Bug bounty programme to increase cyber-resilience in the Federal Administration

In order to increase the cybersecurity of the IT infrastructure and reduce cyber-risks effectively and cost-efficiently, bug bounty programmes are run within the Federal Administration, led by the National Cybersecurity Centre (NCSC) in collaboration with Bug Bounty Switzerland AG and the administrative units as the service users.

Bug bounty programmes bring in ethical hackers to identify, document and resolve potential vulnerabilities in IT systems and applications, as a complement to other security measures. Unlike their criminal counterparts, ethical hackers operate legally at the request of the parties involved. Following the pilot project by the National Cybersecurity Centre in 2021, the Confederation set up the platform for the bug bounty programme in August 2022.

Ethical hackers interested in joining future editions of the Confederation’s bug bounty programme:
Ethical hackers who are interested in testing Federal Administration systems by joining future editions of the Confederation’s bug bounty programme can register at:
www.bugbounty.ch/ncsc

Results of the bug bounty programme

The NCSC reports regularly on the results of the Federal Administration bug bounty programme. The Federal Administration programme has demonstrated that vulnerabilities can be efficiently identified and addressed by means of bug bounty programmes. The quality and content of the reports show that this method is a complement to other methods, as ethical hackers report vulnerabilities that cannot always be detected using conventional security tests.

eIAM bug bounty programmes

eIAM is the Federal Administration's access and permissions system for web applications and native mobile apps.

Those involved:

  • National Cybersecurity Centre (NCSC)
  • Federal Chancellery, Digital Transformation and ICT Steering (DTI) Sector – responsible for the eIAM service
  • Federal Office of Information Technology, Systems and Telecommunication (FOITT) – the eIAM system operator
  • Bug Bounty Switzerland AG

Period:

30 August to 11 October 2022

Vulnerabilities detected:

The chart below shows the breakdown of reports per week:

The confirmed vulnerabilities can be broken down as follows:

The eIAM bug bounty programme will now be paused, so that the results can be evaluated and any organisational adjustments can be implemented before any future exercise.

Further Information

Last modification 23.12.2022


https://www.ncsc.admin.ch/content/ncsc/en/home/infos-fuer/infos-it-spezialisten/themen/schwachstelle-melden/bug-bounty-programme.html