To identify vulnerabilities in the FranceConnect and AgentConnect applications, the interministerial digital department (Dinum) has promised a reward of 20,000 euros to anyone who manages to hack them.
Called a “bug bounty”, this operation launched by Dinum allows software publishers to fix flaws in their programs by rewarding users who report bugs, BFMTV reports. Organized by the website YesWeHack, the program will connect administrations and companies with ethical hackers.
Find security vulnerabilities
As a reminder, FranceConnect is a system that allows you to log in to various online public services, such as Ameli or the Impots website, with a single identifier. AgentConnect is intended for agents working in the state public service.
Dinum’s goal is to find security vulnerabilities in FranceConnect and AgentConnect, such as exfiltration of user data, misuse of a user’s identity, or even redirection of users to malicious websites.
Tools and instructions will be made available
And what better than a reward to attract hackers? Here are the different amounts promised by Dinum:
– Connect using a fake identity (existing or not): 20,000 euros
– Log in with a substantial acr (eIDAS2) from the identity provider when the requested acr is high (eIDAS3): 15,000 euros
– Log in using a deactivated identity provider: 15,000 euros
AgentConnect, FranceConnect:
– Connect using a fake identity (existing or not): 10,000 euros
– Log in using a disabled identity provider: 10,000 euros
– Connect to a European service provider using a fake identity (existing or not): 15,000 euros
– Authorize an identity provider by blacklisting a user: 10,000 euros
– Modify a user’s connection history page: 10,000 euros
To do this, the agency will provide volunteers with tools and instructions to test for potential security vulnerabilities on the two government platforms.
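Two of the scenarios listed above (a substantial acr accepted when high was requested, and a login through a deactivated identity provider) come down to checks a service makes on the identity claims it receives. The sketch below is an added example, not FranceConnect or AgentConnect code; the lowercase level strings, the `eidas1` level, the `idp` claim name, the provider ids and the function names are assumptions.

```python
# Added illustration: claim checks after an OpenID Connect login.
# Level labels follow the article (eIDAS2 = substantial, eIDAS3 = high).
# Assumptions: lowercase level strings, "eidas1" as the low level,
# an "idp" claim naming the identity provider, and the provider ids.

ACR_RANK = {"eidas1": 1, "eidas2": 2, "eidas3": 3}


class LoginRejected(Exception):
    """Raised when the returned claims do not satisfy the request."""


def check_login(claims, requested_acr, enabled_idps):
    """Return claims if acceptable, otherwise raise LoginRejected.

    claims        -- ID token claims whose signature was already verified
    requested_acr -- assurance level the service asked for
    enabled_idps  -- set of identity provider ids currently enabled
    """
    if requested_acr not in ACR_RANK:
        raise ValueError(f"unknown requested acr: {requested_acr!r}")

    # A deactivated, unknown or malformed identity provider is rejected.
    idp = claims.get("idp")
    if not isinstance(idp, str) or idp not in enabled_idps:
        raise LoginRejected(f"identity provider not enabled: {idp!r}")

    # Fail closed: a missing or unrecognised acr ranks below every level.
    acr = claims.get("acr")
    returned = ACR_RANK.get(acr, 0) if isinstance(acr, str) else 0
    if returned < ACR_RANK[requested_acr]:
        raise LoginRejected(f"acr {acr!r} is below requested {requested_acr!r}")
    return claims


def is_accepted(claims, requested_acr, enabled_idps):
    """Boolean wrapper around check_login."""
    try:
        check_login(claims, requested_acr, enabled_idps)
        return True
    except LoginRejected:
        return False


# Constructed sample data (not real providers or tokens).
ENABLED = {"idp-a"}
DOWNGRADED = {"sub": "user-1", "idp": "idp-a", "acr": "eidas2"}
DISABLED_IDP = {"sub": "user-1", "idp": "idp-b", "acr": "eidas3"}
VALID = {"sub": "user-1", "idp": "idp-a", "acr": "eidas3"}
```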
Last May, the Ministry of the Interior called on ethical hackers to test the security of the MaProcuration.gouv.fr website.