Bug bounty programme carried out for the Confederation's eIAM central access system

18.10.2022 - Since August 2022, a central bug bounty programme has been available to the entire Federal Administration. It has now been used on productive systems for the first time. The National Cybersecurity Centre (NCSC), the Federal Chancellery's Digital Transformation and ICT Steering (DTI) Sector and the Federal Office of Information Technology, Systems and Telecommunication (FOITT), working together with Bug Bounty Switzerland AG, arranged for the Federal Administration's central access system, eIAM, to be tested for vulnerabilities by ethical hackers.

The Federal Administration's access and permissions system, eIAM, is the Confederation's central login infrastructure. It serves more than 1,000 applications and handles an average of 550,000 logins per day. The security of this infrastructure is therefore critical for the Confederation.

Bug bounty programmes bring in ethical hackers to identify and document potential vulnerabilities in IT systems and applications so that they can be resolved, as a complement to other security measures. Unlike criminal hackers, ethical hackers operate legally and at the request of the organisation concerned. Following on from last year's successful pilot project run by the NCSC, eIAM has now been tested in the same way: 32 ethical hackers accepted the invitation to take part in a bug bounty programme that ran from 30 August to 11 October 2022.

The severity of the vulnerabilities was classified according to an internationally recognised scale: low (fix optional), medium (fix in the next release), high (fix required urgently) and critical (fix required immediately). A total of 28 potential vulnerabilities were reported, 14 of which were confirmed; all of them were analysed and processed immediately. Of the confirmed vulnerabilities, one was classified as high severity, nine as medium and four as low. No critical vulnerabilities were found. A total of CHF 5,700 was paid to the ethical hackers as rewards for the confirmed vulnerabilities.

Ethical hackers interested in joining future editions of the Confederation's bug bounty programme

Ethical hackers who are interested in testing Federal Administration systems in future editions of the Confederation's bug bounty programme can register at:

www.bugbounty.ch/ncsc

Last modification 18.10.2022

https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2022/bug-bounty-eiam.html