National Informatics Center and my experience as a bug bounty hunter

National Informatics Center (NIC) has set up nationwide ICT infrastructure for Central Government, State Government, Union Territory Administration, and other government bodies including the districts. Their services range from creating and maintaining government websites to maintaining and setting up data centers and the cloud system to name a few. All these services play an important role in delivering citizen-centric services.

As NIC has the responsibility to maintain such vast technological infrastructure, the possibility of bugs and vulnerabilities being present in the system also increases.
NIC has recognized this possibility and created a Responsible Vulnerability Disclosure Program so that bugs and vulnerabilities can be quashed and fixed and the confidential information remains confidential.

When I learned about this program I was elated to find bugs and submit reports because just like any other citizen I too want freedom and along with that privacy while browsing the internet.
But after submitting a couple of reports and getting acknowledgment from the NIC team in 2-3 business days, I believed that they would fix the bugs and vulnerabilities in a month or, max to max, in two months' time, but even after 4 months' time, I observed that they had failed to fix those vulnerabilities. As a cybersecurity researcher, this not only personally demoralized me from finding bugs but also made me question the effectiveness of the NIC team in safeguarding our information and whether India is prepared to ward off any mass cyberattacks.

This first-hand experience has also instilled a fear inside me, and now I am hesitant to upload any type of data or document on any government portal or website, because I always assumed that the information which I am providing to the Government would be stored with maximum security and that they would be prioritizing national security the most.

I would love to know from this community if they have experienced anything similar and to gain insights as to how we can solve this problem.

P.S.: I am new to the community and this is my first post, and I am still learning how this forum works, so please forgive me if I made any mistake while writing this post. Thank you :smiley:


Thank you for sharing this, Karan! I really enjoyed reading this. It reminded me of a podcast on cyber-sec recently recommended to me by @Shivani


Hey @kooluser, welcome to the IFF Forum! I recently went down a cyber sec rabbit hole after I started listening to a podcast called Darknet Diaries.

Here are my top 3 recommendations, I think you’ll enjoy the show! :slight_smile:


Thank you @Shivani for sharing these podcasts. They were very informative, scary, and at the same time amazed me as to how creepy technology can be.
These podcasts are a slap on the face to all those who believe that digital privacy is not an important or a concerning issue.


I’ve personally had this experience as well. I find it best to get their attention via official social media handles so you might wanna try that. Also tagging local police, IT cell and CERT-IN team along with notable professionals in the given area of expertise always helps.

Also, do you mind sharing links to the disclosure policy for NIC?


I just go to this website https://nciipc.gov.in/RVDP.html and fill in the PDF available there, and after filling in this PDF form I email it to [email protected]

Thank you for the suggestion; next time I will for sure use social media to grab their attention :smiley:
