The Interministerial Digital Directorate (DINUM), responsible for digital transformation across the French government, has announced updates to its Bug Bounty programs for Tchap, the secure instant messaging service for public administration, as well as FranceConnect, FranceConnect+, and ProConnect, the unified authentication system for public services and officials in France.
Operated in partnership with YesWeHack, these programs aim to enhance the security of these services by encouraging ethical hackers to report any vulnerabilities they discover.
Rise in rewards
As part of its information systems security (ISS) policy, the French government has implemented enhanced measures to address growing digital threats. This policy is accompanied by a significant increase in bounties offered by the Bug Bounty programs for Tchap, FranceConnect, FranceConnect+ and ProConnect, to encourage the rapid detection and remediation of vulnerabilities. By increasing the rewards, the goal is also to foster even greater participation from the ethical hacking community, working in the public interest.
The maximum reward for critical vulnerabilities has been raised to €20,000 for Tchap (previously €8,000) and to €30,000 for FranceConnect, FranceConnect+, and ProConnect (previously €20,000). The detection efforts focus primarily on vulnerabilities related to data exfiltration and identity theft.
Under the rules of the Bug Bounty Programs, to be eligible for bounties participants must be the first to report a vulnerability, provide a workable solution, refrain from causing harm to systems, respect data confidentiality, and be entirely independent from the project. Each vulnerability will be rewarded only once: the first hacker to report it will receive the associated bounty.
To participate in the Bug Bounty Program for FranceConnect, FranceConnect+, and ProConnect, ethical hackers must register here, and for the Tchap program, they must register here. Registration on the YesWeHack platform is mandatory. Once their profile is verified, they can then report identified security vulnerabilities by following the instructions provided on the platform.
For the French government, these programs offer the advantage of identifying vulnerabilities before they cause harm, strengthening its defence posture by emulating methods used by attackers, and fostering a collaborative and transparent approach through the availability of source code to participating ethical hackers. The Tchap program has been in place since 2019 and the FranceConnect program was launched in 2021.
Check out the public Bug Bounty Programs for Tchap and FranceConnect/FranceConnect+/ProConnect for further details on rules, rewards and scopes.
About YesWeHack
YesWeHack is a global Bug Bounty and vulnerability management platform that connects organisations with tens of thousands of cybersecurity researchers worldwide. Their goal is to uncover potential vulnerabilities in websites, mobile applications, connected devices, and digital infrastructures, enabling organisations to fix them before malicious actors can exploit them.
About the Interministerial Digital Directorate (DINUM)
A service under the authority of the Prime Minister of France, the Interministerial Digital Directorate (DINUM) is responsible for defining and implementing the French government’s digital strategy. It also serves as the Chief Data Officer and HR director for digital professions within the government. As the leading entity for public sector digital transformation, its mission is to make the government more efficient, more accessible and more sovereign through digital technology, collaborating with ministerial digital departments and its partners.
DINUM also operates under the Ministry of Public Service, Administrative Simplification and Public Sector Transformation and works closely with the State Secretariat for Artificial Intelligence and Digital Affairs. For more information: numerique.gouv.fr
This blog article is a translation of a press release first published in French by DINUM on its website. You can read it here: https://www.numerique.gouv.fr/espace-presse/bug-bounty-les-hackers-ethiques-invites-a-participer-au-renforcement-de-la-securite-des-services-numeriques-de-letat/