We invite you to participate in AGOV´s public Bug Bounty program!

AGOV is the login for Swiss public authorities. AGOV can be used for services of the Federal Administration as well as for cantonal and municipal authorities in Switzerland. For example, to file tax declarations. Thanks to new technology, usernames and passwords are not necessary with AGOV. AGOV provides a more secure and easier solution. AGOV is a service provided by the Federal Administration and has been available in initial authority applications since the beginning of 2024.

To support the effort to protect the user´s login data and help build a more secure Internet, AGOV has launched a public Bug Bounty Program together with the NCSC and Bug Bounty Switzerland. We invite everyone, citizens, users, security researchers, cryptographers and hackers to join this program.

Why we want you

AGOV´s top priority is to provide secure login services. AGOV is routinely audited and operated a private Bug Bounty program for more than two years prior to its public program.
We welcome the public’s and security professionals’ input to discover vulnerabilities that might not have been found during regular security tests.

What you can expect

Our public program allows participants to test the productive versions of AGOV as well as central open-source components, such as the Trust Broker.
We pay attractive bounties for valid findings ranging from CHF 250.- for a Low severity issue up to CHF 7500.- for a Critical finding.
AGOV supports Coordinated vulnerability disclosure, in line with international best practices.
A constructive dialogue, fair rules and a legal safe harbor.

Key focus areas include

Compromising AGOV´s token exchange or encryption (password leaks, private keys, etc.).
The ability to demonstrate unauthorized access or modifications to users´ login data.
Compromising AGOV API or server infrastructure
Demonstrating the ability to compromise AGOV mobile applications

The AGOV public program is open to everyone complying with the rules described in the program’s policy page, if you are interested in participating apply using the link below!

Apply

Systems in scope

AGOV systems, servers, web applications, mobile access applications and open-source components are part of the scope of this program and further detailed in the program’s policy.

AGOV IdP

The AGOV IdP module saves the native AGOV identities with their subject-identifying data in the IdM (Nevis) and performs the actual authentications (logins).

AGOV trust broker

The AGOV trust broker module acts as an identity provider interface and enables the AGOV IdP to connect with the target applications that request login procedures from AGOV, also known as relying parties. This connection procedure is known as federation. OIDC and SAML2.0 are used as federation protocols. The AGOV trust broker is based on trustbroker.swiss, which is made available as open-source software.

AGOV me

The AGOV me module is a web application; specifically, it is the self-service administration portal for end users, where they update their AGOV data and login factors.

AGOV connect

The AGOV connect module is a web application known as the portal for relying parties, such as cantons. Here, relying parties and their suppliers can independently create application links for both test and production purposes.

AGOV counter

The AGOV counter module is the web application for the relevant counter staff who carry out face-to-face identity checks with AGOV end users, i.e. citizens.

AGOV access app

The AGOV access app is a native mobile app for smartphones and tablets with iOS and Android operating systems. The app is available free of charge from the relevant app stores. Apart from the Swiss e-ID and hardware-based FIDO security keys, the AGOV access App is the only login factor authorized for AGOV.

Legal Safe Harbor

The program provides a legal safe harbor and protects security researchers from prosecution when they act in good faith and comply with the rules of the program.

Responsible Disclosure

AGOV encourages coordinated disclosure of vulnerabilities, disclosure of vulnerabilities found in this public program is possible with written consent of AGOV

Cookie	Dauer	Beschreibung
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.