Overview of findings
Reporting a finding
Reports are analysed in detail by our specialists and help us to improve the e-voting system. We make it our business to check and respond to every finding quickly.
The process for reporting a finding is described below.
- We check reports meticulously for completeness and, if necessary, ask for more information.
- A ticket is then created which is analysed by the relevant specialist.
- The person reporting the finding receives notification that their report is being processed.
- As soon as we have completed the analysis and can confirm a finding, it is classified as a “confirmed finding” and is published on GitLab.
- All reports classified as “high” or “critical” must be marked as confidential at the time of reporting, and will be processed confidentially. In this case, “coordinated vulnerability disclosure” applies.
- Every person reporting a finding is free to submit a report to Swiss Post confidentially, regardless of the degree of severity.
Please adhere to our Code of Conduct.
Coordinated Vulnerability Disclosure
In order to ensure the stability and security of the e-voting system, we have opted for coordinated vulnerability disclosure (CVD). You can support this process as follows:
- Anyone is entitled to publish their findings: in the event of critical findings, please give us up to 90 days to analyse your report. As soon as our analysis is complete, we will give the green light for publication.
- Swiss Post regularly publishes findings in a transparent manner on its website. The person reporting a finding will be acknowledged, but can also opt to stay anonymous.
How to report your finding
There are two possible means of sending us a report:
- Via GitLab
- Using the online form
The severity of a reported finding is classified as critical, high, medium or low. The criteria for each severity level are described below.
- Critical: report with critical or blocking issue
- High: report with urgent priority, important and time-critical finding
- Medium: report with standard priority, important finding
- Low: report with no impact on functionality or data (e.g. layout errors or spelling mistakes).
Swiss Post supports Common Vulnerabilities and Exposures (CVE). For confirmed critical vulnerabilities, we welcome the submission of a CVE and support the person submitting the report.