FranceConnect / FranceConnect+ - DINUM
Bounty Range
Up to $30,000
external program
Rewards by severity: Low €100, Medium €800, High €3,000, Critical €30,000 (minimum €0)
Avg reward: -
Max reward: €2,500
Scopes: 5
Supported languages: English, French
Reports: 228
1st response: < 1 day
Reports last 24h: 5
Reports last week: 25
Reports this month: 63
Program description
FranceConnect is the SSO solution developed by the French government for its citizens, based on the OpenID Connect protocol. It allows citizens to log in to many public and private online services using their existing credentials from certified public and private identity providers (IMPOTS, AMELI, La poste identité numérique, ...).
FranceConnect+ enhances the SSO with additional security measures to reduce the risks associated with sensitive services.
As the official French SSO, it is crucial for us to ensure a high level of security on our platform. Here is a list of the typical scenarios we are concerned about:
Users' data exfiltration
Misuse of users' identities
Users' redirections towards malicious websites
To maintain an efficient and fair triage process for all researchers, strict requirements for clarity, verifiability, and reproducibility apply to every submission. Each report constitutes a request for evaluation and must be clear, validated, reproducible, directly actionable by our teams, as well as fully compliant with the rules set out below. Submissions that are imprecise, excessively vague, unnecessarily verbose, combine multiple issues, or fail to clearly demonstrate exploitability may be deemed ineligible.
Reports must reflect genuine validation efforts regardless of the tools used (AI is a tool). Failure to meet the program’s requirements may result in the report being closed as spam without further analysis or reward, even if a corrective measure is later implemented.
The classification of reports, their validity, and their eligibility for any potential reward are determined at our sole discretion in accordance with the program terms. Nothing in this program shall be interpreted as creating any obligation to grant a reward.
You must be the first reporter of the vulnerability.
The vulnerability must not have already been taken into account internally to qualify.
The vulnerability must be a qualifying vulnerability (see below).
Many endpoints share the same codebase. If two or more endpoints use the same codebase and a single fix can be deployed to fix all of them, only one endpoint will be considered eligible for a reward and the other reports will be closed as Informative. Such reports will be reviewed on a case-by-case basis.
You must send a clear textual description of the report along with steps to reproduce the issue, and include attachments such as screenshots or proof of concept code as necessary.
You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit yourself in terms of requests per second).
A vulnerability found in the integration environment must also be reproducible in production under reasonable assumptions.
Out-of-scope compromises, such as an IdP compromise, must demonstrate a flaw in FC as well as reflect a credible attacker objective that leads to additional impact beyond the initial compromise itself.
You must not leak, manipulate, or destroy any user data. We kindly ask you to not use collaborative tools for your research notes in order to avoid any unwanted disclosure or leak potentially exploitable by a third party.
You must not be a former or current employee / contractor / auditor of DINUM / FranceConnect.
In the context of this program, we do not intend to encourage, accept or reward reports of leaks or exposed credentials.
We will only consider vulnerabilities or leaks that are identified directly on the scope of this program.
Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers.
This excludes, but is not limited to:
Stolen credentials gathered from unidentified sources (e.g. …)
Exposed credentials on an out-of-scope asset
Exposed GitHub/GitLab (or similar) instance
Exposed secrets (e.g. API tokens/keys or other technical credentials)
Exposed PII on an out-of-scope asset
To summarize our policy, you may refer to this table:
| | Source of leak is in-scope | Source of leak is out-of-scope |
|---|---|---|
| Impact is in-scope (e.g. valid credentials on an in-scope asset) | Eligible | Not Eligible |
| Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset) | Eligible | Not Eligible |
Please refrain absolutely from using any URL suffixed by ".gouv.fr", to prevent production disruption and to avoid being treated as a real threat.
Please append to your user-agent header the following value: ywh-pubbb-1 when testing on *.integ01.dev-franceconnect.fr. This will help us to identify your requests and avoid blocking you. You can also use words like "BugBounty" in your parameters to help us identify your requests.
This section covers the easiest way to test our platform. It is also the only way to test our platform if you do not wish to use the local stack (see below).
A good starting point for your journey is to access a fake (mock) service provider (SP/RP in OpenID Connect terminology) and test the connection on our integration platform. You can use [this RP](https://fsp1-low.integ01.fcp.fournisseur-de-service.fr/login) for FranceConnect and [this RP](https://fsp1v2.integ01.fcp.fournisseur-de-service.fr) for FranceConnect+. A connection works as follows:
On the RP, click on the FranceConnect ("S'identifier avec...") button at the bottom of the page (do not change any parameter for now).
Select your fake (mock) Identity Provider (IDP/OP in OpenID Connect terminology) and click on the "Continuer" button:
For FranceConnect / FranceConnect+, they are identified by the [image containing 1 to 3 locks, looking like this](https://auth.integ01.dev-franceconnect.fr/img/fi/fi-mock-eleve.svg).
Once you have clicked on your chosen IDP, you will be prompted to log in:
Use test / 123 for FranceConnect+ or any account in the [following list](https://github.com/france-connect/sources/tree/main/docker/volumes/fcp-high/mocks/idp/databases/citizen)
Use test / 123 for FranceConnect or any account in the [following list](https://github.com/france-connect/sources/tree/main/docker/volumes/fcp-low/mocks/idp/databases/citizen)
You will be prompted to consent to the sharing of the data with the RP. Click on the "Continuer" button.
🎉 Congratulations, you are connected! After login you can also use the "Révoquer token" button to revoke the current access_token or "Recharger userinfo" to reload the user data from the IDP. You can also use the "Se déconnecter" button to disconnect from the IDP.
🎉 You can now tweak the parameters of the connection on the mock RP to test different scenarios. See [the OpenID Connect documentation](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) for more information.
To better understand the scope, you can access the integration user dashboard at https://tableaudebord.integ01.dev-franceconnect.fr; it acts like a service provider. Note that it is out of the scope of the program and only at your disposal to help you better grasp the workflow.
If you want to dig a little deeper, you can use the local stack. You can find [instructions here](https://github.com/france-connect/sources/blob/main/docker/_doc/docker-stack.md). You will need access to our [docker repository](registry.gitlab.dev-franceconnect.fr/france-connect/fc) to deploy it. For this, you can use the credentials provided in the bug bounty program.
⚠️ You'll need to follow the new instructions on https://github.com/france-connect/sources/pull/5 to set up a local stack. It's a temporary measure to get the stacks to work.
You will find a [Docker-stack Quick Start guide here](https://github.com/france-connect/sources/blob/main/docker/_doc/docker-stack.md#quick-start). Once set up, you can also use the command docker-stack help to get a list of all the available commands.
Those stacks are used with docker-stack up followed by the stack name. Do not forget to use docker-stack start-all to start all the services afterwards. Use docker-stack prune to stop all the services.
min-fcp-low (light stack) or bdd-fcp-low (full stack) for FranceConnect
min-fcp-high (light stack) or bdd-fcp-high (full stack) for FranceConnect+
min-eidas-high (light stack) or all-eidas-high (full stack) for eIDAS
bdd-ud for the user dashboard
See https://hello.docker.dev-franceconnect.fr to find all running services and their URL. Generally you can use https://.docker.dev-franceconnect.fr to access the service (Ex. https://fsp1-high.docker.dev-franceconnect.fr for FranceConnect+ mock RP, used as in the black box section).
You can read more on FranceConnect here:
FranceConnect+: https://github.com/france-connect/sources/tree/main/back/instances/core-fcp-high
FranceConnect: https://github.com/france-connect/sources/tree/main/back/instances/core-fcp-low
[eIDAS Bridge](https://github.com/france-connect/sources/tree/main/back/instances/eidas-bridge)
[User Dashboard](https://github.com/france-connect/sources/tree/main/back/instances/user-dashboard)
Please use [email protected] for any question you may have. Please put [ywh-pubbb-1] at the beginning of the subject to help us qualify the ticket. We will do our best to answer promptly.
⚠️ All scenarios MUST follow the general rules of the Bug Bounty.
💡 Please note that "Something happens" is only for the sake of the example. It can be anything unexpected at any given time; the team will validate the submitted behavior.
💡 Please use only our mocks on the integration environment for the bug bounty to avoid service disruption. If you want to test your solution in production, you MUST submit a request to the team before.
Connect using a forged identity (existing or not) 30k€
Example:
1. Use FranceConnect+ button on a service provider
2. Select an identity provider
3. Use credentials of an existing user
4. Something happens
5. Your forged identity is connected on the service provider

Connect with substantial (eidas2) acr from the identity provider when the requested acr was high (eidas3) 20k€
Example:
1. Use FranceConnect+ button on a service provider with a high acr (authorize "acr_values" must contain "eidas3")
2. Select an identity provider (using mocks, you can force the returned acr to be eidas2)
3. Use credentials of an existing user
4. Something happens
5. There is no error returned from the identity provider
6. User is connected on the service provider with acr eidas2

Connect using a deactivated identity provider 20k€
Example:
1. Use FranceConnect+ button on a service provider
2. Something happens
3. Select an identity provider that is disabled
4. Use credentials of an existing user
5. There is no error returned from the identity provider
6. User is connected on the service provider

Connect using a forged identity (existing or not) 15k€
Example:
1. Use FranceConnect button on a service provider
2. Select an identity provider
3. Use credentials of an existing user
4. Something happens
5. Your forged identity is connected on the service provider

Connect using a deactivated identity provider 15k€
Example:
1. Use FranceConnect button on a service provider
2. Something happens
3. Select an identity provider that is disabled
4. Use credentials of an existing user
5. There is no error returned from the identity provider
6. User is connected on the service provider

Example:
1. Use the European mock service provider
2. Select "France" for your identity country
3. Select an identity provider on the FranceConnect+ page
4. Use credentials of an existing user
5. Something happens
6. Your forged identity is connected on the European mock service provider

Authorize an identity provider blacklisted by a user - 10k€
Example:
1. Connect to the user dashboard
2. Add an identity provider to an existing user's blacklist
3. Something happens
4. Connect to a service provider using FranceConnect+ or FranceConnect
5. Select the blacklisted identity provider
6. Use credentials of an existing user
7. There is no error returned from the identity provider
8. User is connected on the service provider

Alter the connection history page of a user 10k
Example:
1. Something happens
2. Connect to the user dashboard
3. Access the connection history page of an existing user
4. The connection history is altered
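As an added example (not code from FranceConnect or DINUM), here is how a defender-side validator can enforce the checks these scenarios target: the identity provider must be active, must not be blacklisted by the user in the dashboard, and the acr it returns must meet the level the service provider requested via acr_values. The types, the ACR_RANK ordering and the sample data are assumptions constructed for this example.

```typescript
// Added example, not FranceConnect's own code: the server-side checks the SSO core
// must apply to an identity provider's answer before logging the user in on the RP.
// Names, types and sample data below are assumptions constructed for this example.

// eIDAS levels of assurance, ascending (eidas1 = low, eidas2 = substantial, eidas3 = high).
const ACR_RANK: Record<string, number> = { eidas1: 1, eidas2: 2, eidas3: 3 };

interface IdpRecord { uid: string; active: boolean; }               // IdP as configured in the core
interface UserPrefs { sub: string; blacklistedIdps: string[]; }      // user dashboard preferences
interface IdpResponse { idpUid: string; sub: string; acr: string; }  // claims of a validated ID token

// Returns null when the login may proceed, otherwise the reason it must be refused.
function rejectReason(requestedAcrValues: string[], resp: IdpResponse,
                      idps: IdpRecord[], prefs: UserPrefs): string | null {
  const idp = idps.find(i => i.uid === resp.idpUid);
  if (!idp) return "unknown_idp";
  if (!idp.active) return "idp_disabled";                            // deactivated IdP scenario
  if (prefs.blacklistedIdps.includes(idp.uid)) return "idp_blacklisted_by_user";
  // acr_values from the RP lists acceptable levels; levels are treated as ordered (assumption),
  // so the weakest requested level is the floor and anything below it is a downgrade.
  const ranks = requestedAcrValues.map(a => ACR_RANK[a] ?? 0).filter(r => r > 0);
  if (ranks.length === 0) return "unsupported_acr_values";
  const obtained = ACR_RANK[resp.acr] ?? 0;                           // unknown acr ranks as 0
  if (obtained < Math.min(...ranks)) return "insufficient_acr";       // acr downgrade scenario
  return null;
}

// Constructed sample configuration.
const IDPS: IdpRecord[] = [
  { uid: "idp-mock-high", active: true },
  { uid: "idp-mock-legacy", active: false },
];

// Runs the three scenarios from the program description plus a nominal login.
function demo(): Record<string, string | null> {
  const noBlacklist: UserPrefs = { sub: "user-7", blacklistedIdps: [] };
  const blocksHigh: UserPrefs = { sub: "user-42", blacklistedIdps: ["idp-mock-high"] };
  return {
    ok: rejectReason(["eidas3"], { idpUid: "idp-mock-high", sub: "user-7", acr: "eidas3" }, IDPS, noBlacklist),
    downgrade: rejectReason(["eidas3"], { idpUid: "idp-mock-high", sub: "user-7", acr: "eidas2" }, IDPS, noBlacklist),
    disabled: rejectReason(["eidas2"], { idpUid: "idp-mock-legacy", sub: "user-7", acr: "eidas2" }, IDPS, noBlacklist),
    blacklisted: rejectReason(["eidas3"], { idpUid: "idp-mock-high", sub: "user-42", acr: "eidas3" }, IDPS, blocksHigh),
  };
}

console.log(demo());
```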
Rewards grid:
| Asset value | CVSS Low | CVSS Medium | CVSS High | CVSS Critical |
|---|---|---|---|---|
| Critical | €100 | €800 | €3,000 | €30,000 |
| High | €100 | €800 | €3,000 | €10,000 |
| Medium | €100 | €500 | €1,500 | €5,000 |

Scopes:
| Scope | Type | Asset value | Rewards (Low / Medium / High / Critical) |
|---|---|---|---|
| Specific scenarios (see program description) | Other | Critical | €100 / €800 / €3,000 / €30,000 |
| FranceConnect+ (see program description for github link) | Web application | High | €100 / €800 / €3,000 / €10,000 |
| FranceConnect (see program description for github link) | Web application | High | €100 / €800 / €3,000 / €10,000 |
| eIDAS Bridge (see program description for github link) | Web application | High | €100 / €800 / €3,000 / €10,000 |
| User Dashboard (see program description for github link) | Web application | Medium | €100 / €500 / €1,500 / €5,000 |
Please append to your user-agent header the following value: "ywh-pubbb-1".
When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.
For more information, see the [help center](https://helpcenter.yeswehack.io/hunter/hunter-collaboration). Note: for reports that have already been rewarded, it is not possible to redistribute the rewards.
To submit a vulnerability report, you need to log in with your hunter account.