Successful Bug Bounty Pilot Project in the Federal Administration

An ehtical hacking project in May was very successful, according to the National Cyber Security Center (NCSC). A total of ten vulnerabilities were reported, one of which turned out to be critical, while seven other vulnerabilities were classified as "medium.

Pilotprojekt
©Pixabay

Bug Bounty programs are used to identify, document and fix any vulnerabilities in IT systems and applications in collaboration with ethical hackers. A total of 15 federally contracted ethical hackers participated in this pilot project. From May 10 to 21, 2021, the National Cyber Security Center (NCSC) conducted a Bug Bounty pilot project in collaboration with Bug Bounty Switzerland GmbH, the Federal Department of Foreign Affairs (FDFA), and the Parliamentary Services (PD).

Ten security vulnerabilities discovered

For the Implementation of the pilot project a total of six IT systems of the FDFA and the parliamentary services were scanned by ethical hackers for possible security vulnerabilities. A total of ten security vulnerabilities were reported to the NCSC. Of these, one vulnerability turned out to be "critical", seven vulnerabilities were classified as "medium" and two as "low".

All gaps were closed immediately by the responsible service providers. The successful closure of the gaps was subsequently verified and confirmed by the ethical hackers.

Positive conclusion

The pilot project had shown that vulnerabilities in IT systems and applications can be efficiently identified and remedied by means of bug bounty programs. The "return on investment" was identified as high. A bug bounty program for the federal administration, operated by the NCSC, makes an important contribution to reducing the federal government's cyber risk.

Through the experience gained from the pilot and the lessons learned by all stakeholders, NCSC envisions continually expanding the Bug Bounty program to as many federal government systems as possible.

The procurement process should therefore be started as quickly as possible. In the meantime, other companies in Switzerland offer Bug Bounty programs in addition to Bug Bounty Switzerland GmbH. In order to ensure neutrality in the procurement process, Florian Schütz, the federal government's delegate for cybersecurity, is therefore withdrawing from the advisory board of Bug Bounty Switzerland.

Source: NCSC

(Visited 104 times, 1 visits today)

More articles on the topic

SECURITY NEWS

Bleiben Sie informiert über aktuelle Sicherheitsthemen – praxisnah und zuverlässig. Erhalten Sie exklusive Inhalte direkt in Ihren Posteingang. Verpassen Sie keine Updates.

Jetzt anmelden!
anmelden
You can unsubscribe at any time!
close-link