
DINUM - FranceConnect / FranceConnect+ / AgentConnect - Public Program

The Direction Interministérielle du NUMérique (DINUM) is in charge of the French State's digital transformation for the benefit of citizens and civil servants alike, in all its aspects. It supports public services, advises the government and develops common resources.

Reward

  • Hall of fame: €0
  • Low: €100
  • Medium: €800
  • High: €3,000
  • Critical: €20,000

Program

  • Avg reward: -
  • Max reward: €400
  • Scopes: 6
  • Supported languages: English, French

Hacktivity

  • Reports: 44
  • 1st response: < 1 day
  • Reports last 24h: -
  • Reports last week: -
  • Reports this month: 2

🔈 About FranceConnect and AgentConnect

  • FranceConnect is the SSO solution developed by the French government for its citizens, based on the OpenID Connect protocol. It allows citizens to log in to many public and private online services using their existing credentials from certified public and private identity providers (IMPOTS, AMELI, La poste identité numérique, ...).

  • AgentConnect is the SSO solution developed by the French government for its agents, based on the OpenID Connect protocol. It allows public servants to log in to many internal governmental services using their identities from the existing directories of the agencies they work for.

💚 OBJECTIVES

As the official French SSO, it is crucial for us to ensure a high level of security on our platform. Here is a list of the typical scenarios we are concerned about:

  • Exfiltration of users' data
  • Misuse of users' identities
  • Redirection of users towards malicious websites

👷 ELIGIBILITY, DISCLOSURE & CONFIDENTIALITY

  • You must be the first reporter of the vulnerability.
  • The vulnerability must not already have been taken into account internally to qualify.
  • The vulnerability must be a qualifying vulnerability (see below).
  • As many endpoints use the same codebase, if two or more endpoints use the same codebase and a single fix can be deployed to fix all the different endpoints, only one endpoint will be considered as eligible for a reward and other reports will be closed as Informative. Such reports will be reviewed on a case by case basis.
  • You must send a clear textual description of the report along with steps to reproduce the issue, and include attachments such as screenshots or proof of concept code as necessary.
  • You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit yourself in terms of requests per second).
  • You must not leak, manipulate, or destroy any user data. We kindly ask you to not use collaborative tools for your research notes in order to avoid any unwanted disclosure or leak potentially exploitable by a third party.
  • You must not be a former or current employee / contractor / auditor of DINUM / FranceConnect / AgentConnect.

👥 Reports of leaks and exposed credentials

In the context of this program, we do not intend to encourage, accept or reward reports of leaks or exposed credentials.
We will only consider vulnerabilities or leaks that are identified directly on the scope of this program.

Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers.

This excludes, but is not limited to:

  • Stolen credentials gathered from unidentified sources (e.g. …)
  • Exposed credentials on an out-of-scope asset
  • Exposed GitHub/GitLab (or similar) instance
  • Exposed secrets (e.g. API tokens/keys or other technical credentials)
  • Exposed PII on an out-of-scope asset

To summarize our policy, you may refer to this table:

                                                                          | Source of leak is in-scope | Source of leak is out-of-scope
Impact is in-scope (e.g. valid credentials on an in-scope asset)          | Eligible                   | Not Eligible
Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset) | Eligible                   | Not Eligible

🚨 Hunting requirements

🦺 TESTING ON OUR INTEGRATION PLATFORM

Please refrain entirely from using any URL ending in ".gouv.fr", both to prevent production disruption and to avoid your traffic being treated as a real threat.

🛂 USER AGENT

Please append the following value to your user-agent header: ywh-pubbb-1 when testing on *.integ01.dev-franceconnect.fr. This will help us identify your requests and avoid blocking you. You can also use words like "BugBounty" in your parameters to help us identify your requests.

🌱 How can I start hunting?

🧪 Quick Start Guide

💡 Easy Black-box testing

This section covers the easiest way to test our platform. It is also the only way to test our platform if you do not wish to use the local stack (see below).

A good starting point for your journey is to access a fake (mock) service provider (SP/RP in OpenID Connect terminology) and test the connection on our integration platform. You can use this RP for FranceConnect+ and this RP for AgentConnect. A connection works as follows:

  1. On the RP, click on the FranceConnect/AgentConnect ("S'identifier avec...") button at the bottom of the page (do not change any parameter for now).
  2. Select your fake (mock) Identity Provider (IDP/OP in OpenID Connect terminology) and click on the "Continuer" button:
  3. Once you have clicked on your chosen IDP, you will be prompted to log in:
    • Use test / 123 for FranceConnect+ or any in the following list
    • Use test / 123 for FranceConnect or any in the following list
    • Use test / 123 for AgentConnect
  4. You will be prompted to consent to the sharing of the data with the RP. Click on the "Continuer" button.
  5. 🎉 Congratulations, you are connected! After login you can also use the "Révoquer token" button to revoke the current access_token, or "Recharger userinfo" to reload the user data from the IDP. You can also use the "Se déconnecter" button to disconnect from the IDP.
  6. 🎉 You can now tweak the connection parameters on the mock RP to test different scenarios. See the OpenID Connect documentation for more information.

To better understand the scope, you can access the integration user dashboard at https://tableaudebord.integ01.dev-franceconnect.fr; it acts like a service provider. Note that it is out of the scope of the program and only at your disposal to help you better grasp the workflow.

⚗️ Dig a little deeper, run a full local stack

If you want to dig a little deeper, you can use the local stack. You can find instructions here. You will need access to our docker repository to deploy it. For this, you can use the credentials provided in the bug bounty program.

⚠️ You'll need to follow the new instructions on https://github.com/france-connect/sources/pull/5 to set up a local stack. It's a temporary measure to get the stacks to work.

You will find a Docker-stack Quick Start guide here. Once set up, you can also use the command docker-stack help to get a list of all the available commands.

You can read more on FranceConnect and AgentConnect here:

💡 The recommended local stacks to use

These stacks are used with docker-stack up <stack>. Do not forget to use docker-stack start-all afterwards to start all the services. Use docker-stack prune to stop all the services.

  • min-fcp-high (light stack) or bdd-fcp-high (full stack) for FranceConnect+
  • min-fca-low (light stack) or bdd-fca-low (full stack) for AgentConnect
  • min-eidas-high (light stack) or all-eidas-high (full stack) for eIDAS
  • bdd-ud for the user dashboard

See https://hello.docker.dev-franceconnect.fr to find all running services and their URLs. Generally you can use https://<container-name>.docker.dev-franceconnect.fr to access a service (e.g. https://fsp1-high.docker.dev-franceconnect.fr for the FranceConnect+ mock RP, as used in the black-box section).

📈 Diagrams

FranceConnect+: (diagram: france-connect-diagram.png)

AgentConnect: (diagram: agent-connect-diagram.png)

🔀 Github repositories

📝 Contact

Please use support.partenaires@franceconnect.gouv.fr for any question you may have. Please put [ywh-pubbb-1] at the beginning of the subject line to help us qualify the ticket. We will do our best to answer promptly.

🚀 Special scenarios

⚠️ All scenarios MUST follow the general rules of the Bug Bounty.
💡 Please note that "Something happens" is only a placeholder for the sake of the example. It can be anything unexpected at any point in the flow; the team will validate the submitted behaviour.
💡 Please use only our mocks on the integration environment for the bug bounty to avoid service disruption. If you want to test your solution in production, you MUST submit a request to the team beforehand.

FranceConnect+

  • Connect using a forged identity (existing or not) 20k€

Example:

  1. Use FranceConnect+ button on a service provider
  2. Select an identity provider
  3. Use credentials of an existing user
  4. Something happens
  5. Your forged identity is connected on the service provider
  • Connect with substantial (eidas2) acr from the identity provider when the requested acr was high (eidas3) 15k€

Example:

  1. Use FranceConnect+ button on a service provider with a high acr (authorize "acr_values" must contain "eidas3")
  2. Select an identity provider (using mocks, you can force the returned acr to be eidas2)
  3. Use credentials of an existing user
  4. Something happens
  5. There is no error returning from the identity provider
  6. User is connected on the service provider with acr eidas2
  • Connect using a deactivated identity provider 15k€

Example:

  1. Use FranceConnect+ button on a service provider
  2. Something happens
  3. Select an identity provider that is disabled
  4. Use credentials of an existing user
  5. There is no error returning from the identity provider
  6. User is connected on the service provider
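The acr downgrade scenario above (requested eidas3, identity provider returns eidas2) comes down to one check that the platform and every relying party must enforce: the acr claim in the returned id_token has to satisfy the acr_values that were requested. The following is an added example of that check, not FranceConnect's own code; it assumes the eIDAS level names eidas1 < eidas2 < eidas3 used on this page, that a higher level may satisfy a lower request, and that the id_token's signature, issuer, audience and expiry have already been verified by the caller.

```python
"""Verify that the acr returned by an identity provider satisfies the acr_values
a service provider requested (added example, not FranceConnect code)."""
from __future__ import annotations

# Assumed ordering of eIDAS levels of assurance, lowest to highest.
EIDAS_LEVELS = {"eidas1": 1, "eidas2": 2, "eidas3": 3}


def parse_acr_values(acr_values: str) -> set[str]:
    """acr_values is a space-separated list of acceptable values (OpenID Connect
    Core 3.1.2.1); refuse an empty list or any value we cannot rank."""
    values = set(acr_values.split())
    if not values or values - set(EIDAS_LEVELS):
        raise ValueError(f"unsupported acr_values: {acr_values!r}")
    return values


def acr_satisfies(requested_acr_values: str, returned_acr: str | None) -> bool:
    """True only if the returned acr is a known level at least as strong as the
    weakest level the service provider asked for. A missing or unknown acr never
    qualifies: fail closed rather than silently accept a downgrade."""
    requested = parse_acr_values(requested_acr_values)
    if returned_acr not in EIDAS_LEVELS:
        return False
    required = min(EIDAS_LEVELS[v] for v in requested)
    return EIDAS_LEVELS[returned_acr] >= required


def check_id_token_acr(claims: dict, requested_acr_values: str) -> dict:
    """Gate already-verified id_token claims on the acr check and return them,
    raising PermissionError on a downgrade so the login cannot proceed."""
    returned = claims.get("acr")
    if not acr_satisfies(requested_acr_values, returned):
        raise PermissionError(
            f"acr {returned!r} does not satisfy requested {requested_acr_values!r}"
        )
    return claims


if __name__ == "__main__":
    # Constructed id_token payload, as a mock identity provider could return it
    # when forced to answer eidas2 while the authorize request asked for eidas3.
    downgraded = {"sub": "constructed-sub", "iss": "https://idp.example", "acr": "eidas2"}
    try:
        check_id_token_acr(downgraded, "eidas3")
    except PermissionError as exc:
        print("rejected:", exc)
```
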

AgentConnect, FranceConnect

  • Connect using a forged identity (existing or not) 10k€

Example:

  1. Use FranceConnect+ button on a service provider
  2. Select an identity provider
  3. Use credentials of an existing user
  4. Something happens
  5. Your forged identity is connected on the service provider
  • Connect using a deactivated identity provider 10k€

Example:

  1. Use FranceConnect+ button on a service provider
  2. Something happens
  3. Select an identity provider that is disabled
  4. Use credentials of an existing user
  5. There is no error returning from the identity provider
  6. User is connected on the service provider

eIDAS Bridge

  • Connect to a European service provider using a forged identity (existing or not) 15k€

Example:

  1. Use the European mock service provider
  2. Select "France" for your identity country
  3. Select an identity provider on FranceConnect+ page
  4. Use credentials of an existing user
  5. Something happens
  6. Your forged identity is connected on the European mock service provider

User Dashboard

  • Authorize an identity provider blacklisted by a user - 10k€

Example:

  1. Connect to the user dashboard
  2. Add an identity provider to an existing user blacklist
  3. Something happens
  4. Connect to a service provider using FranceConnect+ or FranceConnect
  5. Select the blacklisted identity provider
  6. Use credentials of an existing user
  7. There is no error returning from the identity provider
  8. User is connected on the service provider
  • Alter the connection history page of a user 10k
  1. Something happens
  2. Connect to the user dashboard
  3. Access the connection history page of an existing user
  4. The connection history is altered



Reward

Asset value | CVSS Low | CVSS Medium | CVSS High | CVSS Critical
Critical    | €100     | €800        | €3,000    | €20,000
High        | €100     | €800        | €3,000    | €10,000
Medium      | €100     | €500        | €1,500    | €5,000

Scopes

Scope                                                    | Type            | Asset value | Low  | Medium | High   | Critical
Specific scenarios (see program description)             | other           | Critical    | €100 | €800   | €3,000 | €20,000
AgentConnect (see program description for github link)   | web-application | Medium      | €100 | €500   | €1,500 | €5,000
FranceConnect+ (see program description for github link) | web-application | High        | €100 | €800   | €3,000 | €10,000
FranceConnect (see program description for github link)  | web-application | High        | €100 | €800   | €3,000 | €10,000
eIDAS Bridge (see program description for github link)   | web-application | High        | €100 | €800   | €3,000 | €10,000
User Dashboard (see program description for github link) | web-application | Medium      | €100 | €500   | €1,500 | €5,000

Out of scopes

  • All partners and all mocks are out of scope (but you can use the deployed mocks at your discretion to attack the scope).
  • The local stack (*.docker.dev-franceconnect) is a powerful tool for you to understand the internal processes but is out of scope (the exploit must also work in the scope to qualify).
  • The production environment (*.gouv.fr) is out of scope.
  • https://fcp.integ01.dev-franceconnect.fr
  • https://tableaudebord.integ01.dev-franceconnect.fr

Vulnerability types

Qualifying vulnerabilities

  • NoSQL Injection
  • Cross-Site Scripting (XSS)
  • Remote Code Execution (RCE)
  • Insecure Direct Object Reference (IDOR)
  • Horizontal and vertical privilege escalation
  • Authentication bypass & broken authentication
  • Business Logic Errors vulnerability with real security impact
  • Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
  • Cross-Origin Resource Sharing (CORS) with real security impact
  • Cross-site Request Forgery (CSRF) with real security impact
  • Open Redirect
  • Exposed secrets, credentials or sensitive information from an in-scope asset

Non-qualifying vulnerabilities

  • Tabnabbing
  • Missing cookie flags
  • Content/Text injections
  • Mixed content warnings
  • Clickjacking/UI redressing
  • Denial of Service (DoS) attacks
  • Known CVEs without working PoC
  • Open ports without real security impact
  • Social engineering of staff or contractors
  • Presence of autocomplete attribute on web forms
  • Vulnerabilities affecting outdated browsers or platforms
  • Self-XSS or XSS that cannot be used to impact other users
  • Outdated libraries without a demonstrated security impact
  • Any hypothetical flaw or best practices without exploitable PoC
  • Expired certificate, best practices and other related issues for TLS/SSL certificates
  • Unexploitable vulnerabilities (e.g. XSS or Open Redirect in HTTP Host Header)
  • Reports with attack scenarios requiring MITM or physical access to victim's device
  • Missing security-related HTTP headers which do not lead directly to a vulnerability
  • Unauthenticated / Logout / Login and other low-severity Cross-Site Request Forgery (CSRF)
  • Invalid or missing SPF (Sender Policy Framework), DKIM, DMARC records
  • Session expiration policies (no automatic logout, invalidation after a certain time or after a password change)
  • Disclosure of information without direct security impact (e.g. stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets)
  • CSV injection
  • HTTP Strict Transport Security Header (HSTS)
  • Subdomain takeover without a full working PoC
  • Blind SSRF without direct impact (e.g. DNS pingback)
  • Lack of rate-limiting, brute-forcing or captcha issues
  • User enumeration (email, alias, GUID, phone number)
  • Password requirements policies (length / complexity / reuse)
  • Ability to spam users (email / SMS / direct messages flooding)
  • Disclosed / misconfigured Google API key (including Google Maps)
  • Recently disclosed 0-day vulnerabilities (less than 30 days since patch release)
  • Password reset token leak on trusted third-party website via Referer header (e.g. Google Analytics, Facebook…)
  • Task Hijacking
  • Crashing your own application
  • Stolen secrets, credentials or information gathered from a third-party asset that we have no control over
  • Exposed secrets, credentials or information on an asset under our control that are not applicable to the program’s scope

Hunting requirements

User agent

Please append the following value to your user-agent header: 'ywh-pubbb-1'.


Hunters collaboration

When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.