FranceConnect, the authentication system used by public (and some private) service sites, is not infallible. Like any piece of software, it can contain security vulnerabilities, and some of them are very hard to find. To help uncover them, the government has set up a bug bounty that can pay off big!
"White hat" hackers, i.e. those who use their skills for ethical purposes, as well as simply knowledgeable amateurs, can take part in a bug bounty run by DINUM, the interministerial digital directorate. This bug hunt can pay off big: up to €20,000!
Looking for security vulnerabilities
But to hit this jackpot, you must first have discovered a critical security vulnerability in FranceConnect or AgentConnect. These two single sign-on (SSO) solutions are based on OpenID Connect, a protocol built on top of the OAuth 2.0 standard. The first, FranceConnect, is well known to citizens who use it to log in to the tax site or to their Ameli account. AgentConnect is intended for civil servants accessing internal government services.
Obviously, the security of such authentication systems is crucial. DINUM is particularly interested in data exfiltration, identity theft (impersonating another user) and the redirection of users to malicious websites. The agency provides tools, instructions for testing for vulnerabilities (for example, a dedicated site for testing FranceConnect) as well as GitHub repositories.
To receive €20,000, you will need to log in to FranceConnect using a false identity. Other rewards are also offered, and the most deserving participants will also earn a place in a public ranking! All the information on this bug bounty can be consulted here.
Source: Zaraz