Since the beginning of 2021, Swiss Post has been disclosing the beta version of its e-voting system in stages. The last time it published the source code was in September. At the same time, Swiss Post also launched the open-ended public bug bounty programme for the e-voting system. Depending on the severity, it will reward findings with up to 250,000 francs. This means that experts from all over the world can test the system, including by simulating voting procedures, and can report any improvements to Swiss Post. The aim is to find vulnerabilities early on with the participation of international experts, to correct them and thus continuously develop the system. The deliberately sought external view of independent experts is one piece of the mosaic in the development of a secure system. At the same time, public review is expected to become a federal requirement for e-voting systems in Switzerland that can be authorized for legally defined trial operation and used in cantons that are interested in the system.
Since July 2021, independent experts appointed by the Confederation have also been examining the beta version of Swiss Post’s e-voting system in parallel with the public review. The review will be completed with the publication of reports. Swiss Post will be notified in advance of the initial findings in order to ensure the rapid further development of the e-voting system. Swiss Post will also publish the resulting corrections on GitLab and on this website.
Findings concerning the e-voting system are classified into four severity categories (low, medium, high, critical). A description of the severity categories can be found on the e-voting community website.
So far, several hundred people, including specialists from science as well as ethical hackers, have participated in Swiss Post’s community programme on e-voting. Swiss Post has received 111 reports, including three findings with high severity. Two of them were received before the start of the public bug bounty programme. Swiss Post’s e-voting team discovered a new finding in October thanks to the analysis of the Confederation’s independent experts. Swiss Post has proposed solutions for all three findings, and in one case has already implemented the correction in the system. No findings of the highest severity (critical) have been received yet.
Swiss Post understands cyber security as a continuous participatory process. It is therefore pleased with the lively participation of specialists from around the world in its e-voting community programme. In this way, public scrutiny can have its full effect as a measure to keep the security of a system at the highest possible level at all times. Swiss Post corrects all serious findings before making its e-voting system available for use in the cantons.
In this blog post, you will find an overview of how public verifications are progressing and a regularly updated description of all confirmed findings, the severity of which Swiss Post classifies as high or critical after an in-depth technical analysis.