Second step for France’s COVID-19 contact tracing app, which moves to a public Bug Bounty programme.
Paris – June 3rd, 2020 – YesWeHack, Europe’s Bug Bounty leader, announced the beginning of a public Bug Bounty programme for StopCovid, France’s official app in the fight against the spread of COVID-19. From today, the 15,000+ ethical hackers of the YesWeHack platform, spread across more than 120 countries, will be able to search for vulnerabilities in the application.
The public bug bounty programme follows a week-long private one where 35 European ethical hackers investigated all components of the app. As StopCovid goes to end users, the public bug bounty programme opens up. France is the first country to ensure continuous security for its contact tracing app through bug bounty.
A few minor bugs were discovered during the private phase
All the vulnerabilities identified were reported to the StopCovid project team. Out of the 12 bugs identified in the YesWeHack programme, 7 were accepted as being within the scope of the Bug Bounty or being of general interest: 5 minor to moderate security bugs, not allowing any immediate compromise of phones, infrastructure or data generated by the application, and 2 functional bugs. Corrections are underway and all accepted bugs have been reported on Inria’s Gitlab, the StopCovid project team’s bug tracker.
Public phase: strengthen the vulnerability hunt
StopCovid is officially accessible to all in France starting 2 June. According to the timeline set between the StopCovid consortium and YesWeHack, the public bug bounty programme opens on the same date. The vulnerability hunt is thus accessible to the 15,000-plus ethical hackers of the YesWeHack platform. Hackers from around the world will thus be able to help France strengthen the security of its application. The programme rules and perimeters are adapted accordingly.
With this second step, the StopCovid project team underlines the crucial role of crowdsourced security for data protection in the fight against COVID-19 – and how bug bounty can help build trust and transparency. Check out the public programme here.
Founded in 2013, YesWeHack is the #1 European Bug Bounty & VDP Platform. YesWeHack offers companies an innovative approach to cybersecurity with Bug Bounty (pay-per-vulnerability discovered), connecting more than 15,000 cyber-security experts (ethical hackers) across 120 countries with organisations to secure their exposed scopes and report vulnerabilities in their websites, mobile apps, infrastructure and connected devices. YesWeHack runs private (invitation-only) programmes, public programmes and vulnerability disclosure policies (VDP) for hundreds of worldwide organisations in compliance with the strictest European regulations.