Over the course of 12 days, our ethical hackers tested various IT systems as part of the first Bug Bounty pilot project for the Federal Administration in collaboration with the National Cyber Security Center (NCSC), the Federal Department of Foreign Affairs (EDA) and the Parliamentary Services (PD). The project was very successful and the lessons learned will be incorporated into the implementation of further Bug Bounty programs in the federal administration.
News coverage on SRF Tagesschau
A total of 15 ethical hackers from the Bug Bounty Switzerland (BBS) community were commissioned for this pilot project. To meet the strict requirements of the federal administration for data protection and a data location in Switzerland, BBS had developed the first Swiss Bug Bounty platform in advance with technical support from Microsoft Switzerland.
Ten security vulnerabilities discovered
For the pilot project, a total of six IT systems of the EDA and the Parliamentary Services were tested by the ethical hackers, with the aim of identifying, documenting and remediating security gaps. A total of ten security vulnerabilities were reported to the NCSC. One vulnerability turned out to be «critical», seven were classified as «medium» and two as «low». All of the gaps were immediately closed by the responsible service providers, and the successful closure was subsequently verified and confirmed by the ethical hackers.
Positive conclusion and transformation into a continuous program
The pilot project with BBS has shown that vulnerabilities in IT systems and applications can be identified and remedied efficiently and cost-effectively through bug bounty programs. The «return on investment» was assessed as high. A bug bounty program for the federal administration, operated by the NCSC, makes an important contribution to reducing the federal government's cyber risk.
Through the lessons learned and the insights of all stakeholders, NCSC envisions continually expanding the Bug Bounty program to as many federal government systems as possible.