Expert Talk with Florian Schütz and Sandro Nafzger: Opportunities and Challenges in Cybersecurity and the Role of Ethical Hacking

“Cybersecurity is a balancing act between innovation and protection,” says Florian Schütz, Director of the Swiss Federal Office for Cybersecurity. With the national cybersecurity strategy — in which the use of bug bounty programs plays a key role — Switzerland aims not only to fend off attacks, but also to seize opportunities and set international standards in the process.

By Isaak Mtizwa, published on 8 July 2025. Reading time: 9 min

Florian Schütz, Director of the BACS, considers bug bounty programs an important and cost-effective security measure. Since 2021, the Swiss Government has been working with Bug Bounty Switzerland to continuously identify vulnerabilities and strengthen cyber resilience. “Bug bounty forces organizations to establish efficient processes and promotes rapid response capabilities,” says Schütz. In the future, artificial intelligence will automate security analysis, allowing human experts to focus on complex threats.


Cybersecurity: A Delicate Balance Between Innovation and Protection

If cybersecurity in Switzerland had a face, it would be that of Florian Schütz. As Director of the Federal Office for Cybersecurity (BACS), he serves as the primary point of contact for policymakers, media, and the public on all matters related to cybersecurity. “We must elevate cybersecurity to an acceptable level so we can live and operate according to our values, create value, and remain competitive on a global scale,” Schütz explains in the Expert Talk with Bug Bounty Switzerland’s CEO & Co-Founder, Sandro Nafzger. 

In his role as head of BACS, Florian Schütz is responsible for the coordinated implementation of Switzerland’s national cybersecurity strategy. This strategy, developed under the leadership of BACS, was created in collaboration with stakeholders from politics, public authorities, the private sector, and civil society. “It used to be called the ‘Strategy for Protecting Switzerland Against Cyber Risks’,” he notes, adding, “It was important to me that we adopt a more neutral term – one that doesn’t focus solely on risks. Because every entrepreneur knows: where there are risks, there are also opportunities.” 

Indeed, risks abound. While digitalization brings countless advantages, it also creates new and expanding attack surfaces. The perpetrators of cyberattacks range from amateur “script kiddies” to highly professional – sometimes state-sponsored – actors. Many companies become targets simply because they fail to patch their systems in time. For Schütz, the central challenge of cybersecurity lies in striking a balance between robust security and economic competitiveness. Regularly applying software patches is no longer sufficient. What’s required is a comprehensive vulnerability management approach – one that includes proactive and continuous identification of hidden security flaws. After all, vulnerabilities are the breeding ground for cyberattacks and must be systematically eliminated. 

Bug Bounty: An Effective and Cost-Efficient Security Tool

As a key component of the national cybersecurity strategy, bug bounty programs are firmly embedded in Switzerland’s security framework. Florian Schütz views them as an essential tool in the cybersecurity toolbox. “There’s often a very emotional debate within the security community: Which testing method is better – penetration tests or bug bounty?” For Schütz, this is the wrong question. “In the business world, the cost-benefit ratio is what really matters. The question is: Is it worth it? If it brings value, I’ll do it. If not, I won’t.”

For Schütz, the economic perspective is decisive: a company must optimize its resources, and a federal office must use taxpayer money responsibly. “Bug bounty is a continuous and creative testing method. A wide range of testers with different skill sets examine the systems broadly and continuously for vulnerabilities.” It’s precisely this continuity and broad coverage of attack surfaces that makes bug bounty so attractive. In addition, only validated vulnerabilities are financially rewarded. Schütz concludes: “From an economic perspective, bug bounty is something that can be done relatively inexpensively.” He sees bug bounty as an efficient and cost-effective model to establish baseline security by focusing on publicly accessible and exposed attack surfaces. His recommendation: “I’d start with an automated scanner – that’s the cheapest. Then bug bounty follows quickly, since the cost-benefit ratio is quite favorable. Penetration testing, red teaming, and fuzzing are important and complementary measures that can be deployed selectively and on demand.”

Bug Bounty Program for the Federal Government since 2021

The Swiss federal government has been running a bug bounty program since 2021. Its introduction marked an important step for the federal administration – but not one without challenges. “The program was initiated by Parliament, although we had already been considering it,” Schütz recalls. One key condition was that all data had to remain within Switzerland. “I didn’t want information about vulnerabilities ending up on servers abroad. That narrowed the market quite quickly,” he explains. 

The federal government ultimately chose Bug Bounty Switzerland to implement the program. One of the main selection criteria was that the platform is operated entirely within Switzerland. 

Since its launch in 2022, the program has proven to be an effective instrument for the federal administration. By March 2025, approximately CHF 396,000 in bounties had been paid out – an investment well worth the security gains. In total, 437 valid vulnerabilities were identified through the program, 71 of which were rated as “critical” and 76 as “high.” 

For Schütz, the value of bug bounty goes beyond the number of vulnerabilities discovered. The programs provide valuable insights into the security landscape, help validate the broader IT security strategy, and strengthen organizational responsiveness through real-world feedback. 

Ethical Hackers: Trusted Partners, Not a Security Risk

When the Swiss federal government launched its bug bounty program, initial concerns surfaced – particularly the fear that ethical hackers might sell discovered vulnerabilities on the black market. But Florian Schütz, Switzerland’s Federal Cybersecurity Delegate, takes a pragmatic view. For one, proper Know-Your-Customer (KYC) procedures allow authorities to verify participants by requiring documents such as passport information and criminal records. “I believe the risk of an ethical hacker misbehaving is extremely low,” says Schütz. For another, individuals who choose to participate in a bug bounty program make a deliberate decision and leave a digital footprint. Those with criminal intent, on the other hand, prioritize anonymity and are unlikely to engage in such transparent programs.

According to Schütz, trust is built through clear contractual agreements, economic incentives, and respectful communication. Long-term collaboration is especially important: “When you learn to engage with these people respectfully, everything works well.” 

Cyber Resilience Through Ongoing Exposure to Real Vulnerabilities

Bug bounty programs, in Schütz’s eyes, are essential to building cyber resilience. But what does resilience mean in this context? “Resilience doesn’t mean absolute security,” he explains. Instead, it’s the ability to effectively respond to cyber incidents and restore systems quickly. Not every incident is equally severe – for instance, a temporarily inaccessible website might cause bad press, but a failure of an identity and access management system can have serious consequences. 

Bug bounty programs support resilience by continuously uncovering vulnerabilities. This constant flow of findings forces organizations to build efficient processes for triaging and resolving issues. When a real crisis hits, these processes are already in place and well-practiced. “You can’t develop resilience with theoretical exercises alone,” Schütz says. “You need daily exposure to real threats.” 

He also cautions against a common mistake: separating IT outages and security incidents into different workflows. “That makes no sense!” Instead, Schütz advocates for a single unified process that allows IT and security teams to collaborate more effectively and respond more swiftly to threats. 

Artificial Intelligence (AI) and the Future of Bug Bounty  

Florian Schütz sees artificial intelligence (AI) as a significant factor in the further development of bug bounty programs. While AI is already being explored in the U.S. for automated vulnerability discovery, Schütz does not expect human hackers to be replaced anytime soon: “I don’t believe that AI will replace bug bounty in the near future,” he explains. “But I do believe it will lead to a new and exciting market dynamic.” 

By leveraging machine learning, large parts of the vulnerability discovery process could be automated, allowing human bug hunters to focus on more complex testing. According to Schütz, this could pave the way for new business models. The key question for him is how AI-driven solutions can be integrated into existing bug bounty offerings. This could result in tiered service models with different levels of support. Especially for smaller companies, plug-and-play bug bounty solutions at a fixed price could be particularly attractive, Schütz believes. 

He also sees this development as a great opportunity for Swiss providers: companies that manage to combine bug bounty and AI in innovative ways could play an important role internationally in the future. The decisive factor will be whether they succeed in aligning technological progress with business needs while building customer trust. “I would be delighted to see more successful Swiss companies offering cybersecurity products on an international scale and helping to shape our digital future.” 

The Cybersecurity Toolbox of Florian Schütz

  1. Automated scans as the most cost-effective first measure 
  2. Bug bounty programs for continuous security testing of the entire attack surface 
  3. Pentests before go-live or as needed to meet compliance requirements 
  4. Red teaming and fuzzing for in-depth analysis in special cases 

About Florian Schütz 

Florian Schütz is Director of the Swiss Federal Office for Cybersecurity (BACS) and one of the country’s leading cybersecurity experts. He is responsible for the coordinated implementation of the national cybersecurity strategy. Previously, he served as Switzerland’s first Federal Cybersecurity Delegate and played a key role in building the National Cybersecurity Centre (NCSC), which was integrated into the Federal Office for Cybersecurity in 2024. Schütz studied computer science at ETH Zurich and holds a master’s degree in security policy and crisis management. After positions at RUAG Switzerland and Zalando SE, he is now active both nationally and internationally, including as Chair of the OECD Working Party on Digital Security. 
