01.07.2021 - From 10 to 21 May 2021, the NCSC conducted a bug bounty pilot project in collaboration with Bug Bounty Switzerland GmbH, the Federal Department of Foreign Affairs (FDFA) and Parliamentary Services (PS). The project was very successful and the lessons learned are to be incorporated into the implementation of further bug bounty programmes in the Federal Administration.
The purpose of bug bounty programmes is to identify, document and remedy any vulnerabilities in IT systems and applications in cooperation with ethical hackers. A total of 15 ethical hackers commissioned by the Confederation took part in this pilot project.
Ten security vulnerabilities discovered
For the pilot project, ethical hackers scanned a total of six IT systems of the FDFA and Parliamentary Services for any security vulnerabilities. Overall, ten security vulnerabilities were reported to the NCSC. One of these turned out to be critical, seven were classified as medium and two as low. All of the vulnerabilities were immediately eliminated by the competent providers. The ethical hackers then verified and confirmed the successful elimination of the vulnerabilities.
Positive conclusion
The pilot project demonstrated that vulnerabilities in IT systems and applications can be efficiently identified and remedied by means of bug bounty programmes. The return on investment was found to be high. A bug bounty programme for the Federal Administration, operated by the NCSC, makes an important contribution to reducing the Confederation's cyber-risk exposure.
Based on the experience gained with the pilot project and the lessons learned by all those involved, the NCSC intends to continuously expand the bug bounty programme to as many Federal Administration systems as possible.
Consequently, the procurement process is to be launched as soon as possible. In the meantime, several other companies in Switzerland also offer bug bounty programmes in addition to Bug Bounty Switzerland GmbH. In order to ensure neutrality in the procurement process, Florian Schütz, the Federal Cybersecurity Delegate, is stepping down from the Advisory Board of Bug Bounty Switzerland.
The final report is available in:
Last modification 01.07.2021