Bug bounty - Public

Cybermalveillance.gouv.fr - awareness, prevention and support in cybersecurity

Cybermalveillance.gouv.fr is an initiative of the French Government, launched in 2017, to respond to the rising number of cyber-malicious acts in France.

Reward

Bounty (from €50), Hall of fame

  • Low: €50
  • Medium: €200
  • High: €1,000
  • Critical: €2,000

Program

  • Avg reward: -
  • Max reward: -
  • Scope: 1
  • Supported languages: English, French

Hacktivity

  • Reports: 213
  • 1st response: < 1 day
  • Reports last 24h: -
  • Reports last week: 1
  • Reports this month: -

New 2026-02-10

We are aware of limitations in the management of UUIDs in our URLs.

These exploits are not trivial and are very limited in time, in addition to requiring prior knowledge of the UUID, which is not easily guessable. In light of this and the limited information available, we consider the risk to be acceptable on our part.

We have therefore decided to no longer accept reports of IDOR or improper access control on this issue.

New 2025-10-22

We have decided to temporarily stop accepting new reports concerning cache poisoning. As things stand, we need to work more thoroughly to address this issue.

ABOUT CYBERMALVEILLANCE.GOUV.FR

Cybermalveillance.gouv.fr is an initiative of the French Government, launched in 2017, to respond to the rising number of cyber-malicious acts in France.
Cybermalveillance.gouv.fr offers awareness, prevention and support in cybersecurity to French citizens.
In 2017, the Public Interest Group for Action against Cybermalveillance (GIP ACYMA) was created to carry out these missions.
GIP ACYMA addresses the following types of requesters:

  • Private individuals
  • Firms
  • Local authorities

The website Cybermalveillance.gouv.fr is meant to be the single, main entry point for all victims of cyber-malicious acts. It offers advisory, prevention and awareness resources, and puts victims in contact with local service providers.

OBJECTIVES

It is crucial for us to ensure a high level of security on our cybermalveillance.gouv.fr platform. The typical scenarios we are concerned about:

  • Exfiltration of victims' data
  • Modification or alteration of the tools and advice offered to victims for awareness and assistance purposes
  • Redirection of victims' contact requests towards malicious and/or unethical organisations

ELIGIBLE VULNERABILITIES

When doing your risk assessment(s), keep in mind that the Service Providers are considered ethical and engaged in the project. Furthermore, Service Providers' accounts are subject to our verification and validation.

RESPONSIBLE DISCLOSURE & CONFIDENTIALITY

GIP ACYMA believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our products or services, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
We kindly ask you not to use collaborative tools for your research notes, in order to avoid any unwanted disclosure or leak that could be exploited by a third party.

All testing must be conducted on https://pprd.cybermalveillance.gouv.fr; please avoid interfering with the production environment.


Reward

  Asset value: Critical

  CVSS Low       €50
  CVSS Medium    €200
  CVSS High      €1,000
  CVSS Critical  €2,000

Systemic issues

  1st report   100%
  2nd report   100%
  3rd report    60%
  4th report    40%
  5th report    25%
  6th+ report   10%

In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program's scope and policy. To summarize our policy, you may refer to the table below:


Scopes

  Scope                                     Type             Asset value
  https://pprd.cybermalveillance.gouv.fr    Web application  Critical

  Rewards for this scope:
  • Low: €50
  • Medium: €200
  • High: €1,000
  • Critical: €2,000

Out of scopes

  • https://www.cybermalveillance.gouv.fr
  • Anything that is not explicitly listed in the scope section

Vulnerability types

Qualifying vulnerabilities

  • Cross-Site Scripting (XSS)
  • Missing "secure" flag on authentication cookies
  • Sensitive member information exposure, except during a usual trip flow
  • SQL Injection
  • Remote Code Execution (RCE)
  • Directory Traversal issues
  • Local File Disclosure (LFD)
  • Exposure of internal tools (web apps showing metrics without authentication, development environments, etc.)
  • Exposure of configuration files or secrets (from GitHub or employees' open-source projects, etc.)
  • Access to sensitive data
  • Cross-Site Request Forgery (CSRF)
  • Server-Side Request Forgery (SSRF)

Non-qualifying vulnerabilities

  • EXIF data
  • Rate Limiting
  • Text/HTML Injection
  • Homograph Attack
  • Missing cookie flags
  • Information disclosure
  • Mixed content warnings
  • Denial of Service attacks
  • Software version disclosure
  • Stack traces or path disclosure
  • Any hypothetical flaw or best practices without exploitable POC
  • Login, logout, unauthenticated or low-value CSRF
  • Unverified results of automated tools or scanners
  • Social engineering (including phishing) of cybermalveillance.gouv.fr staff or contractors
  • Any physical attempts against cybermalveillance.gouv.fr offices or data centers
  • Missing security-related HTTP headers
  • Presence/absence of SPF/DMARC records
  • Presence of autocomplete attribute on web forms
  • Vulnerabilities affecting users of outdated browsers and platforms
  • Self XSS
  • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept)
  • Brute force / password reuse attacks
  • User enumeration attacks
  • Missing cookie flags on non-sensitive cookies
  • Attacks requiring physical access to a user's device
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Massive automated actions on the platform through robots/crawling
  • Persistent login cookie weaknesses
  • Sell/ransom user information taken from password reuse or other attacks
  • CORS configuration, except if you can show a way to exploit this vulnerability to compromise sensitive information
  • Method TRACE
  • Password policies
  • DNSSEC issues
  • Cache Poisoning
  • Insecure Direct Object Reference (IDOR)

Hunting requirements

Account access

You can self-register as a victim.

You can also register as a service provider, but these accounts are subject to admin validation on our end. We validate them on a regular basis, so please avoid creating several accounts for yourself, as this would generate a greater workload for us and subsequently extend our response time.

User agent

Please append the following value to your User-Agent header: ' ywh-public '.


Hunters collaboration

When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.

For more information, see the help center.
Note: for reports that have already been rewarded, it is not possible to redistribute the rewards.

To submit a vulnerability report, you need to log in with your hunter account.