How you can contribute
How we check reports
Reports are analysed in detail by our specialists and help us to improve the e-voting system. We ensure that we check and respond to every finding quickly.
The process for reporting a finding is described below.
- We check reports meticulously for completeness and, if necessary, ask for more information.
- A ticket is then created, and the finding is analysed by the relevant specialist.
- The person who reports the finding receives notification that their report is being processed.
- As soon as we have completed the analysis and can confirm a finding, it is classified as a “confirmed finding” and is published on GitLab.
- The “confidential” field must be selected for all reports that are classified as “high” or “critical”. Such reports are processed confidentially. In these cases, “coordinated vulnerability disclosure” applies.
- Every person who reports a finding is free to submit a report to Swiss Post confidentially, regardless of the degree of severity.
Please adhere to our Code of Conduct.
How we publish reports
Coordinated vulnerability disclosure
In order to ensure the stability and security of the e-voting system, we have opted for coordinated vulnerability disclosure (CVD). You can support this process as follows:
- Anyone is entitled to publish their findings: in the event of critical findings, please give us up to 90 days to analyse your report. As soon as our analysis is complete, we will give the green light for publication.
- Swiss Post publishes findings on a regular basis and in a transparent manner on its website. The person who reports a finding will be acknowledged, but can also opt to stay anonymous.
Swiss Post supports the Common Vulnerabilities and Exposures (CVE) process. For confirmed critical vulnerabilities, we welcome the submission of a CVE and support the person who submits the report in doing so.