First bug bounty program in the federal administration
The federal administration and Bug Bounty Switzerland launched a joint cybersecurity project on May 10, 2021. Led by the National Cyber Security Center (NCSC), the two-week test is designed to gather initial experience with Bug Bounty programs.
According to a statement, the federal administration wants to take advantage of the opportunities offered by bug bounty programs, clarifying the extent to which they can make a strategic contribution to the security of infrastructures at administrations and companies.
To this end, the National Cyber Security Center (NCSC), together with Bug Bounty Switzerland GmbH (BBS), is conducting a corresponding pilot project in the federal administration for the first time. The test began on May 10, 2021 and will last two weeks. As part of Bug Bounty programs, "ethical hackers" - hackers who legally search for vulnerabilities within a defined framework - are called upon to detect vulnerabilities in an organization's IT systems. For each vulnerability (bug) found and confirmed, the successful hacker receives a reward (bounty), graded according to the severity of the vulnerability found.
The federal government's pilot project is clearly limited in scope. Two IT systems of the Federal Department of Foreign Affairs (FDFA) and one of the parliamentary services were selected as targets. In addition, the circle of bug bounty hunters in this first test is limited to ethical hackers who are known to BBS or the NSCS and have already proven themselves in other projects.
Since the federal administration - as well as other regulated industries - have strict data protection requirements and demand a data location in Switzerland, BBS has developed its own Bug Bounty platform in recent months with technical assistance from Microsoft Switzerland, which is operated entirely in Switzerland. This platform is based on state-of-the-art cloud technologies and meets the needs of federal and other regulated industries such as critical infrastructure.
The implementation of the Bug Bounty program is the responsibility of BBS, but it will be closely monitored by NCSC and representatives of the DFA and Parliamentary Services. The test is intended to provide the basis for a discussion on the further procedure for the use of bug bounty programs.
Source: Federal Department of Finance
