YesWeHack, Europe’s leading Bug Bounty platform, is proud to partner with Swiss Post to review Switzerland’s future e-voting system. Recently, Swiss Post announced the publication of the revised source code and the launch of its public bug bounty program for the upcoming e-voting system for Switzerland. The security review is entering a new phase, with the company inviting researchers worldwide to examine the underlying cryptographic principles for errors and test over 150,000 lines of dense code.
Swiss Post is Switzerland’s national postal organisation. The organisation is now extending its leadership to the digitalisation of the Swiss voting system.
E-voting was first introduced in Switzerland on a limited basis in 2003 as part of ongoing tests. Under federal legal provisions, e-voting systems must meet high requirements on security, reliability, voting secrecy, and verifiability. These requirements form the framework for the system architecture. The systems need to withstand countless quality tests and simulated hacker attacks to be approved for real votes. Only a transparent e-voting solution can be successful in the long term. Hence, cooperation with independent security experts to develop and improve the system continuously is crucial.
The disclosure of the future Swiss e-voting system with complete verifiability began in early 2021 and is being conducted in phases, to ensure there is enough time to implement reported improvements. Such highly specific assets require unique skills and the engagement of the most trustworthy researchers, and only a rock-solid organisation can be entrusted with such a strategic project.
Last year, Swiss Post launched a private bug bounty program with YesWeHack, inviting over 800 global security researchers to test the e-voting system. Following its success, the organisation is moving to a public bug bounty program. To incentivise the security experts, Swiss Post will pay a relatively high reward of up to 230,000 Euros for confirmed critical vulnerabilities in e-voting.
Marcel Zumbühl, Chief Information Security Officer at Swiss Post, explains: “To attract leading experts and top hackers, we’re offering sizeable rewards for confirmed vulnerabilities in e-voting. While they are the industry norm by international standards, they are much higher than those of the average bug bounty programs at Swiss Post and in Switzerland. This is due to the scope and complexity of the e-voting system.”
In Switzerland, e-voting might be among the most vital technology components of the Swiss Confederation – as it supports the core of the Swiss direct democracy. Bug bounty programs are deemed best practice globally to support such initiatives, and organisations of all sizes are turning to them to secure their digital assets.
“The oldest, yet one of the most advanced democracies in the world relies on YesWeHack to secure this vital pillar of their democratic system. Crowdsourced security plays a crucial role in building citizen trust, and YesWeHack is proud to be the partner of choice to run Swiss Post’s bug bounty program. Without exaggerating and considering all aspects of the project, this is the most ambitious, strategic, and ‘sensitive’ public bug bounty program ever launched. This is a strong and bold step forward. With electronic voting, the Swiss direct democracy and traditions of political rights will eventually move into the digital age in confidence,” said Guillaume Vassault-Houlière, the CEO and Co-Founder of YesWeHack.