Findings

Overview of findings

Testing by independent experts helps to identify vulnerabilities and to improve the e-voting system.

Confirmed vulnerabilities and other reports are listed on GitLab.

Reporting a finding

Reports are analysed in detail by our specialists and help us to improve the e-voting system. We check and respond to every finding promptly.

The process for reporting a finding is described below.

  • We check each report carefully for completeness and, if necessary, ask for more information.
  • A ticket is then created and analysed by the relevant specialist.
  • The person reporting the finding is notified that their report is being processed.
  • As soon as our analysis is complete and we can confirm a finding, it is classified as a “confirmed finding” and published on GitLab.
  • Reports that the reporter classifies as “high” or “critical” must be marked as confidential at the time of reporting and are processed confidentially. In this case, coordinated vulnerability disclosure applies (see below).
  • Every person reporting a finding is free to submit their report to Swiss Post confidentially, regardless of its severity.

Please adhere to our Code of Conduct.

Coordinated Vulnerability Disclosure

In order to ensure the stability and security of the e-voting system, we have opted for coordinated vulnerability disclosure (CVD). You can support this process as follows:

  • Anyone is entitled to publish their findings. For critical findings, please give us up to 90 days to analyse your report; as soon as our analysis is complete, we will give the green light for publication.
  • Swiss Post regularly publishes findings on its website in a transparent manner. The person reporting a finding is acknowledged by name, but may also opt to remain anonymous.

How to report your finding

There are two possible means of sending us a report:

  • Via GitLab
  • Using the online form

GitLab

We prefer that you report findings to us via GitLab, which also gives you an overview of the reports that have already been submitted. You can log in with your GitLab account. If you do not have one, you can register or log in with credentials from an accepted platform such as Google or Twitter.


Online form

Alternatively, you can submit your report using the online form on this page. Attaching a file to the report is optional.

Defining severity

The severity of a finding is classified as critical, high, medium or low. The classes are defined as follows:

  • Critical: a critical or blocking issue
  • High: an important and time-critical finding, handled with urgent priority
  • Medium: an important finding, handled with standard priority
  • Low: a finding with no impact on functionality or data (e.g. layout errors or spelling mistakes)

CVE programme

Swiss Post supports the Common Vulnerabilities and Exposures (CVE) programme. For confirmed critical vulnerabilities, we welcome a request for a CVE identifier and support the person who submitted the report in obtaining one.