The source code of the future e-voting system is publicly accessible

The source code of the future e-voting system is publicly accessible 02.09.2021

Swiss Post is publishing the source code of its future e-voting system today, while also launching an accompanying public bug bounty programme. This means that experts from all over the world can test the system, including by simulating voting procedures, and can report any vulnerabilities they identify. The expert community can now also review the detailed description of the open-source verification software. Following this step, the disclosure of the beta version of the system is almost complete.

Swiss Post has been focusing on the development of its future e-voting system since 2019. Its team of specialists at the cryptography center in Neuchâtel is working on this project. In early 2021, it started the disclosure of the system’s beta version and has since published various system components in several stages. The international expert community has already started testing the system and has submitted various reportsTarget not accessible, all of which have enabled Swiss Post to implement improvements and rectify errors.

150,000 lines of source code

Swiss Post is now publishing the source code of its future e-voting system. This means that most system components have been made public and are available for unrestricted testing by external experts. Swiss Post has been improving and developing its source code since 2019, focusing on improving auditability and rectifying errors. The aim is to enable independent experts to understand the source code as quickly as possible. To ensure good auditability of the system, Swiss Post commissioned an independent evaluation. The publicly accessible reportTarget not accessible indicates that the system has very good auditability (4.4 points in total out of a maximum of 5).

All software is continually developed and improved. Swiss Post is adopting the approach of transparent software development, with all modifications displayed. Updates to the source code will now also be published regularly on GitLab, even between releases, to enable the community to follow developments with ease.

Rewards of up to 250,000 francs

Swiss Post is disclosing all information about the system on an ongoing basis. In this respect, the testing of the e-voting system differs from other bug bounty programmes. Experts can examine the underlying cryptographic principles for errors, as well as testing the source code. Swiss Post pays relatively high rewards of up to 250,000 francsTarget not accessible for confirmed critical vulnerabilities in e-voting. Marcel Zumbühl, Chief Information Security Officer at Swiss Post, explains: “To attract leading experts and top hackers, we’re offering sizeable rewards for confirmed vulnerabilities in e-voting. While they are the industry norm by international standards, they are much higher than those of the average bug bounty programmes at Swiss Post and in Switzerland. This is due to the scope and complexity of the e-voting system.” Hackers and cryptographers have to spend much more time testing the e-voting system than they would other applications.

Swiss Post is developing open-source verification software

Swiss Post is developing software for the complete verification of votes at its e-voting center in Neuchâtel. This is a technical tool for vote checkers. The verification software can identify falsified or modified votes even if one or more of the Swiss Post servers on which the system runs has been infiltrated. Swiss Post is now making these software specifications public.

Swiss Post will publish the source code of the verification software under an expansive open-source licence over the coming months. This will give third parties the opportunity to redesign or further develop the software and then also distribute it on a commercial basis. This means that the cantons will in future be able to access verification software that can be developed and operated independently of the rest of the e-voting system.

News from the community programme
Results from the private bug bounty programme