Cybermalveillance.gouv.fr - sensibilization, prevention and support in terms of cybersecurity
Cybermalveillance.gouv.fr is an initiative of the French Government, launched in 2017, to respond to the uprising number of cyber-malicious-acts in France.
Reward
Program
Hacktivity
ABOUT CYBERMALVEILLANCE.GOUV.FR
Cybermalveillance.gouv.fr is an initiative of the French Government, launched in 2017, to respond to the uprising number of cyber-malicious-acts in France.
Cybermalveillance.gouv.fr is offering sensibilization, prevention and support in terms of cybersecurity to French citizens.
In 2017, the Public Interest Group against cybermalveillance.gouv.fr (GIP ACYMA) was created to carry these missions.
GIP ACYMA is addressing the following type of requesters :
- Private individuals
- Firms
- Local authorities
The website Cybermalveillance.gouv.fr is meant to be the unique and major entry point for all victims of cyber-malicious-acts. It offers advisory, prenvention & sensibilization resources, and to put victims in contact with local service providers
OBJECTIVES
It is crucial for us to ensure a high level of security on our cybermalveillance.gouv.fr platform. The typical scenarios we are concerned about :
- Victims’ data exfiltration
- Modification or alteration of the tools and advices offered to the victims for awarness and assistance purposes.
- Redirection of contact requests from victims towards malicious and/or unethical organisations.
ELIGIBLE VULNERABILITIES
When doing your risk assessment(s), keep in mind that the Service Providers are considered ethical and engaged in the project. Furthermore, Service Provider’s accounts are subject to our verification and validation.
RESPONSIBLE DISCLOSURE & CONFIDENTIALITY
GIP ACYMA believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our products or services, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
We kindly ask you to not use collaborative tools for your research notes in order to avoid any unwanted disclosure or leak potentially exploitable by a third party.
All testings must be conducted on https://pprd.cybermalveillance.gouv.fr, please avoid interfering with production environment
New 2024-04-02
Reward
| Asset value | CVSS | CVSS | CVSS | CVSS |
|---|---|---|---|---|
| €50 | €200 | €1,000 | €2,000 |
Scopes
| Scope | Type | Asset value | Expand rewards grid |
|---|---|---|---|
| https://pprd.cybermalveillance.gouv.fr | web-application | ||
Low Medium High Critical | |||
Out of scopes
- https://www.cybermalveillance.gouv.fr
- Anything that is not explicitely listed in scope section
Vulnerability types
Qualifying vulnerabilities
- Cross-Site Scripting (XSS), Cross-site Request Forgery (CSRF), Server-Side Request Forgery (SSRF)
- Missing "secure" flags on authentication cookies
- Sensitive members information exposure except during a usual trip flow
- SQL Injection
- Remote Code Execution (RCE)
- Access Control Issues (Insecure Direct Object Reference issues, etc.)
- Directory Traversal Issues
- Local File Disclosure (LFD)
- Exposure of internal tools (web apps showing metrics without authentication, development environments, etc)
- Exposure of configuration files or secrets (from Github or employee's opensource projects, etc)
- Access to a sensitive data
Non-qualifying vulnerabilities
- EXIF data
- Rate Limiting
- Text/HTML Injection
- Homograph Attack
- Missing cookie flags
- Information disclosure
- Mixed content warnings
- Denial of Service attacks
- Software version disclosure
- Stack traces or path disclosure
- Any hypothetical flaw or best practices without exploitable POC
- Login, logout, unauthenticated or low-value CSRF
- Unverified results of automated tools or scanners
- Social engineering (including phishing) of cybermalveillance.gouv.fr staff or contractors
- Any physical attempts against cybermalveillance.gouv.fr offices or data centers
- Missing security-related HTTP headers
- Presence/absence of SPF/DMARC records
- Presence of autocomplete attribute on web forms
- Vulnerabilities affecting users of outdated browsers and platforms
- Self XSS
- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept)
- Brute force / password reuse attacks
- User enumeration attacks
- Denial of service
- Missing cookie flags on non-sensitive cookies
- Attacks requiring physical access to a user's device
- Disclosure of known public files or directories, (e.g. robots.txt)
- Massive automated actions on the platform through robots/crawling
- Persistent login cookie weaknesses
- Sell/ransom user information taken from password reuse or other attacks
- CORS configuration, except if you can show a way to exploit this vulnerability to compromise sensitive information
- Method TRACE
- Password policies
- DNSSEC issues
Hunting requirements
Account access
You can self-register as a victim.
You can also register as service provider, but these account are subject to admin validation on our end. We will validate them on a regular basis, so please avoid creating several accounts for yourself as it would generate a greater workload for us and would subsequently extend our response time.
User agent
Please append to your user-agent header the following value: ' ywh-public '.
Hunters collaboration
When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.
For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.
