Bug bounty programme to increase cyber-resilience in the Federal Administration

In order to increase its cyber security and reduce cyber risks effectively and cost-efficiently, the Federal Administration runs bug bounty programmes under the leadership of the National Cyber Security Centre (NCSC) and in cooperation with other administrative units and Bug Bounty Switzerland AG.

The idea behind bug bounty programmes is to work with ethical hackers to identify, document and fix vulnerabilities in IT systems and applications in a way that complements other existing cyber security measures. Unlike malicious hackers, ethical hackers follow the law and act with the consent of those affected.

The NCSC ran a pilot project in 2021, after which the bug bounty platform was procured in August 2022. Since then, the NCSC has enabled ethical hackers to contribute to federal security and expose vulnerabilities through bug bounty programmes.

Ethical hackers interested in participating in a bug bounty programme and testing the Federal Administration's systems can register at the following link: 

www.bugbounty.ch/ncsc

Current figures – Bug bounty programme results

The NCSC provides regular updates on the results of its bug bounty programmes. The experiences have been positive: the number of reports made and their content clearly show that bug bounty programmes can help to find vulnerabilities that may not be detected with conventional security testing methods. This proves that these programmes can be a useful and effective complement to conventional IT security measures and audits in the Federal Administration.

Note: The statistics are a snapshot in time. How a vulnerability report is rated may be subject to change.

Table: Reported vulnerabilities and their ratings in the past 12 months.

| Date | Reported Findings | Rejected | Accepted | Low | Medium | High | Critical | Reward |
|---|---|---|---|---|---|---|---|---|
| 2025 Q1 | 11 (100%) | 7 (64%) | 4 (36%) | 2 | 1 | 1 | 0 | 2'000 |
| 2024 Q4 | 0 (100%) | 0 (0%) | 0 (0%) | 0 | 0 | 0 | 0 | 0 |
| 2024 Q3 | 163 (100%) | 42 (26%) | 118 (74%) | 22 | 47 | 27 | 22 | 124'800 |
| 2024 Q2 | 205 (100%) | 84 (41%) | 121 (59%) | 19 | 55 | 24 | 23 | 126'100 |

Total reports since the start of the bug bounty programmes in August 2022

| Hackers | Reported Findings | Rejected | Accepted | Low | Medium | High | Critical | Reward |
|---|---|---|---|---|---|---|---|---|
| 52 | 675 | 238 (35%) | 437 (65%) | 58 | 182 | 76 | 71 | 396'250 |

Accepted: Number of vulnerabilities that were accepted as valid after analysis and review and that subsequently lead to measures to remedy or improve the situation.

Last modification 11.04.2025

https://www.ncsc.admin.ch/content/ncsc/en/home/infos-fuer/infos-it-spezialisten/themen/bug-bounty-programme.html