Last week, Swiss Post confirmed the first finding in the intrusion test. It has a severity of “low”. The person who reported the finding is Vladyslav Zubkov, 22 years old and a cybersecurity student at the Swiss Federal Institute of Technology (ETH) in Zurich. As the fastest hacker, he has received the bonus of €3,000, in addition to the reward of €1,000 for the finding. In an interview with Swiss Post, he explains how he became an ethical hacker and how he intends to focus his professional future on improving cybersecurity – including in his home country, Ukraine.
The finding I have reported is not a vulnerability that a hacker could exploit 1:1. There was an HTTP header that was not properly validated. It was found during a standard check of web security, as such points are checked by default. That’s why I was almost surprised when the finding was confirmed. I thought that someone else would surely be quicker.
Last year, I was doing a Master’s student project at the Federal Institute of Technology in Lausanne and wrote a paper on e-voting. In this context, I examined the system and found various improvements and weaknesses, which were reported in Swiss Post’s bug bounty programme. During the public intrusion test, I took a closer look again at the source code and the specification. In my view, the system has been greatly improved since 2022, and my findings have been addressed.
At first, it was just a student job for me. But when I got to know the project a little better, it piqued my interest: the system is very important from a political and social perspective. I think it’s great to be able to contribute to the security of a system that is so important for Swiss democracy and society. In addition, I believe Swiss Post’s e-voting bug bounty programme is also unique.
I’ve already taken part in lots of hacking events and bug bounty programmes run by major international companies. For me, Swiss Post’s e-voting programme stands out for various reasons: the topic itself has political relevance. The most important system components are disclosed, i.e. almost everything can be checked. It is also well documented how the system can be installed on the user’s laptop to simulate attacks.
As a bounty hunter, Swiss Post fulfils the three most important criteria for me: it handles findings in depth and has short response times, it pays good rewards, and there are always new aspects to explore in the programme.
It was almost six years ago. I was just under 17 at the time. I was already studying Computer Science at Odesa National Polytechnic University in Ukraine. Technically, I had increasingly turned to cybersecurity. So, I found out about the CTF competitions, penetration testing, bug bounty programmes, and I started ethical hacking as well as studying.
First, I’ll complete my Master’s degree. Afterwards, I would like to focus on the security of IT systems. Whether it’s as an independent researcher or whether I’m employed as an IT security expert in a start-up or an established company is currently of secondary importance to me. What’s important to me is that security constantly improves in systems that private individuals and companies use. In the future, I would also like to contribute to the digitalization of Ukraine in the context of cybersecurity.
As for me, when it comes to government technology, the issue of trust is the key: when software developers like Swiss Post disclose their systems, specialists like me can review and test them. This makes a significant contribution to building trust in systems as complex as e-voting. In my opinion, Switzerland, and Swiss Post as a system provider, are going in exactly the right direction in that regard.
Swiss Post’s new e-voting system enjoyed a successful premiere in the June 2023 votes in the Cantons of Basel-Stadt, St Gallen and Thurgau. However, even after its initial deployment, Swiss Post is continuing to develop the system, because security is the top priority in e-voting. The inclusion of ethical hackers in security audits is a particularly effective cybersecurity measure.Swiss Post has published the main components and documentation since 2021. It updates these on an ongoing basis so that specialists can check them. Swiss Post also conducts regular public intrusion tests, in which ethical hackers can attack the voting platform and look for vulnerabilities.
Swiss Post rewards confirmed findings with up to 230,000 euros, depending on the severity of the finding. In the intrusion test, it also offered the first three hackers who report a confirmed finding a bonus of 3,000 euros.