In the health insurance sector, trust is part of the core business. For KPT, one of the ten largest health insurers in Switzerland, the question of trust became pivotal when it came to enhancing its cyber resilience through a bug bounty program.
Before the program could launch in May 2023, initial concerns within the company had to be addressed – after all, no one at KPT had prior experience with ethical hacking. Interestingly, it wasn’t the executive management that struggled with the idea of being hacked, but rather the IT security team. “I had expected more skepticism from senior management,” recalls Walter Kunz, Group CSO/CISO and a member of the executive board at the health insurer. “But the executive team was quickly convinced of the benefits of a bug bounty program.”
A Bug Bounty Program on Autopilot
To dispel any lingering skepticism, choosing the right partner was of central importance. KPT’s executive management followed Walter Kunz’s recommendation to collaborate with Bug Bounty Switzerland. Two key factors played a decisive role in the decision: first, the fact that the provider was based in Switzerland, and second, the impressive references the Swiss bug bounty pioneer could present. Trust was further strengthened by the fact that Walter Kunz had known several members of the executive and advisory boards of Bug Bounty Switzerland personally for many years.
KPT opted for a managed approach – meaning a bug bounty program that could be fully operated by Bug Bounty Switzerland if KPT lacked the internal capacity. The health insurer defined the framework conditions such as goals, scope, budget, and the maximum number of vulnerability reports the organization could process without issue. Bug Bounty Switzerland then took over the rest – steering and scaling the program as well as managing interactions with ethical hackers – in close coordination with KPT. As a result, the program essentially runs on “autopilot,” operating within clearly defined KPIs without requiring additional internal personnel to run it effectively and efficiently.
The first step was for KPT’s security team to define the program’s scope. Together with Bug Bounty Switzerland, they established the legal framework and developed a policy applicable to all participating hackers. The core principle of this policy is “report first” rather than “exploit first” – hackers must report any vulnerabilities immediately instead of attempting to exploit them. This principle played a key role in calming initial concerns within KPT.
In fact, the participants are not anonymous individuals, but carefully selected and verified ethical hackers who adhere to agreements with both Bug Bounty Switzerland and KPT. Through its data-driven matchmaking process, Bug Bounty Switzerland ensures that the most qualified individuals from its pool of over 15,000 listed ethical hackers are included in each program. A further priority is that the hackers remain highly active over extended periods, ensuring comprehensive and continuous test coverage.
Comprehensive Testing of the Entire Attack Surface
Communication and collaboration between KPT, the ethical hackers, and Bug Bounty Switzerland are handled through the Cyber Resilience Platform – developed and operated in Switzerland by Bug Bounty Switzerland. When a participating ethical hacker discovers a vulnerability, they submit a detailed report via the platform. Incoming reports are initially reviewed and validated by Bug Bounty Switzerland to ensure they fall within the defined scope and to assess the severity of the vulnerability. Thanks to the targeted use of artificial intelligence, these processes are carried out with exceptional quality and efficiency. Only reports that are confirmed and accepted are forwarded to KPT’s IT security team, where they are analyzed and remediated.
KPT defined all systems operating under the domain kpt.ch as valid targets for the participating ethical hackers. After initial discussions, it was also decided to include SaaS services hosted under the domain. This decision proved to be the right one: in fact, a critical vulnerability was found in one such SaaS service. Upon receiving the report, the IT security team immediately contacted the external provider, who responded cooperatively, allowing the vulnerability to be swiftly closed.
“This incident once again highlighted the importance of third-party risk management,” summarizes Kunz. “Before entrusting your company’s data to an external provider, they must be thoroughly vetted.” After all, finding vulnerabilities in SaaS offerings serves everyone’s best interest: “If we notify a partner about a leak in one of their services, it’s ultimately to their benefit—they can only be grateful.”
For KPT, the bug bounty program complements its strategic, multi-layered monitoring approach, which aims to automatically oversee the organization’s entire internet-exposed attack surface around the clock. “We’ve set up a monitoring service that acts like a surface-level analysis,” explains Kunz. The bug bounty program adds a deeper layer of inspection, offering greater visibility into unknown vulnerabilities – and it does so very effectively and cost-efficiently compared to traditional penetration testing.
Over time, the program has significantly scaled: while it started with just eleven ethical hackers, it now involves over 500 continuously testing KPT’s entire attack surface. Kunz fully recognizes the value of this collective intelligence: “Every vulnerability we discover and fix with the help of our ethical hackers – before a malicious actor can exploit it – takes us one step closer to strengthening our cyber resilience.”
Skepticism has turned into enthusiasm
“The collaboration with Bug Bounty Switzerland has always been highly professional, straightforward, trustworthy, and personal – it consistently gave us a strong sense of confidence,” says Kunz. “The initial skepticism among some colleagues quickly turned into genuine enthusiasm. And throughout the process, there was never a single operational issue.”
It’s therefore no surprise that KPT is already planning several expansions to its bug bounty program. One idea under consideration is the introduction of so-called on-demand deep spot checks: twenty to thirty carefully selected ethical hackers would be granted access to accounts, allowing them to search for vulnerabilities within specific systems and applications.
Walter Kunz can wholeheartedly recommend running a bug bounty program with Bug Bounty Switzerland. However, he strongly advises against attempting to manage such a program in-house. “Bug Bounty Switzerland offers bug bounty programs as a plug-and-play solution—this is, in my view, the most effective and efficient approach. We would have needed far too much time and too many resources to manage the program ourselves with the same level of precision.”
For those still unsure or skeptical, Kunz recommends speaking with companies that already have experience in this area. He is convinced that hearing firsthand from customers can quickly dispel any doubts: “Invite people who can brief your executive management and answer their questions!”
Would Kunz be willing to take on that role himself? “I’m certainly very busy, but if my schedule allows, I’d be happy to do it,” he confirms. “After all, this is also about collective security in Switzerland. If I can contribute to that, it’s absolutely in line with my values.”
About KPT
KPT is one of the ten largest health insurers in Switzerland. With around 700 employees, it provides 600,000 policyholders with what truly matters: excellent value for money and top customer satisfaction. As a cooperative, KPT embraces its social responsibility and consistently advocates for the interests of both its policyholders and employees.
About Walter Kunz

Walter Kunz entered the world of IT nearly 40 years ago – long before “IT specialist” became a recognized profession – starting out as a telecommunications expert. Initially working as a telematics and network specialist, he developed a fascination for IT security more than 30 years ago, which soon became his focus. After completing his diploma in Business Information Technology and obtaining various security certifications, including CISM, CRISC, and ISO 27001 Lead Auditor, Kunz gradually shifted from purely technical roles to concentrate on Information Security Management and Information Risk Management. He has held CISO positions for many years. For six years, alongside his CISO responsibilities, he also worked as an auditor for the EuroGiro payment network, gaining international IT audit experience with financial institutions. Always interested in emerging trends and methodologies, Kunz was immediately convinced that a bug bounty program could make a valuable contribution to KPT’s cyber resilience. The program aligns perfectly with KPT’s strategic approach of continuously monitoring its entire attack surface.