Cyber attackers sought: Swiss Post begins endurance test for e-voting system

Security is the top priority for e-voting in Switzerland.

Swiss Post is committed to transparency in e-voting: since 2021, all security-relevant components of its e-voting system have been publicly accessible. Specialists around the world can test the system around the clock through an open-ended bug bounty programme – with the prospect of financial bonuses for confirmed vulnerabilities.

Swiss Post also regularly conducts what are known as public intrusion tests. Over the course of a set period of time, ethical hackers systematically attempt to hack into the system. Tests of this kind are prescribed by law and are a key component of e-voting trial operation in the cantons. The public intrusion test, which lasts several weeks, is part of Swiss Post’s e-voting community programme.

The intrusion test will last until 24 August 2025

From today until 24 August, Swiss Post is making its e-voting environment available for targeted attacks at pit.evoting.ch. The latest version of the system, which will be used for votes and elections from 2026, is set to be tested. IT professionals around the world can simulate the voting process, identify security vulnerabilities and attempt to infiltrate the electronic ballot box. For the first time, they can also test the functionality of the open text fields. These “write-ins” can be used for elections in which voters can enter their preferred candidates themselves if they are not on the official lists.

Attractive rewards for successful participants

For confirmed vulnerabilities, Swiss Post pays premiums of up to 250,000 francs. In addition to the bonus, the hackers who report the first three confirmed findings will receive a bonus of 3,000 francs. Since the launch of the bug bounty programme for e-voting, Swiss Post has paid out over 220,000 francs for confirmed findings to ethical hackers.

Why public security testing works

Public intrusion tests are a proven cybersecurity tool. They supplement internal and external audits with independent testing carried out by the global IT community.

The advantages:

• Diversity of perspectives: different ways of thinking lead to more creative hacking scenarios.
• Realistic tests: the attacks simulate real threats in real-life conditions.
• Early detection: vulnerabilities are discovered before they can be exploited.
• Building trust: transparency strengthens trust in digital processes and Swiss Post’s e-voting system.
  
  

Cybersecurity at Swiss Post: more than just tests

Public tests such as the PIT and events like BärnHäckt are important components of Swiss Post’s e-voting trial operation and cybersecurity strategy. But they are only one part of a comprehensive approach to security:

• Security by design: Security is part of the system architecture from the outset.
• Regular audits: Internal and external audits remain key.
• Security awareness: Training sessions raise the security awareness of everyone involved.
• Transparent communication: Openness in dealing with vulnerabilities creates trust.

Once the intrusion test is complete, Swiss Post will publish a report – as it has in previous years. For those interested, it details whether the system withstood the attacks, and how.