Why Swiss Post needs a bug bounty programme

This week, Swiss Post has launched its public bug bounty programme. Sandro Nafzger, Bug Bounty Programme Leader, explains why cooperation with ethical hackers took two years to set up, even though it became apparent within a few hours that it was vital.

Sandro Nafzger, Head of Bug Bounty

When we plucked up the courage to trial a cooperation with ethical hackers, it soon became clear that a bug bounty programme was absolutely essential! The project budget that had been allocated to last for six weeks was used up in just under four hours – another positive sign. Here’s how events unfolded…

In spring 2019, Swiss Post carried out a public intrusion test and published the source code for its previous e-voting system for the first time. This prompted a highly controversial debate, particularly in the media. You might expect that Swiss Post had its fingers burned with this public scrutiny approach and that it would steer clear of this kind of procedure. But the exact opposite was true. After all, this example showed that the method works and that critical errors can be identified and resolved. This enables us to continue improving the relevant systems and the organization surrounding them.

Following these events, the question arose as to whether cooperation with a global community of IT security experts in the form of a bug bounty programme would be advisable for Swiss Post as a whole. Our gut instinct said yes, but we had only this single experience with e-voting and relatively little expertise in such issues. So, in consultation with Swiss Post’s CISO, we launched a three-month study by an interdisciplinary team made up of three security experts, a project manager, a lawyer and a communications specialist. We looked at the bug bounty concept from all angles and concluded that it could be vitally important for Swiss Post, that the benefits were likely to be great, that the costs were acceptable and that we’d found a pragmatic solution with regard to feasibility. To test these theories, Swiss Post Information Security then decided to carry out a six-week-long proof of concept.

This kicked off at 11 a.m. on Monday, 21 October – and just like that, our first bug bounty programme was under way. Initially, we permitted only five ethical hackers to “hack” approximately ten specially selected IT systems and to identify security issues. And lo and behold – we received a report of the first critical security vulnerability within less than an hour. And it was far from the only finding. But how could that be? We tested only well-established online services whose security performance is assessed regularly using traditional testing methods.

We had earmarked 25,000 francs for remuneration payments over the entire proof-of-concept phase, which was set to last six weeks. By 3 p.m., we’d already used up the budget – just four hours after the six-week test had started. Did that present a problem? No, quite the opposite: we immediately realized that this new testing method was much more effective and crucial than we’d anticipated and that it represented a huge opportunity for Swiss Post. Because the findings we obtained in just a few hours were so valuable, the CISO increased our budget and determined that the test was to be conducted over a five-week period. In particular, we were able to test the interaction between hackers and developers, and we found that this new cooperation enabled us to resolve errors promptly and, above all, that there was an excellent rapport between the two groups from the outset. During this test, 130 vulnerabilities – ranging in severity from minor to critical – were discovered and fixed. We also paid out remuneration of around 150,000 francs.

The question of whether a bug bounty programme was really necessary had been resolved within just a few hours. A bug bounty programme detects security vulnerabilities that remain hidden from all other testing methods. It is also extremely efficient.

After the first proof of concept, we set about finding a way to phase in this new and disruptive method and establish it on a Group-wide basis without overstretching ourselves. It was clear that launching a bug bounty programme without any restrictions would reveal thousands of new vulnerabilities within a few days and would completely overextend our organization’s capacities – which we didn’t want to happen. That’s how our bug bounty scaling model was created.

Online services start out in an incubator

Our scaling model consists of three levels of maturity that an online service can achieve. Whenever an application is added to our bug bounty programme, it always starts out in a custom incubator – a time-limited bug bounty programme with five to 50 ethical hackers and relatively low bounties. The most critical security issues are detected and reported within the first few hours and days. This not only reveals the maturity level of the product or service tested, but also shows how agile and fit the organization and team behind it are.

There are two scenarios after the custom incubator stage. Ideally, the tested system can be transferred directly to “Private Main”, a permanent but still private programme. This focuses less on how many vulnerabilities are found, and more on how the team behind the system deals with them. Receiving new input every day, prioritizing it according to clear rules and rectifying issues in regular sprints is standard practice for some teams. For others, this agile approach presents a challenge. Such teams usually require a break after the custom incubator phase to improve their internal organization and to rectify the vulnerabilities.

Swiss Post has been running “Private Main” – a permanent, private bug bounty programme – since May 2020. More online services are being added on an ongoing basis and tested intensively by several hundred ethical hackers. These services are then transferred to the public bug bounty programme, “Public Main”, which has now been launched and is available to all 23,000 registered hackers.

This three-tiered procedural model has enabled us to gradually establish and consolidate the maturity level required for the management of the bug bounty programmes, allowing us to run a Group-wide programme – which has proved to be a lot of fun for all involved.

This is the basis on which the majority of all Swiss Post digital products – a few hundred IT systems – will now undergo continuous improvement through the bug bounty programme.

To sum up: cooperation with ethical hackers requires courage, but is richly rewarded. That’s because new findings and improvement proposals are received almost every day. This creates a positive and agile learning culture which benefits the entire organization. There’s no such thing as a perfect bug bounty programme. But thanks to a small-scale start and continuous expansion, we’re on the right track.

written by

Sandro Nafzger

Head of Bug Bounty