Cybermalveillance.gouv.fr Bug Bounty Program

About Cybermalveillance.gouv.fr

Cybermalveillance.gouv.fr is an initiative of the French Government, launched in 2017, to respond to the uprising number of cyber-malicious-acts in France.

Cybermalveillance.gouv.fr is offering sensibilization, prevention and support in terms of cybersecurity to French citizens.

In 2017, the Public Interest Group against cybermalveillance.gouv.fr (GIP ACYMA) was created to carry these missions.

GIP ACYMA is addressing the following type of requesters:

• Private individuals
• Firms
• Local authorities

The website Cybermalveillance.gouv.fr is meant to be the unique and major entry point for all victims of cyber-malicious-acts. It offers advisory, prevention & sensibilization resources, and to put victims in contact with local service providers.

Objectives

It is crucial for us to ensure a high level of security on our cybermalveillance.gouv.fr platform. The typical scenarios we are concerned about:

• Victims' data exfiltration
• Modification or alteration of the tools and advices offered to the victims for awareness and assistance purposes
• Redirection of contact requests from victims towards malicious and/or unethical organisations

Eligible Vulnerabilities

When doing your risk assessment(s), keep in mind that the Service Providers are considered ethical and engaged in the project. Furthermore, Service Provider's accounts are subject to our verification and validation.

Responsible Disclosure & Confidentiality

GIP ACYMA believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our products or services, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

We kindly ask you to not use collaborative tools for your research notes in order to avoid any unwanted disclosure or leak potentially exploitable by a third party.

All testings must be conducted on https://pprd.cybermalveillance.gouv.fr, please avoid interfering with production environment.

Reward Structure

Systemic Issues

• 1st report: 100%
• 2nd report: 100%
• 3rd report: 60%
• 4th report: 40%
• 5th report: 25%
• 6th+ report: 10%

In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program's scope and policy.

Scope

Out of Scope

• https://www.cybermalveillance.gouv.fr
• Anything that is not explicitly listed in scope section

Vulnerability Types

Qualifying Vulnerabilities

• Cross-Site Scripting (XSS)
• Missing "secure" flags on authentication cookies
• Sensitive members information exposure except during a usual trip flow
• SQL Injection
• Remote Code Execution (RCE)
• Directory Traversal Issues
• Local File Disclosure (LFD)
• Exposure of internal tools (web apps showing metrics without authentication, development environments, etc)
• Exposure of configuration files or secrets (from Github or employee's opensource projects, etc)
• Access to sensitive data
• Cross-site Request Forgery (CSRF)
• Server-Side Request Forgery (SSRF)

Non-Qualifying Vulnerabilities

• EXIF data
• Rate Limiting
• Text/HTML Injection
• Homograph Attack
• Missing cookie flags
• Information disclosure
• Mixed content warnings
• Denial of Service attacks
• Software version disclosure
• Stack traces or path disclosure
• Any hypothetical flaw or best practices without exploitable POC
• Login, logout, unauthenticated or low-value CSRF
• Unverified results of automated tools or scanners
• Social engineering (including phishing) of cybermalveillance.gouv.fr staff or contractors
• Any physical attempts against cybermalveillance.gouv.fr offices or data centers
• Missing security-related HTTP headers
• Presence/absence of SPF/DMARC records
• Presence of autocomplete attribute on web forms
• Vulnerabilities affecting users of outdated browsers and platforms
• Self XSS
• Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept)
• Brute force / password reuse attacks
• User enumeration attacks
• Denial of service
• Missing cookie flags on non-sensitive cookies
• Attacks requiring physical access to a user's device
• Disclosure of known public files or directories (e.g. robots.txt)
• Massive automated actions on the platform through robots/crawling
• Persistent login cookie weaknesses
• Sell/ransom user information taken from password reuse or other attacks
• CORS configuration, except if you can show a way to exploit this vulnerability to compromise sensitive information
• Method TRACE
• Password policies
• DNSSEC issues
• Cache Poisoning
• Insecure Direct Object Reference (IDOR)

Hunting Requirements

Account Access

You can self-register as a victim.

You can also register as service provider, but these accounts are subject to admin validation. We will validate them on a regular basis, so please avoid creating several accounts for yourself as it would generate a greater workload for us and would subsequently extend our response time.

User Agent

Please append to your user-agent header the following value: ' ywh-public '.

Hunters Collaboration

When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.

Program Updates

2026-02-10: We are aware of limitations in the management of UUIDs in our URLs. These exploits are not trivial and are very limited in time, in addition to requiring prior knowledge of the UUID, which is not easily guessable. In light of this and the limited information available, we consider the risk to be acceptable on our part. We have therefore decided to no longer accept reports of IDOR or improper access control on this issue.

2025-10-22: We have decided to temporarily stop accepting new reports concerning cache poisoning. As things stand, we need to work more thoroughly to address this issue.