Open jimmo opened 4 years ago
Confirming that you really should speak with Jim. It's gonna look super bad on the 19th if you haven't engaged and worked on a mitigation.
https://docs.google.com/document/d/17sVyBIG5CqhF9XtuEfeG2MfYsFNXuV4yxp3BERDTJoI/edit?usp=drivesdk
@delhiamitk FYI
BUMP. Exploit being released on the 19th.
This CVE has been found in several other Bluetooth-based contact tracing apps (notably Australia's COVIDSafe, Singapore's OpenTrace, and Alberta's ABTraceTogether). We believe that Aarogya Setu may also be vulnerable.
It has been assigned a severity of 9.8 Critical. It primarily affects Android but should also be addressed on iPhone.
Some more information is available at https://github.com/alwentiu/COVIDSafe-CVE-2020-12856; however, the full details are not currently public and are under embargo until June 19. However, we have emailed as-bugbounty@nic.in with the full details. Please contact us if you have any further questions.
CC @alwentiu