Regarding the Public Security Test (PST) of the Covid Certificate
- The goal of the Public Security Test (PST) is to validate the security and to build trust in the Covid Certificate before the public rollout.
- The Swiss Federation wants to be as transparent as possible about the functioning and the security of the Covid Certificate. This is why all components are open source and a public security test is performed.
- The National Cyber Security Centre (NCSC) is the single point of contact (SPOC) when challenging the Covid Certificate.
- The scope of the PST is strictly limited to the dedicated Covid Certificate. Any other services and infrastructures are off-limits.
- By participating in the PST, you agree to be bound by these Rules of Engagement.
Organization of the PST
- The PST is time-limited in order to enable the public rollout. It starts on 31.05.2021. The NCSC will end it at its own discretion, depending on the number of findings over time. However, submissions received later will also be reviewed in order to continuously improve the Covid Certificate system in the future; the same rules apply to such submissions.
- There is no registration required or possible for the PST.
- There is no compensation for participating in the PST and/or for submitting findings.
- NCSC serves as the single point of contact for all participants. NCSC is mainly responsible for issue management, classification of findings and any queries you have regarding the PST.
- The Swiss Confederation provides a Covid Certificate dedicated to fighting the Covid-19 pandemic.
- Participants who have found or believe they have found a vulnerability are asked to submit a report via the following NCSC website.
Scope of the test
- The scope of the PST is a security test of the Covid Certificate.
- You will find the documentation related to the Covid-19 certificate system in Switzerland on GitHub:
- Any systems that are not clearly identifiable as part of the dedicated Covid Certificate are not in-scope. If you are unsure, then please stop your activity and ask NCSC first.
- Attacks and scans that can harm other operations and services of the Swiss Confederation are therefore strictly forbidden. If you are unsure, then please stop your activity and ask NCSC first.
Everything that is not defined as in-scope is out-of-scope by default. In particular, the following items are out-of-scope:
- All attacks that fall in the broad denial of service (DDoS) and resource starvation categories.
- Social engineering, phishing or malware attacks on operators or employees of the Swiss Confederation or the Cantons.
- Physical attacks on people, buildings and devices.
- Attacks on the (GitHub) code repositories or the report submission website of NCSC.
- Lateral movement after a compromise of a system.
If you are unsure, then please ask NCSC first.
- Submissions of vulnerabilities need to be made via the respective form on the NCSC website.
- Submissions to other parties or through other channels will not be reviewed and will therefore not contribute to the PST.
- Submissions must contain:
  - A basic description of the issue in question
  - Affected components (e.g. Android App, Backend, etc.)
  - A step-by-step reproduction guide of the finding
  - A tentative risk classification of the issue
- Submissions ideally contain: accompanying evidence, e.g. screenshots, videos, proof of concept code, dumps, etc.
- If you upload attachments, please provide either pure ASCII text (e.g. Markdown) or PDF/A.
- If possible, please provide a means of contacting you in case the developers have questions. If you have a PGP key or S/MIME certificate, you may want to provide it as well in order to communicate securely.
Responsible disclosure policy
- Submitted findings are published on NCSC's website on a regular basis for reasons of transparency.
- Participants are allowed to publish their findings after the respective finding is published on NCSC’s website.
- When findings are published on NCSC's website, the original reporter of the finding will be credited if the reporter agrees to such publication. It is possible to request to remain anonymous or to use a pseudonym.
Consequences of complying with the Rules of Engagement
The Swiss Confederation, represented by the NCSC:
- Interprets activities by participants that comply with the Rules of Engagement as authorized access under the Swiss Penal Code. This includes Swiss Penal Code paragraphs 143, 143bis and 144bis.
- Will not take civil action or file a complaint with law enforcement authorities against participants for accidental, good faith violations of the Rules of Engagement.
- Will not file a complaint against participants for trying to circumvent the security measures deployed to protect the in-scope Covid Certificate system as outlined above.
- For breaches of the Rules of Engagement, the Swiss Confederation reserves the right to file criminal charges.
Applicable law and jurisdiction
The Rules of Engagement are governed by and construed in accordance with the laws of Switzerland.
Berne, 31st May 2021