£116,000 bug bounty offered for hacking Swiss e-voting system

The Swiss government has offered generous bounties of $150,000 (£116,000) to anyone who can identify and disclose vulnerabilities in its digital voting system during a testing period.

Bug bounty programmes offer white hat hackers financial rewards for finding vulnerabilities that could be exploited. In recent years, major companies – including Facebook, Microsoft and Google – and US government departments, including the Pentagon, have established bug bounty programmes.

Now, the Swiss government has established its own bug bounty programme to tighten the security of its e-voting system. Most countries do not use remote electronic voting due to the possibility of privacy, security and technical issues. In the New South Wales state elections in 2015, for instance, a major vulnerability was identified which compromised an estimated 66,000 votes.

France ended remote electronic voting for overseas citizens in 2017, while the UK abandoned plans to introduce e-voting in 2007, citing security concerns. The IET has claimed that e-voting in the UK would save money and boost turnout.

Switzerland has been using a limited form of electronic voting, with a maximum limit of 10 per cent of electronic votes for its frequent (approximately monthly) referendums and 30 per cent for constitutional amendments. Electronic voting is a particularly pertinent issue for Switzerland’s many overseas citizens, who retain the right to vote. The government has been following a “security before speed” approach to electronic voting, having carried out hundreds of trials of voting systems. Consequently, the technology is being introduced very gradually. A further rollout is expected in autumn 2019 to two-thirds of Switzerland’s 26 cantons.

The government will carry out a dummy election on its Swiss Post system from 25 February to 24 March, the same length as a typical Swiss public federal vote, for the purposes of a Public Intrusion Test (PIT). The Swiss Post system has already been “pen tested” and is now being opened up to public scrutiny.

Anyone, including non-Swiss citizens, who registers for the PIT and agrees to its code of conduct will be allowed to legally attack the system. Participants will be given voting cards to submit a vote for research purposes.

Hackers are allowed to publish details of their findings.

A total bounty of 150,000CHF (£116,000) will be available, with individual rewards for identifying ‘undetectable vote manipulation’ ranging from 30,000 to 50,000CHF (£23,000 to £39,000). Smaller bounties will be available for identifying detectable means of vote manipulation, destruction of the electronic ballot box, vote corruption, compromising the privacy of votes, and code which does not meet best standard security practices.