Bug bounty programme to increase cyber-resilience in the Federal Administration
In order to increase the cybersecurity of the IT infrastructure and reduce cyber-risks effectively and cost-efficiently, bug bounty programmes are run within the Federal Administration, led by the National Cybersecurity Centre (NCSC) in collaboration with Bug Bounty Switzerland AG and the administrative units as the service users.
Bug bounty programmes bring in ethical hackers to identify, document and resolve potential vulnerabilities in IT systems and applications, as a complement to other security measures. Unlike their criminal counterparts, ethical hackers operate legally at the request of the parties involved. Following the pilot project by the National Cybersecurity Centre in 2021, the Confederation set up the platform for the bug bounty programme in August 2022.
Ethical hackers interested in joining future editions of the Confederation’s bug bounty programme:
Ethical hackers who are interested in testing Federal Administration systems by joining future editions of the Confederation’s bug bounty programme can register at:
www.bugbounty.ch/ncsc
Results of the bug bounty programme
The NCSC reports regularly on the results of the Federal Administration bug bounty programme. The Federal Administration programme has demonstrated that vulnerabilities can be efficiently identified and addressed by means of bug bounty programmes. The quality and content of the reports show that this method is a complement to other methods, as ethical hackers report vulnerabilities that cannot always be detected using conventional security tests.
eIAM bug bounty programmes
eIAM is the Federal Administration's access and permissions system for web applications and native mobile apps.
Those involved:
- National Cybersecurity Centre (NCSC)
- Federal Chancellery, Digital Transformation and ICT Steering (DTI) Sector – responsible for the eIAM service
- Federal Office of Information Technology, Systems and Telecommunication (FOITT) – the eIAM system operator
- Bug Bounty Switzerland AG
Period:
30 August to 11 October 2022
Vulnerabilities detected:
The chart below shows the breakdown of reports per week:
The confirmed vulnerabilities can be broken down as follows:
The eIAM bug bounty programme will now be paused, so that the results can be evaluated and any organisational adjustments can be implemented before any future exercise.