Second step for France's COVID-19 contact tracing app, which moves on to a public Bug Bounty programme.
YesWeHack has announced the beginning of a public Bug Bounty programme for StopCovid, France's official app in the fight against the spread of COVID-19. The 15,000+ ethical hackers of the YesWeHack platform, spread across more than 120 countries, will be able to search for vulnerabilities in the application.
The public bug bounty programme follows a week-long private one where 35 European ethical hackers investigated all components of the app. As StopCovid goes to end users, the public bug bounty programme opens up. France is the first country to ensure continuous security for its contact tracing app through bug bounty.
A few minor bugs were discovered during the private phase
All the vulnerabilities identified were reported to the StopCovid project team. Out of the 12 bugs identified in the YesWeHack programme, 7 were accepted as being within the scope of the Bug Bounty or being of general interest: 5 minor to moderate security bugs, none of which allows any immediate compromise of phones, infrastructure or data generated by the application, and 2 functional bugs. Corrections are under way and all accepted bugs have been reported on the StopCovid project team's bug tracker.
Public phase: strengthen the vulnerability hunt
StopCovid is officially accessible to all in France starting 2 June. According to the timeline set between the StopCovid consortium and YesWeHack, the public bug bounty programme opens on the same date. The vulnerability hunt is thus accessible to the 15,000-plus ethical hackers of the YesWeHack platform, and hackers from around the world will be able to help France strengthen the security of its application. The programme rules and scope are adapted accordingly.
With this second step, the StopCovid project team underlines the crucial role of crowdsourced security for data protection in the fight against COVID-19 – and how bug bounty can help build trust and transparency.
YesWeHack runs private (invitation-only) and public programmes as well as vulnerability disclosure policies (VDP) for hundreds of organisations worldwide in compliance with the strictest European regulations.