Since 2021, the French Network of IT Directors (CoTer Numérique) and the Digital Security Club for Local Authorities (CSNC) have led an ambitious initiative: they’ve partnered with the French National Cybersecurity Agency (ANSSI) and Yogosha to pool security audits of web and mobile applications used by local authorities.

The idea is simple yet powerful: rather than running redundant, siloed security tests on the same assets, perform a single audit per application and share the results with all local authorities on a secure online platform. This approach not only reduces overhead costs but also strengthens collaboration across all members.

Looking Back: Two Successful Phases of Collaboration

Between May 2022 and September 2024, 15 critical applications were audited with funding from France’s national recovery plan and under the supervision of the French National Cybersecurity Agency:

  • Project leads: CD31, City of Chelles, City of Boulogne-Billancourt.
  • Security testing: Bug Bounty programs with Yogosha researchers, with all vulnerabilities centralized on the Yogosha platform.
  • Results: Over 130 vulnerabilities identified and remediated, including 22% classified as critical.

A single example illustrates the impact: one application had been tested 18 times in a single year by different authorities. Thanks to this shared initiative, the tests were consolidated — saving substantial time and budget, while improving remediation speed and quality.

As Marylyne Boubee, CISO of CD31 and President of the CSNC, explains:

“The concept was straightforward: why test the same application twenty times when one shared audit could benefit everyone?”

Phase 3: A New Momentum Funded by CoTer Numérique

In 2025, the momentum continues. With the recovery plan funding now complete, CoTer Numérique is stepping in to fund four Bug Bounty programs, each worth €10,000 (VAT included).

The selected local authorities, already clients of Yogosha, each received €10,000 in funding, provided that the results of their campaigns are shared with the joint Bug Bounty working group of CoTer and CSNC. This ensures that every test contributes to the community’s collective knowledge and protection.

Applications audited in this third phase include:

  • Publik by Entr’ouvert, a citizen relationship management platform, for Paris Ouest La Défense (POLD) & City of Nanterre. 
  • ENT ONE by Edifice, a digital platform for schools, for POLD & City of Suresnes.
  • Pégase by Inetum, a school transport management platform, for CD31.

Results, previously shared as static PDF reports, are now accessible online via two portals, one hosted by CoTer’s community space and one hosted by Yogosha, promoting transparency and collaboration.

As Antoine Trillard, President of CoTer Numérique, points out:

“CoTer decided to fund these programs to keep the momentum going. It’s a collective investment that benefits everyone and perfectly captures the spirit of cooperation that drives us.”

In 2024, POLD also launched a joint Bug Bounty and pentesting initiative through the Yogosha platform, made available to its 11 member authorities.

Benefits for Authorities and Software Vendors

This shared initiative has done more than just secure applications — it has transformed how local authorities and vendors approach cybersecurity. Among the tangible benefits:

  • Realized significant savings in time and budget by eliminating redundant security testing efforts.
  • Increased engagement from software vendors, such as Arpège and MGDIS, who have since launched additional Bug Bounty and pentest campaigns on other products in their portfolios.
  • Increased remediation velocity of vulnerabilities.
  • Optimized collaboration between IT and security leaders, creating a lasting network of shared expertise.

As Christophe Marnat puts it:

“This project proves that mutualization isn’t just a concept — it’s a practical model that delivers value, efficiency, and above all, stronger security for everyone.”

What’s Next: Standardization, NIS2, and Cybersecurity Education

The next steps of the project will focus on two main goals:

  • Standardizing security tests, ensuring consistent quality across different providers by using a 110-point security checklist based on the OWASP framework.
  • Preparing for NIS2 compliance, helping local authorities meet upcoming European cybersecurity requirements.

An educational dimension has also been added to the initiative, with several innovative programs designed to raise awareness and train the next generation of cybersecurity talent:

  • Hack Your High School: Since 2024, the Île-de-France Region has organized a Capture The Flag (CTF) challenge open to all high school students. The top 50 “cyber champions” were then invited to test the ENT (Digital Workspace) used by all students. The most active participants received an official certificate signed by the Regional President, the Academic Rector, and the President of Yogosha — a distinction recognized by ParcoursSup for higher education applications.
  • Educational Bug Bounty: Since 2024, Paris Ouest La Défense, in partnership with ESILV and Yogosha, has enabled students to train in offensive security by conducting real Bug Bounty campaigns — free of charge — on applications used by local authorities.
  • StarHack Program: Also launched in 2024 by Campus Cyber Nouvelle-Aquitaine, in collaboration with 15 regional universities, Marl DS, and Yogosha. Each year, 70 “cyber champions” are selected through a CTF to lead educational Bug Bounty campaigns on applications from local authorities and SMEs.
    The objective: to channel the ambitions of young talent, provide hands-on experience, and prepare the next generation of cybersecurity professionals for the public sector.

Towards Collective and Sustainable Cybersecurity

With over 30 applications audited and a unique collaborative model in France, the CSNC–CoTer–Yogosha initiative proves that shared security testing is a powerful lever to strengthen the cybersecurity of local authorities.

Phase 3 marks a new milestone — one driven directly by the associations themselves. Through collaboration, standardization, and education, this project continues to build a collective, pragmatic, and forward-looking approach to cybersecurity.
