In order to increase its cyber security and reduce cyber risks effectively and cost-efficiently, the Federal Administration runs bug bounty programmes under the leadership of the National Cyber Security Centre (NCSC) and in cooperation with other administrative units and Bug Bounty Switzerland AG.
The idea behind bug bounty programmes is to work with ethical hackers to identify, document and fix vulnerabilities in IT systems and applications in a way that complements other existing cyber security measures. Unlike malicious hackers, ethical hackers follow the law and act with the consent of those affected.
The NCSC ran a pilot project in 2021, after which the bug bounty platform was procured in August 2022. Since then, the NCSC has enabled ethical hackers to contribute to federal security and expose vulnerabilities through bug bounty programmes.
Ethical hackers interested in participating in a bug bounty programme and testing the Federal Administration's systems can register at the following link:
Current figures – Bug bounty programme results
The NCSC provides regular updates on the results of its bug bounty programmes. The experiences have been positive: the number of reports made and their content clearly show that bug bounty programmes can help to find vulnerabilities that may not be detected with conventional security testing methods. This proves that these programmes can be a useful and effective complement to conventional IT security measures and audits in the Federal Administration.
Note on the graphics
- Total: Statistics since the start of the first bug bounty programme on 30 August 2022.
- Date: Statistics for the last twelve months, by quarter.
- Hackers: Number of ethical hackers who reported at least one vulnerability.
- Reported Findings: Number of reported vulnerabilities. These may have since been evaluated and resolved (i.e. accepted or rejected), or may still be pending.
- Rejected: Number of hacker-identified vulnerabilities that were evaluated and rejected (e.g. because they were duplicates or invalid).
- Low/Medium/High/Critical: Number of vulnerabilities rated by severity. The rating is based on the internationally recognised CVSS standard. Other criteria, such as the vulnerability’s potential impact on the Federal Administration, are taken into account in the final severity rating.
- Reward: Sum of the rewards (i.e. bounties) paid out to the ethical hackers. The reward depends on the severity of the vulnerability reported.
Note: The statistics are a snapshot in time. How a vulnerability report is rated may be subject to change.
Table: Reported vulnerabilities and their ratings in the past 12 months.
| Date | Reported Findings | Rejected | Low | Medium | High | Critical | Reward |
|---|---|---|---|---|---|---|---|
| 2024 Q1 | 3 | 3 | 0 | 0 | 0 | 0 | 0 |
| 2023 Q4 | 116 | 51 | 6 | 35 | 14 | 10 | 61'400 |
| 2023 Q3 | 76 | 24 | 4 | 26 | 6 | 16 | 68'000 |
| 2023 Q2 | 12 | 7 | 0 | 5 | 0 | 0 | 2'100 |
Total reports since the start of the bug bounty programmes in August 2022
| Hackers | Reported Findings | Rejected | Low | Medium | High | Critical | Reward |
|---|---|---|---|---|---|---|---|
| 40 | 246 | 103 | 15 | 78 | 24 | 26 | 143'350 |
Further Information
Last modification 11.04.2024
