How you can contribute
- It is preferable that you report your findings to us via GitLab, where you will find an overview of the various reports and can participate in discussions with our e-voting team and the community.
- Alternatively, you can enter your report via an online form.
- As part of its bug bounty programme, Swiss Post rewards anyone who reports a confirmed vulnerability. You can apply retroactively for a reward for confirmed reports submitted via GitLab or the online form by entering them additionally on the bug bounty platform or submitting them directly on YesWeHack.
- Please read the Code of Conduct before you submit a report to us.
How we check reports
Reports are analysed in detail by our specialists and then help us to improve the e-voting system. We ensure that we check and respond to every finding quickly.
How a reported finding is handled is described below:
- We check reports meticulously for completeness and, if necessary, ask for more information.
- A ticket is then created and analysed by the relevant specialist.
- The person who reports the finding receives notification that their report is being processed.
- As soon as we have completed the analysis and can confirm a finding, it is classified as a “confirmed finding” and is published on GitLab.
- The “confidential” field must be selected for all reports that are classified as “high” or “critical”. Such reports are processed confidentially. In these cases, “coordinated vulnerability disclosure” applies.
- Every person who reports a finding is free to submit a report to Swiss Post confidentially, regardless of the degree of severity.
Please adhere to our Code of Conduct.
Swiss Post supports the Common Vulnerabilities and Exposures (CVE) process. For confirmed critical vulnerabilities, we welcome the submission of a CVE and support the person who submits the report.
How we reward reports
Swiss Post rewards only confirmed reports. Our rewards range from 100 to 230,000 euros, depending on the criticality of the vulnerability. The detailed rewards system can be found on YesWeHack.
To qualify for a reward, registration and identification on YesWeHack is required.
Swiss Post launches bug bounty programmes with a small group of specialists and gradually extends the group of participants until the programme is made public. Over 1,500 hunters were invited to take part in the private bug bounty programme on e-voting, which was transferred to the public programme in early September. They submitted 39 reports, nine of which were confirmed. In return, Swiss Post paid out 49,450 euros to the people who submitted the reports.