Ethical Hacking in the Software Industry: Bug Bounty & Coordinated Vulnerability Disclosure (CVD) at Puzzle ITC

Together with Bug Bounty Switzerland, Puzzle ITC successfully collaborates with ethical hackers – setting a strong example for the software development industry.

By Isaak Mtizwa, published on 16 February 2024. Reading time: 5 min.

Puzzle ITC is a well-established Swiss software and technology company with offices in Bern, Zurich, Basel, and Tübingen (Germany). With over 140 employees, the company delivers complex and innovative IT projects.

Cybersecurity plays an increasingly central role in Puzzle ITC’s work and has even become a competitive advantage over other market players. To further strengthen its security posture, Puzzle ITC collaborates successfully with ethical hackers through its partnership with Bug Bounty Switzerland – positioning itself as a role model within the software development industry.

How It All Began – The Woman Who Made Herself a CISO

That the role of Chief Information Security Officer (CISO) is gaining increasing importance in Switzerland became especially evident during last year’s “CISO of the Year” awards. But Franziska Bühler already recognized back in 2021 that Puzzle ITC needed a dedicated person to take responsibility for information security—both across the company and at the executive level. So she simply applied for a position that didn’t yet exist: “CISO at Puzzle ITC.” In doing so, she helped create this new, business-critical role in close collaboration with the company’s leadership.

For a modern CISO, the goal is no longer to prove how secure an organization is, but rather to take a close look at where it remains vulnerable—understanding the risks and empowering the organization to handle them a little better every day. That’s precisely where working with ethical hackers becomes a powerful tool.

Shortly after Franziska Bühler took on the role of CISO, Puzzle ITC launched a private bug bounty program. It began with a “reality check” to assess the company’s current level of cyber resilience. From there, it transitioned into an ongoing bug bounty program—designed to continuously test the organization’s entire attack surface as a kind of “last line of defense.”

Massive Scaling Effect for Security Organizations

Today, information security at Puzzle ITC is led by Mark Zeman, the new CISO and a former penetration tester. In an interview, he explains why continuous testing by ethical hackers is so essential:

“As soon as new vulnerabilities emerge, they need to be identified quickly. But we simply don’t have the in-house skills or capacity to conduct such extensive and ongoing security testing ourselves. A bug bounty program, on the other hand, allows for highly efficient testing of the entire attack surface. This creates a massive scaling effect—especially valuable for smaller security organizations.”

In addition to running private bug bounty programs, Puzzle ITC also operates a Vulnerability Disclosure Program (VDP). A VDP is a more passive form of bug bounty that pays no financial rewards, but it still gives ethical hackers a legal and structured channel for reporting vulnerabilities under clearly defined rules of engagement.

Protecting the Entire Attack Surface

By collaborating with ethical hackers, organizations can test their entire attack surface in a highly effective and efficient way. A bug bounty program should be seen as an active portfolio of various security testing formats, each with a distinct focus.

The most important formats include:

  • Reality & Deep Spot Checks: These dedicated security tests are used to address very specific challenges—whether to simply trial the collaboration with ethical hackers and assess cyber resilience, or to tackle targeted questions such as improving product security. Many traditional penetration tests can be replaced by such private, time-limited bug bounty programs.
  • Continuous Bug Bounty Programs: Ethical hackers are incentivized to test an organization’s entire attack surface 24/7 according to clearly defined rules of engagement. After all, new vulnerabilities will emerge sooner or later—no matter how modern and professionally managed the IT systems are. These continuous programs act as a “last line of defense,” detecting and remediating security flaws before cybercriminals can exploit them. Continuous bug bounty programs are usually operated in private mode under strict confidentiality agreements.
  • Vulnerability Disclosure Program (VDP): As a new security standard, a VDP enables the responsible reporting of vulnerabilities even outside the scope of a formal bug bounty program. While no rewards are paid for reported findings, it lays the foundation for constructive collaboration with a talented and motivated community of ethical hackers.

Let’s take your cyber resilience to the next level.

As the Swiss market leader, we’re making collaboration with ethical hackers the new cybersecurity standard—accessible to organizations across Switzerland.

Let’s connect in a non-binding online meeting to explore how we can take your organization’s cyber resilience to the next level—simply, quickly, and securely.
