First bug bounty programme in the Federal Administration

10.05.2021 - The Federal Administration and Bug Bounty Switzerland GmbH will launch a joint pilot project today. The aim of the two-week test, which will be overseen by the NCSC, is to gather initial experience with bug bounty programmes and assess their future use in relation to the security of infrastructures in administrations and companies.

The Federal Administration wants to use the possibilities offered by bug bounty programmes while investigating the extent to which they can deliver a strategic contribution to the security of infrastructures in administrations and companies.

Pilot project launched

Accordingly, the National Cybersecurity Centre (NCSC) is carrying out its first joint project in the Federal Administration with Bug Bounty Switzerland GmbH (BBS). The test begins on 10 May 2021 and will run for two weeks. Under the bug bounty programme, "ethical hackers" – hackers who, legally and within clearly defined boundaries, search for vulnerabilities – are invited by an organisation to seek out the weak points (bugs) in its IT systems. For every confirmed bug they find, the successful hacker receives a reward (bounty), graded according to the severity of the bug.

Clearly defined project parameters

The federal pilot project has clearly defined parameters. Two IT systems in the Federal Department of Foreign Affairs (FDFA) and one in Parliamentary Services have been chosen as targets. Moreover, in this first test the circle of bug bounty hunters has been limited to ethical hackers who are known to BBS or the NCSC and have already proved their worth in other projects. Since the Federal Administration – like other regulated industries – has strict requirements on data protection and requires a data location in Switzerland, over the past few months BBS, with the technical assistance of Microsoft Switzerland, has developed a bug bounty platform that is run entirely within Switzerland. This platform is based on state-of-the-art cloud technology and meets the requirements of the Confederation and other regulated industries such as critical infrastructures.

The bug bounty programme will be run by BBS, although it will be closely monitored by the NCSC and representatives from the FDFA and Parliamentary Services. The test should provide a basis for discussing the future use of bug bounty programmes.

Presentation by Bug Bounty Switzerland

In consultation with the participating federal offices, BBS will present the project to interested journalists on Thursday, 20 May 2021, in Bern. Those interested should contact:
Bug Bounty Switzerland GmbH at or +41 79 701 43 41.