with India's national cybersecurity framework obligations for CII protection.

Key Facts & Data

  • UIDAI established: under Aadhaar Act, 2016 (Section 11); earlier by executive order in 2009
  • Aadhaar enrollments: over 1.3 billion as of 2024
  • Bug Bounty Programme: 20 vetted researchers; scope — UIDAI website, myAadhaar portal, Secure QR Code app
  • Aadhaar Act, Section 30: biometric data classified as "sensitive personal data or information"
  • DPDPA, 2023 enacted: 11 August 2023; rules notified: November 2025
  • CERT-In operates under IT Act, 2000; NCIIPC under Section 70A of IT Act, 2000