Publications and source code
As part of its cybersecurity strategy, Swiss Post focuses on the public review of applications and services. This is why it runs bug bounty programmes that reward hackers and cryptographers financially for scrutinizing the system and uncovering confirmed vulnerabilities. In 2021, Swiss Post published all the core, security-relevant components of its e-voting system and launched its bug bounty programme for an indefinite period. This allows specialists from all over the world to analyse, scrutinize and test the system. Swiss Post continues to work on its e-voting system to ensure it is always protected against cyberattacks.
Complete disclosure of the new e-voting system
In 2021, Swiss Post published its new, fully verifiable e-voting system in multiple stages as part of a community programme so that independent experts could test it. Swiss Post also launched a public bug bounty programme for e-voting for an indefinite period of time.
More information on the disclosure can be found on the e-voting community website.
The Federal Council has granted four cantons an initial licence for the e-voting trial operation. Swiss Post’s e-voting system will be used. The e-voting trial operation is authorized until May 2025 in the Cantons of Basel-Stadt, St. Gallen and Thurgau and until March 2026 in the Canton of Graubünden.
Public intrusion tests
Public intrusion test 2023
Ethical hackers could put the e-voting infrastructure to the test from 8 to 31 July 2023. Swiss Post pays rewards of up to 230,000 euros for confirmed findings. All reports received are listed on the specialist platform GitLab.
Public intrusion test 2022
Swiss Post’s final report can be found here.
Public intrusion test 2019
During the four-week stress test, around 3,200 international IT experts carried out targeted attacks on the new e-voting system. After the completion of the intrusion test, there were no manipulated votes in the electronic ballot box. The hackers did not manage to infiltrate the e-voting system. Attempts at overloading the system through DDoS attacks were unsuccessful. The hackers submitted a total of 173 findings. The Federal Chancellery, cantons and Swiss Post confirmed 16 of them. They all come under the lowest classification level of “Best Practices”.
Swiss Post’s final report summarizes the results and findings of the intrusion test.
Swiss Post’s final report can be found here.
The Confederation’s final report can be found here.