Online voting and elections
Publications and source code
As part of its cybersecurity strategy, Swiss Post focuses on the public review of applications and services. This is why it runs bug bounty programmes that reward hackers and cryptographers financially for scrutinizing the system and for any confirmed vulnerabilities they uncover. In 2021, Swiss Post published all the core, security-relevant components of its e-voting system, and launched its bug bounty programme for an indefinite period. This allows specialists from all over the world to analyse, scrutinize and test the system. Swiss Post continues to work on its e-voting system to ensure it is always protected against cyberattacks.
Complete disclosure of the new e-voting system
In 2021, Swiss Post published its new, fully verifiable e-voting system in multiple stages as part of a community programme so that independent experts could test it. Swiss Post also launched a public bug bounty programme for e-voting for an indefinite period of time.
More information on the disclosure can be found on the e-voting community website.
Public intrusion test 2022
Over four weeks from 8 August to 2 September 2022, Swiss Post conducted a public intrusion test, during which ethical hackers attempted to access the e-voting infrastructure. Around 3,400 people from around the world took part. For the first time, the ethical hackers were able to try out and target the vote casting process on the voting portal using sample voting cards. The participants were not able to “crack” the e-voting infrastructure or infiltrate it. The intrusion test is a recurring measure that forms part of the e-voting system checks and is also a legal requirement of the Swiss Confederation.
Public intrusion test 2019
From 25 February to 24 March 2019, Swiss Post carried out a public intrusion test. IT specialists and hackers were invited to attack the system with the aim of finding and fixing vulnerabilities.
During the four-week stress test, around 3,200 international IT experts carried out targeted attacks on the new e-voting system. After the completion of the intrusion test, there were no manipulated votes in the electronic ballot box. The hackers did not manage to infiltrate the e-voting system. Attempts at overloading the system through DDoS attacks were unsuccessful. The hackers submitted a total of 173 findings. The Federal Chancellery, cantons and Swiss Post confirmed 16 of them. All of them fall under the lowest classification level of “Best Practices”.
Swiss Post’s final report summarizes the results and findings of the intrusion test.