SNCF Connect is doing everything possible to guarantee secure browsing and optimal protection of its customers' data.
If, despite our efforts, you believe you have detected a security flaw, we invite you to contact us so that we can intervene quickly.
For effective processing, be as precise as possible (elements that make it possible to reproduce the flaw, screenshot, code used, etc.).
If the information provided is insufficient, our technical team may need to contact you, and will keep you informed of the follow-up given to your report. SNCF Connect thanks you in advance for your cooperation.
At SNCF Connect, the security of our users and the protection of their data are at the heart of our priorities. We believe that no system is foolproof, and that collaboration with the security research community is essential to identify and fix vulnerabilities before they can be exploited.
That's why we've set up a bug bounty program in partnership with YesWeHack, a recognized platform that connects organizations with an international community of ethical hackers.
Our approach
Our Bug Bounty program is part of a proactive approach to security. It complements our internal and external audits by allowing independent experts to test our web and mobile applications and APIs in real-world conditions.
The goal is simple: quickly identify vulnerabilities and fix them effectively to ensure a high level of security for our services and users.
How to participate?
We invite security researchers to analyze the perimeters defined in our program and to report any vulnerabilities identified to us via the YesWeHack platform:
Reports should be:
- Clear and reproducible
- Accompanied by proofs of concept if necessary
- Submitted responsibly and confidentially
Only the first valid reports that comply with the program rules will be eligible for a reward.
Rewards
Rewards are awarded based on:
- The criticality of the vulnerability
- Its real impact on users and the system
As with most YesWeHack programs, the bounties follow a progressive scale (from low to critical), which can range from a few dozen to several thousand euros depending on the severity of the flaw.
Each report is analyzed by our security teams, and rewards are granted based on the most impactful exploitation scenario.
Best practices
To ensure a responsible research environment, we ask participants to:
- Not disrupt services in production
- Not access, modify or disclose user data
- Strictly respect the defined perimeter
- Avoid intrusive or destructive techniques
We value collaboration based on trust, transparency and respect for users.
Open collaboration
By participating in this program, you are directly contributing to improving the security of SNCF Connect and protecting millions of users. We firmly believe that safety is a collective responsibility, and we thank all the researchers who are committed to working with us.