Frequently Asked Questions


General


The Swiss Confederation and the Cantons have decided that the systems need to be publicly tested within the setting of a public intrusion test (PIT).

By performing the PIT, the Confederation and the Cantons are hoping to get a valuable outside view on the system. Its objectives are to promote transparency and security of the e-voting system by allowing anyone to test, analyze and challenge it.

A management committee formed by representatives of the Federal Chancellery and several Cantons is supervising this Public Intrusion Test.

Swiss Post are the vendors and operators - along with the Cantons - of the e-voting solution. They are responsible for deploying and operating the e-voting platform subject to this Public Intrusion Test.

SCRT are a Swiss information security company appointed by the Confederation and the Cantons. They are responsible for enabling registration and vulnerability submission as well as providing support to participants. SCRT are the single point of contact for all participants and oversee the review and triage of the vulnerability submissions. Any questions, remarks, etc. must be submitted through this platform.

SCRT are not involved in the development, deployment or promotion of Swiss Post's e-voting system.

Yes, it is! The main objective of this PIT is to comply with transparency requirements by allowing anyone to observe the behavior and test the security of Swiss Post’s e-voting system. Swiss Post have committed to compensate participants if they are the first to reveal a relevant vulnerability.

If a participant discovers and submits a vulnerability which falls into the range of qualifying vulnerabilities, he/she should receive a monetary compensation proportional to the vulnerability’s characteristics and impact.

These compensations are to be provided by Swiss Post and are meant as a motivator for participants to take part in the PIT and as a sign of appreciation.

Anyone can participate by registering. While the target is a Swiss e-voting system, this PIT is meant for anyone interested in the matter and is not restricted to Swiss citizens.

There are no restrictions on the number of participants.

However, only a limited number of voting cards (required to cast a vote) are available. These cards will be distributed in a way that allows participants to perform useful testing while preventing the cards from being used up too fast.

Details about the scope of the PIT are provided here.

It is true that the PIT platform (which you are browsing right now) and the vulnerability submission system both rely on third party, US-based services like Cloudflare, Google Mail and Amazon Web Services.

This only applies to the PIT specific services, and does NOT apply to the e-voting system itself, which is hosted by Swiss Post.

These choices have been made based on technical requirements and on the fact that we do not consider the NSA or any other governmental agency to be part of the threat model in the context of this PIT.

One of the goals of the PIT is to promote transparency and, while some elements (e.g. internal exchanges between organizers, e-mail exchanges with participants, ...) have no reason to be made public, the fact is that all the valuable outcomes of the PIT will be made public shortly after the end. The source code is public and the vulnerabilities that are discovered will be published at some point. Moreover, the PIT itself is open to anyone interested, and is not by any means restricted to Swiss participants.

Under these circumstances, we consider that the technical advantages provided by these services outweigh the potential confidentiality concerns related to state-sponsored activities.


Participants


First, you need to register.

As soon as the PIT opens, you will be able to download voting cards that you can use to access the e-voting system and perform your testing.

If you discover any qualifying vulnerability, you must submit it through this platform. Please refer to submission guidelines for further details.

You will be contacted by SCRT upon review of your submission. While SCRT will do their best to review submissions in a timely manner, please allow some time after submission.

If you are the first to submit a confirmed vulnerability, you should receive a compensation based on the type and severity of the vulnerability.

No. Swiss Post's e-voting system is only available in the four national languages of Switzerland: German, French, Italian and Romansh. Swiss Post do, however, provide some English documentation.

Yes. Details regarding source code publication and access are provided here.

Note that while you can access the source code and use it as an auxiliary tool to analyze the security of the target e-voting system and discover potential vulnerabilities, both programs are fully distinct. Any vulnerability that may be found on the source code itself must be reported through the Source Code Access Program and will not be accepted in the PIT unless it can actually be exploited against the target system.

To register for this PIT, the only mandatory information that you have to submit is:

  • A username
  • A valid e-mail address
  • Your country of residence (used only for statistics)

Note that for technical reasons, your username may be visible to other participants in the issue tracking system. Please be aware of that when choosing it.

Optionally, you can also provide information about your identity (first and last names).

The information you provide us with is used only in the context of this PIT. It may be shared with SCRT, Swiss Post, the Swiss Confederation and the Cantons.

If you discover a vulnerability eligible for a compensation, additional information will be requested in order to trigger the payment.

If you need support you can contact us through the dedicated contact form.

We will do our best to answer all questions in a timely manner. Note however that our support is operating on an office-hours basis (GMT+1).


Voting cards


Each voting card can be used to vote only once, which is the expected behavior for an actual vote.

As the number of available voting cards is limited and cannot be extended during the time of the PIT, they are distributed according to some rules.


Vulnerability submissions


Some elements that may look like vulnerabilities by themselves are accounted for in the design of the system and mitigated by other mechanisms and are thus not considered vulnerabilities in the context of this PIT.

A simple example of that is the possibility of changing a vote on the client-side (i.e. the voter’s computer) by compromising the browser (e.g. through a malicious extension). While this attack is perfectly feasible and cannot be prevented by the voting system beforehand, it will still be defeated by the “individual verifiability” mechanism, during which the voter is shown return codes that correspond to the answers registered by the e-voting backend. The voter verifies these return codes against the voting card that was sent by regular mail and is thus out of reach of the attack. This mechanism allows the voter to detect the attack and cancel the vote.
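A simplified model of the individual verifiability check described above, as an added example that is not part of the original FAQ or of Swiss Post's code. The HMAC-based code derivation, the ballot options, the sample secret and all function names are assumptions made for illustration; the page does not describe how the real return codes are generated.

```python
import hashlib
import hmac

OPTIONS = ("YES", "NO", "BLANK")  # constructed ballot for this model


def return_code(card_secret: bytes, option: str) -> str:
    # Assumption: codes are derived with HMAC from a per-card secret. The
    # real system's derivation is not described on this page.
    mac = hmac.new(card_secret, option.encode(), hashlib.sha256)
    return mac.hexdigest()[:8]


def print_voting_card(card_secret: bytes) -> dict:
    """Codes as printed on the paper card delivered by regular mail."""
    return {opt: return_code(card_secret, opt) for opt in OPTIONS}


def backend_register(card_secret: bytes, received: str) -> str:
    """Backend stores the option it received and answers with its code."""
    return return_code(card_secret, received)


def cast_vote(card: dict, card_secret: bytes, intended: str, browser) -> dict:
    """One voting session; `browser` maps the voter's choice to what is sent."""
    sent = browser(intended)
    shown = backend_register(card_secret, sent)
    # The voter compares the displayed code with the card entry for the
    # option they meant to choose, not the one the browser submitted.
    match = hmac.compare_digest(shown, card[intended])
    return {"registered": sent, "voter_action": "confirm" if match else "cancel"}


def honest_browser(choice: str) -> str:
    return choice


def tampering_browser(choice: str) -> str:
    # Models the compromised browser from the text: it alters the vote.
    return "NO" if choice == "YES" else "YES"


if __name__ == "__main__":
    secret = b"constructed-card-secret"  # constructed sample value
    card = print_voting_card(secret)
    print(cast_vote(card, secret, "YES", honest_browser))
    print(cast_vote(card, secret, "YES", tampering_browser))
```

The browser in this model never sees the paper card, so it cannot know which code the voter expects for the intended option; the mismatch is what lets the voter cancel.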

Depending on how convinced we are by the provided elements, we will either request that you provide additional details or simply reject your submission on formal grounds.

Submission review is performed on a best-effort basis and depends on the type of vulnerability, the steps needed to reproduce it as well as the quality of submission. Depending on these variables, the review may take from one or two days up to more than a week. You will however be updated whenever applicable on the ongoing review process.

The vulnerabilities are reviewed by SCRT with the support of Swiss Post whenever needed. The decision to accept or reject a vulnerability is taken depending on several criteria, such as:

  • Does it meet the admissible criteria?
  • Does the submission contain enough details to allow reproducing the issue (mandatory)?
  • Does the reproduction confirm the results observed by the participant?
  • ...

Indeed, during the whole duration of the PIT, like for an actual voting campaign, access to the contents of the ballot box is not granted to any person or party. Integrity verification mechanisms due to universal verifiability are only available after the vote has been closed and the votes have been mixed and tallied using a secure crypto-protocol.

Because of that, you cannot “have a look” inside the ballot box to check if your exploit actually worked or not right after your test.

In order to accommodate such cases, Swiss Post will be running an additional ballot box in parallel to the PIT system. This secondary system is not linked to the main system used for the PIT and is not accessible to the participants. However, if you have evidence regarding a potential vulnerability that cannot be verified on the main system, Swiss Post will be able to run your PoC on this “testing” ballot box in order to analyze the issue.

Your submission may be rejected for a series of reasons, which are detailed alongside the decision. The rationale behind the decision should have been explained to you in a clear manner.

If you are convinced that your vulnerability has been wrongfully rejected and that you can provide strong evidence of it (evidence gathered by you, PoC allowing us to reproduce the issue, ...) we are obviously open to discussion. We will however not reconsider any submission that is incomplete, lacks strong evidence and is only based on claims that we cannot verify.

Congratulations! Along with the acceptance decision in the proper category, the vulnerability will be rated and you will be informed of the compensation you will receive.

Swiss Post will then ask you for payment details in order to perform the transaction. Note however that some delay may be expected (up to one month) before the money is transferred.

If you plan on publishing your vulnerability, the publication rules in the code of conduct must be respected.

No. If the same vulnerability is discovered by two participants, the compensation will only go to the one who submitted it first, in a detailed and comprehensive manner. Incomplete submissions will not be considered in this decision. As an example, making a “quick” submission for an “RCE on the web server” without sufficient details will not give you precedence over other similar issues reported with all the details needed for reviewing and reproducing the issue.

Timing decisions are taken based on the submission time on the issue tracking platform.