YesWeHack will pay up to $2,240 per flaw in app developers built pro bono

The private bug bounty program for France’s official Covid-19 contact-tracing app went public on Tuesday (June 2) to coincide with the app’s arrival on Google Play and Apple’s App Store.

The more than 15,000 ethical hackers across 120-plus countries who use the YesWeHack platform can now probe the StopCovid app for security vulnerabilities.

“With this second step, the StopCovid project team underlines the crucial role of crowdsourced security for data protection in the fight against COVID-19 – and how [a] bug bounty can help build trust and transparency,” the European bug bounty platform said.

The French government is the first in Europe to subject its coronavirus contact-tracing app to the scrutiny of crowdsourced security research.

Outside of Europe, India has also launched a bug bounty program for its own Covid-19 app, which was recently released as an open source app.

StopCovid payouts

A critical flaw found in StopCovid will earn bug bounty hunters up to €2,000 ($2,240), while a high severity vulnerability will net them a maximum of €750 ($840), the StopCovid bug bounty page on YesWeHack explains.

‘Low’ or ‘medium’ severity bugs earn researchers a ‘special edition T-shirt’ but no monetary award.

With a consortium of researchers and private companies developing the open source app without payment since April 26, YesWeHack has agreed to fund the bounties.



Bug hunters can work collaboratively under the terms of the program, sharing their report and any rewards as a collective group with up to five other hunters.

Vulnerabilities affecting StopCovid’s hosting provider, Outscale, can be reported to its own bug bounty program.



During the week-long private program, which began on May 27, some 35 handpicked ethical hackers alerted the StopCovid project team to seven in-scope or “general interest” flaws.

Reported on a GitLab bug tracker, five were rated as minor to moderate security vulnerabilities, with the remaining two being functional issues.

Software updates rectifying the flaws are in development.

ROBERT protocol

StopCovid was launched just as France commenced phase two of its easing of the country-wide lockdown.

Eschewing Apple and Google’s decentralized contact-tracing API, the StopCovid project uses the ROBERT protocol, which processes data on a centralized server instead of within the smartphone.

A group of 471 French cryptography and security researchers signed a letter at the end of April urging the government to mitigate the privacy and data protection risks surrounding the project.

France’s National Agency for Information Systems Security has issued recommendations (PDF) for ensuring that the project is secure and protects users’ privacy.

More than 70 countries around the world are developing, considering developing, or have released a contact-tracing app to curb the spread of Covid-19.

YesWeHack also operates bug bounty programs on behalf of the French Ministry of Defense, the Direction interministérielle du numérique (France’s digital transformation agency), and Cybermalveillance.gouv.fr, a government website that supports cyber-attack victims.

