The StopCovid application in the hands of bug hunters

Changed on 03/06/2020
The StopCovid project team is launching a Bug Bounty program with French startup YesWeHack on Wednesday, May 27 to enhance the security of the StopCovid application. This initiative will mobilize a community of cybersecurity experts to search for potential vulnerabilities within the application and its infrastructure.

Bug Bounty StopCovid presentation

Bug Bounty StopCovid
In accordance with the goal of reliability that the StopCovid project-team wishes to pursue, the security of the application, which is currently being developed in prototype form (upstream of any political decision), will be tested by ethical hackers (called "hunters").

France is the first country to use a Bug Bounty program to secure its contact tracing application. In case of detection of flaws, these will be reported to the StopCovid project team in charge of the development of the application via detailed reports, in order to make potential corrections.

International and independent bug hunters

The Bug Bounty offers enhanced bug and vulnerability scanning capabilities, thanks to the participation of ethical hackers who put themselves in the shoes of malicious hackers. As part of the StopCovid project, around 20 experts from all over Europe will start testing the security of the application on Wednesday 27 May. They will be followed from June 2nd by all hackers from the YesWeHack community who wish to do so. In the event that the community discovers a vulnerability, the StopCovid project team will be able to correct the bugs that are critical to the proper functioning of the application.

Feedback from these contributors will be published on the YesWeHack website and uploaded to the GitLab Inria StopCovid on which the StopCovid application source code is published. Beyond this community, the source code will be accessible to anyone who wishes to consult it and make contributions.

An essential call to the community

ANSSI and Inria are pleased to be able to call on the community of cybersecurity experts through the use of the Bug Bounty. Sovereignty, confidentiality and security are the main principles governing this approach. This general mobilization will guarantee optimal reliability of the application throughout its life cycle.

    "For the ANSSI, the security of the application must be ensured by the combination of several processes. The assistance in the secure design and then the audit of the application carried out by our experts must be completed by the control of the code published in open-source by the digital community and by the organization of research for computer flaws, such as bug bounty," explains Guillaume Poupard, ANSSI's general director.

    "For Inria, as for all the partners and contributors of the StopCovid project team, cybersecurity is a major concern, in order to provide citizens with an application based on the highest standards in terms of security and the latest cryptographic algorithms.  As in any computer system, flaws can exist, hence the importance of the involvement in the project of ANSSI and specialists in the field, such as YesWeHack, to protect us from possible malicious attacks", says Bruno Sportisse, CEO of Inria.

News about the private Bug Bounty

  • Since the opening of the program on May 27th, 35 European ethical hackers including 21 French ones have been selected and invited by YesWeHack. 27 hackers have so far accepted the invitation.
  • The private phase of the program allows the StopCovid project team to test the application's entire functionality and infrastructure.
  • The application's Outscale Dassault Systèmes hosting infrastructure has already been the subject of a Bounty Public Outscale YesWeHack bug program.
  • Within the strict framework of this private phase, the backend servers can be reached via VPN links. Submission codes (+30,000) are also provided to the hunters so that they can test the entire application process: from downloading to the declaration stage (QR code scan or entry of the code provided by the health authorities).
  • Submission codes, for obvious functional reasons of data integrity, cannot be provided when the program is run in public and the application is officially made available to the public. The same will apply to privileged access to the infrastructure.
  • The private phase of the Bug Bounty was closed on June 1st. Out of the 12 bugs identified in the YesWeHack program, 7 were accepted as being within the scope of the Bug Bounty or being of general interest.
    Corrections are already under investigation. For more information: visit the Inria StopCovid gitlab where all accepted bugs have been reported.
  • Since June 2, the day the StopCovid application is launched, the public Bug Bounty StopCovid program is accessible on the YesWeHack platform.