Private program for Cybermalveillance.gouv.fr set to go public sometime in April
Rewards for high risk and critical flaws found in a French government website that supports cyber-attack victims are set to double when its bug bounty program goes public over the coming weeks.
A private program for Cybermalveillance.gouv.fr, a cyber-support site that was launched in 2015, has been running on YesWeHack since mid-December, with a public program mooted to go live on the France-based bug bounty platform during April.
Rewards for the discovery of high risk and critical flaws could rise from €400 to about €800 and from €800 to around €1,600 respectively, the website’s information systems manager told The Daily Swig.
“It is crucial for us to ensure a high level of security”, said Nicolas Laurent, information systems manager for GIP ACYMA (Le Groupement d’Intérêt Public Action contre la Cybermalveillance), which was founded in 2017 to manage Cybermalveillance.gouv.fr and help French citizens, businesses, and local authorities mitigate security risks and handle the fallout of cyber-attacks.
He added that the program’s focus was on preventing the theft of personal data, redirection of contact requests, and malicious modification of the site’s tools.
Cybermalveillance.gouv.fr features a step-by-step tool for diagnosing and remediating security problems, and putting cyber-attack victims in touch with relevant local service providers.
In scope for the program are the website’s publicly accessible areas, user account areas of both service providers and support seekers, and a tool for encrypting, uploading, and sending suspicious files for inspection by security experts.
Laurent says GIP ACYMA’s current invite-only program, which has about 30 participating bug hunters, has so far yielded reports of 15 vulnerabilities from two white-box penetration tests, seven of which have been fixed.
On the decision to make the program public, he said: “We wanted to open our application to more hunters and be able to share directly with them on the forum.”
GIP ACYMA was one of four organizations to participate in a live hacking event hosted by YesWeHack at the end of January.
“It was very interesting to see them working on our application before going into production,” said Laurent of the event, which was held at the 2020 Forum International de la Cybersécurité (FIC) in Lille, France.
“We talked about areas for improvement and corrected a new vulnerability.”
Paris-based YesWeHack was founded in 2013 to give organizations a “European alternative” to US bug bounty platforms like HackerOne and Bugcrowd, the company’s Rodolphe Harand told The Daily Swig last October.
YOU MIGHT ALSO LIKE Meet the bug bounty platform putting community into crowdsourced security