Bug bounty
Public

Cybermalveillance.gouv.fr - cybersecurity awareness, prevention and victim support

Cybermalveillance.gouv.fr is an initiative of the French Government, launched in 2017, to respond to the rising number of cyber-malicious acts in France.

Reward

Reward types: Bounty (from €50) and Hall of fame
Low: €50
Medium: €200
High: €1,000
Critical: €2,000

Program

Avg reward: -
Max reward: -
Scope: 1

Supported languages
English
French

Hacktivity

Reports: 164
1st response: < 1 day
Reports last 24h: -
Reports last week: 1
Reports this month: 2

ABOUT CYBERMALVEILLANCE.GOUV.FR

Cybermalveillance.gouv.fr offers cybersecurity awareness, prevention and support to French citizens.
In 2017, the Public Interest Group for Action against Cyber-malicious Acts (GIP ACYMA) was created to carry out these missions.
GIP ACYMA serves the following types of requesters:

  • Private individuals
  • Firms
  • Local authorities

The website Cybermalveillance.gouv.fr is meant to be the single, main entry point for all victims of cyber-malicious acts. It offers advisory, prevention and awareness resources, and puts victims in contact with local service providers.

OBJECTIVES

It is crucial for us to ensure a high level of security on our cybermalveillance.gouv.fr platform. The typical scenarios we are concerned about:

  • Exfiltration of victims' data
  • Modification or alteration of the tools and advice offered to victims for awareness and assistance purposes
  • Redirection of victims' contact requests towards malicious and/or unethical organisations

ELIGIBLE VULNERABILITIES

When doing your risk assessment(s), keep in mind that the Service Providers are considered ethical and engaged in the project; attack scenarios that rely on a malicious Service Provider are therefore outside the threat model. Furthermore, Service Provider accounts are subject to our verification and validation (see Account access below).

RESPONSIBLE DISCLOSURE & CONFIDENTIALITY

GIP ACYMA believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our products or services, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
We kindly ask you not to use collaborative tools for your research notes, in order to avoid any unwanted disclosure or leak that a third party could exploit.

All testing must be conducted against https://pprd.cybermalveillance.gouv.fr; please do not interfere with the production environment (https://www.cybermalveillance.gouv.fr is out of scope).

New: 2024-04-02


Reward

Asset value   CVSS Low   CVSS Medium   CVSS High   CVSS Critical
Critical      €50        €200          €1,000      €2,000

Scopes

Scope                                    Type             Asset value
https://pprd.cybermalveillance.gouv.fr   web-application  Critical

Rewards for this scope by severity: Low €50, Medium €200, High €1,000, Critical €2,000

Out of scopes

  • https://www.cybermalveillance.gouv.fr
  • Anything not explicitly listed in the scope section

Vulnerability types

Qualifying vulnerabilities

  • Cross-Site Scripting (XSS), Cross-site Request Forgery (CSRF), Server-Side Request Forgery (SSRF)
  • Missing "secure" flags on authentication cookies
  • Exposure of sensitive member information (except as part of a usual trip flow)
  • SQL Injection
  • Remote Code Execution (RCE)
  • Access Control Issues (Insecure Direct Object Reference issues, etc.)
  • Directory Traversal Issues
  • Local File Disclosure (LFD)
  • Exposure of internal tools (web apps showing metrics without authentication, development environments, etc)
  • Exposure of configuration files or secrets (from GitHub, employees' open-source projects, etc.)
  • Access to sensitive data

Non-qualifying vulnerabilities

  • EXIF data
  • Rate Limiting
  • Text/HTML Injection
  • Homograph Attack
  • Information disclosure
  • Mixed content warnings
  • Denial of Service attacks
  • Software version disclosure
  • Stack traces or path disclosure
  • Any hypothetical flaw or best-practice issue without an exploitable PoC
  • Login, logout, unauthenticated or low-value CSRF
  • Unverified results of automated tools or scanners
  • Social engineering (including phishing) of cybermalveillance.gouv.fr staff or contractors
  • Any physical attempts against cybermalveillance.gouv.fr offices or data centers
  • Missing security-related HTTP headers
  • Presence/absence of SPF/DMARC records
  • Presence of autocomplete attribute on web forms
  • Vulnerabilities affecting users of outdated browsers and platforms
  • Self XSS
  • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept)
  • Brute force / password reuse attacks
  • User enumeration attacks
  • Missing cookie flags on non-sensitive cookies
  • Attacks requiring physical access to a user's device
  • Disclosure of known public files or directories, (e.g. robots.txt)
  • Massive automated actions on the platform through robots/crawling
  • Persistent login cookie weaknesses
  • Selling or ransoming user information obtained through password reuse or other attacks
  • CORS configuration, except if you can show a way to exploit this vulnerability to compromise sensitive information
  • HTTP TRACE method enabled
  • Password policies
  • DNSSEC issues

Hunting requirements

Account access

You can self-register as a victim.

You can also register as a service provider, but these accounts are subject to admin validation on our end. We validate them on a regular basis, so please avoid creating several accounts for yourself, as it would generate a greater workload for us and consequently extend our response time.

User agent

Please append the following value to your User-Agent header: ' ywh-public '.
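As an added example (not code from the program page, from GIP ACYMA or from the bug bounty platform), here is a small Python helper that enforces the two hunting requirements above before any request is sent: it restricts requests to the pre-production scope https://pprd.cybermalveillance.gouv.fr, rejecting the production site listed as out of scope, and appends the ' ywh-public ' marker to the User-Agent header. The base User-Agent string and the attacker-controlled look-alike host name used in the self-check are constructed for illustration.

```python
"""Hunting-session helper for this program (added example, not the
program's or the platform's own tooling).

It enforces the two hunting requirements stated on the program page:
test only the pre-production scope, and tag every request with the
' ywh-public ' User-Agent marker.
"""
from urllib.parse import urlsplit
from urllib.request import Request

# The single in-scope asset listed in the Scopes section.
IN_SCOPE_HOSTS = {"pprd.cybermalveillance.gouv.fr"}
# Explicitly out of scope on the program page (production site).
OUT_OF_SCOPE_HOSTS = {"www.cybermalveillance.gouv.fr"}
# Marker the program asks hunters to append to the User-Agent header.
UA_MARKER = "ywh-public"
# Hypothetical base User-Agent; any real browser or scanner string works.
DEFAULT_UA = "Mozilla/5.0 (X11; Linux x86_64) research-client/1.0"


class OutOfScopeError(ValueError):
    """Raised before a request could reach a host that is not in scope."""


def tag_user_agent(base_ua: str = DEFAULT_UA) -> str:
    """Append the program marker, separated by a single space, unless already present."""
    base = base_ua.strip()
    if UA_MARKER in base.split():
        return base
    return f"{base} {UA_MARKER}"


def check_scope(url: str) -> str:
    """Return the normalised host if url is in scope, otherwise raise OutOfScopeError.

    The check is made on the parsed host name, not by substring matching, so a
    look-alike such as "pprd.cybermalveillance.gouv.fr.attacker.example" is rejected.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        raise OutOfScopeError(f"only https is in scope, got {parts.scheme!r}")
    if host in OUT_OF_SCOPE_HOSTS:
        raise OutOfScopeError(f"{host} is the production site and is out of scope")
    if host not in IN_SCOPE_HOSTS:
        raise OutOfScopeError(f"{host} is not listed in the scope section")
    return host


def is_in_scope(url: str) -> bool:
    """Boolean form of check_scope for filtering candidate URLs."""
    try:
        check_scope(url)
        return True
    except OutOfScopeError:
        return False


def build_request(url: str, base_ua: str = DEFAULT_UA) -> Request:
    """Build a urllib Request for an in-scope URL carrying the tagged User-Agent.

    Nothing is sent here; the caller decides when (and whether) to open it.
    """
    check_scope(url)
    return Request(url, headers={"User-Agent": tag_user_agent(base_ua)})


if __name__ == "__main__":
    req = build_request("https://pprd.cybermalveillance.gouv.fr/")
    print(req.get_header("User-agent"))
    for candidate in (
        "https://www.cybermalveillance.gouv.fr/",          # production, out of scope
        "http://pprd.cybermalveillance.gouv.fr/",          # wrong scheme
        "https://pprd.cybermalveillance.gouv.fr.attacker.example/",  # constructed look-alike
    ):
        print(candidate, "->", "in scope" if is_in_scope(candidate) else "rejected")
```

Wire `check_scope` in front of whatever client you actually use (a scanner wrapper, a proxy script) so that a mistyped host fails closed rather than hitting production; the User-Agent marker is what lets the program tell your traffic apart from real attacks in its logs.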


Hunters collaboration

When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.