
“Digital security requires openness – and the hacker community”

Selim Jaafar is responsible for Customer Success at the hacking platform “YesWeHack”. In our interview, he explains why ethical hackers play a key role in protecting democratic processes such as e-voting. He talks about Swiss Post’s public security test, the importance of transparency and why bug bounty programmes are now a proven tool for digital security.

What role does the hacker community play in strengthening digital trust in democratic processes such as e-voting?

The hacker community plays a key role in the security of digital systems. It complements existing protective measures, uncovers vulnerabilities and strengthens trust – especially in sensitive applications such as e-voting. In contexts such as electronic voting and digital trust more broadly, this process offers citizens an important guarantee: that all possible techniques and resources have been mobilized to ensure maximum security. Given the challenges and potential threats, the expectations are, of course, very high.

Selim Jaafar
Selim Jaafar has been working at YesWeHack since 2019, where he is VP for Customer Success, responsible for the development and support of bug bounty programmes for customers worldwide. He holds a Bachelor’s and Master’s degree in Information Systems Management from the University of Paris-Dauphine and started his career in IT security and project management at Natixis, followed by a job as a consultant at Harmonie Technologie. At YesWeHack, he helps organizations – including public institutions – to introduce and optimize security initiatives, and works to ensure transparent and effective collaboration with the global hacker community.

Why are public intrusion tests so important for organizations that handle sensitive digital services, such as Swiss Post?

Bug bounty programmes enable in-depth security testing that goes beyond traditional testing methods. They mobilize many experts over a longer period of time and detect vulnerabilities more quickly and comprehensively. Public programmes such as e-voting increase transparency, invite broad participation and send a clear signal: security is the top priority.

 

 

How has the YesWeHack approach to public intrusion testing developed over the years, particularly in relation to systems for handling sensitive data?

YesWeHack works with authorities and on sensitive projects all over the world to strengthen digital security through bug bounty programmes. With Swiss Post’s e-voting programme, the source code and test environment were made public and high rewards were offered – this enabled the e-voting programme to attract particularly qualified hackers. The broad communication also motivates researchers outside the hacker community and shows how such programmes contribute to security and trust in digital services.

 

About the “YesWeHack” bug bounty platform

YesWeHack is a European bug bounty platform that supports organizations such as Swiss Post in making their digital systems more secure through ethical hacking. It brings companies together with a global community of security researchers to identify vulnerabilities in an efficient and transparent way. With customized programmes – from private tests to public initiatives – YesWeHack promotes digital security and trust in critical applications such as Swiss Post’s e-voting system. 

In your opinion, what distinguishes Swiss Post’s security initiative from other public bug bounty programmes in Switzerland and abroad?

The uniqueness lies primarily in the system itself – in its complexity and the effort required to make it accessible to a large number of testers under near-real conditions. This includes creating and maintaining a scalable, dedicated environment that provides self-service access to large quantities of fake voting cards, enabling a wide range of tests. Secondly, the financial rewards are above the industry average. Precise scenarios are also provided to explain the specific risk model for e-voting. Another prominent feature is transparency: results are systematically published, including the vulnerabilities that have now been remedied. Together with the publication of the source code, this ensures greater verifiability and strengthens trust. Since last year, Swiss Post has made all of its digital applications available for security testing as part of the bug bounty programme. Finally, the programme’s strength lies in the breadth of areas it covers. Such depth is rare in bug bounty programmes. 

 

 

What advice would you give to other public institutions or companies considering introducing a public intrusion test or bug bounty programme?

Bug bounty programmes pay off – even on a smaller scale. They help organizations of all sizes to protect their systems in a targeted manner. YesWeHack offers support, experience and suitable solutions. Bug bounty has long been standard and it is well worth getting started.

 

 

What has been the greatest success so far with the public intrusion test on e-voting?

For me, the greatest success is that the intrusion test has become a recurring exercise. Swiss Post and its partners are determined to carry out the tests year after year in the best possible conditions. This commitment alone is a major achievement. What’s more, I see progress every year: better organization, stronger support for testers, broader communication and increased participation. The scope and impact of the initiative continue to grow.

 

 

How can the success of Swiss Post’s intrusion test be measured – for example, by data traffic or compared to similar tests?

Metrics are difficult to compare – especially in complex systems such as e-voting. Criticism of rewards or ambitions often misses the context: the e-voting programme is one of the most demanding in the world – with a high level of transparency, a clear methodology and continuous development.

 
