France Identity opens its bug bounty to the public


The government recently launched version 1.0 of the France Identity application, which allows you to import your identity card and provide identity certificates online. It now intends to correct possible vulnerabilities. To that end, the company YesWeHack has announced the opening of a public bug bounty program for bug hunters wishing to report security flaws in the application or in the associated service.

This is a public program, and therefore open to all without invitation. The reward scale displayed ranges from 100 euros for a flaw of lower criticality to 25,000 euros for the most significant vulnerabilities. Researchers can examine the two mobile applications, for iOS and Android, or the mobile.france-identite.gouv.fr/ API used to communicate with the application backend.

These vulnerabilities can yield bounties of up to 10,000 euros.

To win the jackpot, you will have to follow one of the scenarios

But to hit the jackpot, you will have to focus on one of the scenarios described by the program, which aim to test the reliability of the registration system for new users and of the import of identity cards within the application.

For example, if you find a way to register an account on the application and complete the initialization process with a fake ID card, you can claim a reward of up to 25,000 euros. The program specifies, however, that flaws discovered on websites linked to the application are not eligible for rewards.

Bonuses for everyone

This is not the first time that France Identity has been put to the bug bounty test: a first program, already in partnership with YesWeHack, was launched in June 2022. But that was a private, invitation-only program bringing together around thirty bug hunters and covering the versions of the service then under development.

This first program made it possible to correct several flaws identified by researchers during the development of the application, and the opening of the program to the general public aims to identify those which may have slipped through the cracks.

The government has used the services of YesWeHack several times in recent months to test the reliability of its new services: Dinum has offered programs covering France Connect, Tchap and the demarches-simplifiees.fr platform via YesWeHack to reward researchers reporting flaws.

Each time, the rewards are adapted to the criticality of the application and of the vulnerability: count on a maximum reward of 4,000 euros for a critical vulnerability in Tchap, 5,000 € for the demarches-simplifiees.fr platform or 20,000 € for France Connect.


