The StopCovid application, which is meant to detect people who have been in contact with individuals carrying Covid-19, will be launched on Tuesday 2 June. The Prime Minister announced this on Thursday during his progress update on the déconfinement (easing of lockdown) measures. Downloading the application will not be mandatory, only recommended. This was the sine qua non condition for the national data-protection authority (the Commission nationale de l'informatique et des libertés, Cnil) to give a favourable opinion on the deployment of this digital solution, stressing that "[it] will use pseudonymised data, without resorting to geolocation, and will not lead to the creation of a file of infected people"...
It remains to convince citizens that by downloading this application they will not be exposing their mobile phone to possible cyber attacks. To guard against possible security vulnerabilities, but also to avoid bugs that would damage the developer's image, the national institute for research in computer science and automation (Inria) and the national agency for information systems security (ANSSI) have therefore called for "an audit of the 'bug bounty' type for StopCovid, currently being developed as a prototype [...] in parallel with the audits and security checks conducted by the agency and its partners throughout the design".
The term "bug bounty" means, in French, a "bug hunt" of a rather special kind. This method of hunting vulnerabilities pays those who identify them, in the form of a bounty. That encourages hackers to report the vulnerabilities they find in code rather than selling them on the dark web.
Promoted since 1995 by the Netscape group in particular, the "bug bounty" technique has now become commonplace in the United States, where all the major companies offer rewards to hackers who contact them, helping them to strengthen their defences. In France, until now, operators had been using this method more discreetly. The Orange, Dailymotion and Qwant groups were the first to use it in the Hexagon (metropolitan France). They were soon followed by the public authorities, including the Ministry of the Armed Forces!
(Ethical) hackers to the rescue
By calling on the YesWeHack collective, which brings together a community of about 15,000 (ethical) hackers, the developers of StopCovid are no doubt hoping to reassure users. France is the first country to call on a bug bounty platform to secure a contact-tracing application.
Created in 2013, the YesWeHack group was born in the wake of an event: the "Nuit du Hack" (Night of the Hack), a convention bringing together the various players in IT security. Since 2016 it has positioned itself as a European alternative to the American companies HackerOne and Bugcrowd, which occupy the same niche. Although its turnover is not public, it has some forty employees spread over several sites around the world: Rouen, Paris, Munich, Lausanne and Singapore.
"Given the public-health purpose of the StopCovid tool and the fact that its development is being carried out free of charge by all stakeholders, we are not charging the State anything for this bounty, but we will cover the compensation of the hackers who report vulnerabilities. Each critical flaw detected will be worth 2,000 euros to its discoverer," says Guillaume Vassault-Houlière, president of YesWeHack. Since 27 May, thirty people spread across the world have been testing the robustness of the application. "We selected the profiles of the individuals invited to test the beta version of the app according to their specialities," says Guillaume Vassault-Houlière. Nineteen of them are French. All the others are European: "The team is made up of Belgians, Swiss, Spaniards, English, Germans and even Swedes," he explains.
What has been the result?
At this stage, several potentially fragile lines of code have reportedly been flagged to Inria. They may be vulnerabilities in the technology. They are being analysed by the developer and will be corrected if they turn out to be flaws. "From Tuesday, we will work to pass on to our partners all the issues that our community identifies," says the reformed hacker (formerly known by the handle Freeman). He seems convinced that this partnership with Inria will open other doors in business terms. "For the time being, we are posting a growth rate of 310%," he smiles.
The development prospects of this start-up are promising enough for it to have raised 4 million euros last February, notably from CNP Assurances but also from the fund Normandy Participation. YesWeHack's objective is to establish itself as the leading European player in the field of "bug bounty". But other players share the same hope: in particular the Yogosha platform, launched in 2015 by Yassir Kazar and Fabrice Epelboin (who has since left the company), which raised €1.7 million in 2017.