Testing by independent experts makes it possible to identify vulnerabilities and improve the e-voting system.

Confirmed vulnerabilities and more reports are listed on GitLab.

How you can contribute

  • It is preferable that you report your findings to us via GitLab, which provides you with an overview of reports that have already been submitted.
  • Alternatively, you can enter your report via an online form.
  • Please read the Code of Conduct before you submit a report to us.

Public bug bounty programme

We will launch the public bug bounty programme for the new e-voting system in the second half of 2021. Would you be interested in participating? If so, please contact us. We will inform you as soon as the programme starts.

How we check reports

Reports are analysed in detail by our specialists and help us to improve the e-voting system. We ensure that we check and respond to every finding quickly.

The process for reporting a finding is described below.

  • We check reports meticulously for completeness and, if necessary, ask for more information.
  • A ticket is then created and analysed by the relevant specialist.
  • The person who reports the finding receives notification that their report is being processed.
  • As soon as we have completed the analysis and can confirm a finding, it is classified as a “confirmed finding” and is published on GitLab.
  • The “confidential” field must be selected for all reports that are classified as “high” or “critical”. Such reports are processed confidentially. In these cases, “coordinated vulnerability disclosure” applies.
  • Every person who reports a finding is free to submit a report to Swiss Post confidentially, regardless of the degree of severity.

Please adhere to our Code of Conduct.

How we publish reports

Coordinated vulnerability disclosure

In order to ensure the stability and security of the e-voting system, we have opted for coordinated vulnerability disclosure (CVD). You can support this process as follows:

  • Anyone is entitled to publish their findings: in the event of critical findings, please give us up to 90 days to analyse your report. As soon as our analysis is complete, we will give the green light for publication.
  • Swiss Post publishes findings on a regular basis and in a transparent manner on its website. The person who reports a finding will be acknowledged, but can also opt to stay anonymous.

CVE programme

Swiss Post supports the Common Vulnerabilities and Exposures (CVE) programme. For confirmed critical vulnerabilities, we welcome the submission of a CVE and support the person who submits the report.