Skip to content

The source code of the future e-voting system is publicly accessible

Swiss Post is publishing the source code of its future e-voting system today, while also launching an accompanying public bug bounty programme. This means that experts from all over the world can test the system, including by simulating voting procedures, and can report any vulnerabilities they identify. The expert community can now also review the detailed description of the open-source verification software. Following this step, the disclosure of the beta version of the system is almost complete.

Swiss Post has been focusing on the development of its future e-voting system since 2019. Its team of specialists at the cryptography center in Neuchâtel is working on this project. In early 2021, it started the disclosure of the system’s beta version and has since published various system components in several stages. The international expert community has already started testing the system and has submitted various reports, all of which have enabled Swiss Post to implement improvements and rectify errors.

150,000 lines of source code

Swiss Post is now publishing the source code of its future e-voting system. This means that most system components have been made public and are available for unrestricted testing by external experts. Swiss Post has been improving and developing its source code since 2019, focusing on improving auditability and rectifying errors. The aim is to enable independent experts to understand the source code as quickly as possible. To ensure good auditability of the system, Swiss Post commissioned an independent evaluation. The publicly accessible report indicates that the system has very good auditability (4.4 points in total out of a maximum of 5).

All software is continually developed and improved. Swiss Post is adopting the approach of transparent software development, with all modifications displayed. Updates to the source code will now also be published regularly on GitLab, even between releases, to enable the community to follow developments with ease.

Rewards of up to 250,000 francs

Swiss Post is disclosing all information about the system on an ongoing basis. In this respect, the testing of the e-voting system differs from other bug bounty programmes. Experts can examine the underlying cryptographic principles for errors, as well as testing the source code. Swiss Post pays relatively high rewards of up to 250,000 francs for confirmed critical vulnerabilities in e-voting. Marcel Zumbühl, Chief Information Security Officer at Swiss Post, explains: “To attract leading experts and top hackers, we’re offering sizeable rewards for confirmed vulnerabilities in e-voting. While they are the industry norm by international standards, they are much higher than those of the average bug bounty programmes at Swiss Post and in Switzerland. This is due to the scope and complexity of the e-voting system.” Hackers and cryptographers have to spend much more time testing the e-voting system than they would other applications.

Swiss Post is developing open-source verification software

Swiss Post is developing software for the complete verification of votes at its e-voting center in Neuchâtel. This is a technical tool for vote checkers. The verification software can identify falsified or modified votes even if one or more of the Swiss Post servers on which the system runs has been infiltrated. Swiss Post is now making these software specifications public.

Swiss Post will publish the source code of the verification software under an expansive open-source licence over the coming months. This will give third parties the opportunity to redesign or further develop the software and then also distribute it on a commercial basis. This means that the cantons will in future be able to access verification software that can be developed and operated independently of the rest of the e-voting system.

 

Aktuelles aus dem Community-Programm
  • Seit Januar 2021 haben E-Voting-Expertinnen und -Experten aus der Schweiz und dem Ausland insgesamt 24 Meldungen zum Community-Programm und den publizierten Systemkomponenten auf GitLab eingegeben. Darunter sind zwei Befunde mit Schweregrad «hoch». Einer betrifft die individuelle Verifizierbarkeit, der andere das Stimmgeheimnis. Zu beiden Meldungen liegt die Lösung vor und ist auf der Fachplattform GitLab dokumentiert. Bisher ist kein kritischer Befund eingegangen. 
  • Am 19.08.2021 hat das zweite Fachwebinar zum zukünftigen E-Voting-System stattgefunden, an dem nationale und internationale Fachleute teilgenommen haben. Die Präsentation und Aufzeichnung des Anlasses sind online verfügbar.
Resultate aus dem privaten Bug-Bounty-Programm
Die Post startet Bug-Bounty-Programme jeweils mit einer kleinen Gruppe von interessierten Fachleuten und weitet den Teilnehmerkreis sukzessive aus, bis das Programm öffentlich wird. Am privaten Bug-Bounty-Programm zu E-Voting, das bereits letztes Jahr gestartet ist, waren knapp 800 Hunter beteiligt. Diese haben 39 Meldungen eingegeben, wovon neun bestätigt wurden. Dafür hat die Post 53 000 Franken an die Melderinnen und Melder ausbezahlt. Die Resultate des privaten Bug-Bounty-Programms sind auf GitLab einsehbar.

Subscribe to the blog

Sign up for our E-government blog and you’ll receive regular updates on our latest blog articles, expert opinions and industry trends.