Swiss Post published all the key components and documents for its fully verifiable e-voting system in 2021 and has invited IT experts from all over the world to check the system for vulnerabilities as part of the e-voting community programme. Public scrutiny of this kind is a proven and effective cybersecurity tool that Swiss Post relies on in addition to internal and mandated security checks. Numerous cryptographers, ethical hackers and computer specialists have since scrutinized the system and sent over 300 reports to Swiss Post. Confirmed findings are categorized into the severity levels “low”, “medium”, “high” and “critical”. Five findings of “high” severity, all of which Swiss Post has since rectified, were reported through the public scrutiny. No critical findings have been reported to date.
Rewards in recognition of the effort
Security checks are time-consuming. This is why Swiss Post offers the prospect of financial rewards to ethical hackers who investigate its systems without any contractual relationship, in what is known as a bug bounty programme. As part of this programme, computer experts are invited to check IT systems for security vulnerabilities and receive a reward for any vulnerabilities they discover. Since the start of the e-voting programme, Swiss Post has paid out around 200,000 francs for confirmed vulnerabilities. The public scrutiny is now entering a new round, and Swiss Post is increasing the rewards for vulnerabilities in e-voting at all severity levels (CVSS scale) by 50 to 100 percent.
Speed and endurance pay off
The new rewards are available for the first time in this year’s public intrusion test, which starts today. The test runs until 3 July and is aimed at interested IT professionals from all over the world. It is worthwhile for them to begin in-depth testing quickly, as only the first person to report a given finding can expect a reward. Furthermore, the three fastest ethical hackers in the current intrusion test will receive a bonus of around 3,000 francs in addition to the regular severity-based reward if they identify an area for improvement or uncover a security vulnerability.
Third public intrusion test in a row
In an intrusion test, known as a pentest in specialist circles, ethical hackers attack the system in its IT infrastructure in order to detect security vulnerabilities. The legal basis requires such public security tests to be carried out repeatedly during the trial operation of e-voting.
Swiss Post has subjected its fully verifiable e-voting system to an annual public intrusion test since 2022. In the last round in summer 2023, 2,600 interested parties participated and put the system to the test with over 50,000 attacks. Swiss Post was able to confirm a finding of “low” severity.
Why are public security audits effective for more cybersecurity? Which additional measures are recommended?
Find out useful tips in the data security whitepaper.