The source code of the future e-voting system is publicly accessible 02.09.2021
Swiss Post is publishing the source code of its future e-voting system today, while also launching an accompanying public bug bounty programme. This means that experts from all over the world can test the system, including by simulating voting procedures, and can report any vulnerabilities they identify. The expert community can now also review the detailed description of the open-source verification software. Following this step, the disclosure of the beta version of the system is almost complete.
Swiss Post has been focusing on the development of its future e-voting system since 2019. Its team of specialists at the cryptography center in Neuchâtel is working on this project. In early 2021, it started the disclosure of the system’s beta version and has since published various system components in several stages. The international expert community has already started testing the system and has submitted various reports, all of which have enabled Swiss Post to implement improvements and rectify errors.
150,000 lines of source code
Swiss Post is now publishing the source code of its future e-voting system. This means that most system components have been made public and are available for unrestricted testing by external experts. Swiss Post has been improving and developing its source code since 2019, focusing on improving auditability and rectifying errors. The aim is to enable independent experts to understand the source code as quickly as possible. To ensure good auditability of the system, Swiss Post commissioned an independent evaluation. The publicly accessible report indicates that the system has very good auditability (4.4 points in total out of a maximum of 5).
All software is continually developed and improved. Swiss Post is adopting the approach of transparent software development, with all modifications displayed. Updates to the source code will now also be published regularly on GitLab, even between releases, to enable the community to follow developments with ease.
Rewards of up to 250,000 francs
Swiss Post is disclosing all information about the system on an ongoing basis. In this respect, the testing of the e-voting system differs from other bug bounty programmes. Experts can examine the underlying cryptographic principles for errors, as well as testing the source code. Swiss Post pays relatively high rewards of up to 250,000 francs for confirmed critical vulnerabilities in e-voting. Marcel Zumbühl, Chief Information Security Officer at Swiss Post, explains: “To attract leading experts and top hackers, we’re offering sizeable rewards for confirmed vulnerabilities in e-voting. While they are the industry norm by international standards, they are much higher than those of the average bug bounty programmes at Swiss Post and in Switzerland. This is due to the scope and complexity of the e-voting system.” Hackers and cryptographers have to spend much more time testing the e-voting system than they would other applications.
Swiss Post is developing open-source verification software
Swiss Post is developing software for the complete verification of votes at its e-voting center in Neuchâtel. This is a technical tool for vote checkers. The verification software can identify falsified or modified votes even if one or more of the Swiss Post servers on which the system runs has been infiltrated. Swiss Post is now making these software specifications public.
Swiss Post will publish the source code of the verification software under an expansive open-source licence over the coming months. This will give third parties the opportunity to redesign or further develop the software and then also distribute it on a commercial basis. This means that the cantons will in future be able to access verification software that can be developed and operated independently of the rest of the e-voting system.
- Since January 2021, e-voting experts from Switzerland and abroad have submitted a total of 24 reports relating to the system components published on GitLab as part of the community programme. They include two reports with a severity level of “high”. One concerns individual verifiability, the other voting secrecy. Solutions have been found for both reports and are documented on GitLab. No critical reports have been submitted yet.
- The second expert webinar on the future e-voting system was held on 19 August 2021, with national and international experts taking part. The presentation and recording of the event are available online.
Swiss Post launches bug bounty programmes with a small group of specialists and gradually extends the group of participants until the programme is published. Almost 800 hunters participated in the private bug bounty programme for e-voting, which was launched last year. The hunters submitted 39 reports, nine of which were confirmed. In return, Swiss Post paid out 53,000 francs to the people who submitted the reports. The results of the private bug bounty programme are available on GitLab.