Protecting democratic values: First-ever live bug bounty for NGOs and CivicTech


For this edition of FIC 2019, YesWeHack is organising, for the first time in the history of FIC, a special event dedicated to Bug Bounty.

The International Cybersecurity Forum: the European reference event bringing together all stakeholders in digital trust will take place on 22 and 23 January.

This unprecedented bug bounty campaign will take place in an original space reserved for dozens of security researchers so that they can operate over several scopes, and where applicable, earn rewards according to the criticality of the reported vulnerabilities.

For this Premiere, the scopes are submitted by NGOs and CivicTech projects wishing to harden their systems and thus better protect their information assets and their reputation.

YesWeHack has chosen this year to help NGOs and Civictech as a priority, because many European citizens use tools developed by this sector to contribute to the common good, democracy, associative and charitable projects.

“For all actors, customers, developers and researchers, this Bug Bounty campaign within the 2019 FIC is a great and useful opportunity to exchange and confront the reality of threats in order to significantly increase the level of security and privacy by design”

Guillaume Vassault-Houlière – CEO @YESWEHACK

The Bug Bounty’s area will welcome bug hunters who will cooperate with “program managers” from the selected projects with the support of Romain Lecoeuvre, the CTO of the YesWeHack team.

The rewards will be of two types: a total prize pool of several thousand euros is planned to reward the best researchers and goodies collectors will delight some players.

This special FIC2019 Bug Bounty Campaign is part of the concrete and logical follow-up of the Paris Call to strengthen cooperation between digital players, of which YesWeHack is one of the first signatories.

So be ready for FIC 2019 on the 22nd & 23rd of January 

/! Register first of all /!

☆☆☆ Code of conduct ☆☆☆

  • No Denial of Service attacks, no Brute-Force, social engineering attacks or physical attacks and no spam!
  • No public disclosure of Bug.
  • We reserve the right to cancel programs at any time and the decision to pay a reward is at the sole discretion of the program managers.
  • You must not break the law and stay within the set perimeter.
  • You must not disrupt the service or corrupt personal data.
  • Any failure to comply with the rules will result in the submission being invalid or even excluded from Bug Bounty’s program.


  • Each hunter will be required to have an account on the Bug Bounty YesWeHack platform ( in order to validate the rules before hunting bugs and accessing the various programs.
  • Each Hunter of the FIC 2019 bounty bug will be subject to the conditions of use of the YesWeHack bug bounty platform ( via his/her registration.
  • No employee(s) (current or past) in the program’s perimeters may claim to be eligible for a reward.
  • Comply with the rules of each program described on
  • Be the first to report a vulnerability. Submission of a bug that could compromise the integrity of user data, bypass user data privacy protection or allow access to a system within the infrastructure, such as: authentication bypass, XSS/SQL/XML injections, CSRF, SSRF, remote arbitrary code execution. Qualifying vulnerabilities for a bonus will be indicated in the details of each program.
  • Only an exploitation from one of the IP addresses assigned to the 2019 FIC will be considered valid.

Bug submission Rules

  • Exclusive use of the Bug Bounty platform (Pseudo/hash check – Submission Timestamp)
  • Provide enough information to analyze the attack path as well as to be able to easily replay it, which will facilitate the validations of the submissions, which will have an impact on the amount of the reward.
  • The validity of each submission and the amount of the fees will be decided by the program managers present on site.