News from public scrutiny

Continuous improvement of the e-voting system: reports from experts

This post will be regularly updated.

At the start of 2021, Swiss Post launched a community programme for e-voting and published the essential components and documentation of the beta version of its future e-voting system. This is a cyber security measure: Swiss Post works with leading international specialists to identify and eliminate vulnerabilities so that the system is maintained at the highest possible security level.

This page describes all confirmed findings that Swiss Post classifies as high or critical severity after an in-depth technical analysis. The details are updated regularly.

Overview of the findings

Status as of 14.09.2022

Number of reports: 171
Number of findings with high severity: 4
Number of findings with critical severity: 0
Total rewards paid out: € 115 750

Confirmed findings with high and critical severity

Swiss Post continuously and fully discloses its future e-voting system: experts can analyse the documentation and test the source code. As part of the bug bounty programme, Swiss Post pays rewards for confirmed vulnerabilities. Public disclosure and the bug bounty are cyber security measures that follow international best practice; their aim is to find and eliminate possible points of attack in the system at an early stage on the basis of the reported findings.

All information, including questions, comments and findings, is published on the GitLab platform.

Below is a regularly updated description of all confirmed findings that Swiss Post classifies as high or critical severity after a detailed technical analysis.

The findings are listed in chronological order of their publication on GitLab.

Issue #5 (e-voting): SDM - Insecure USB file handling during 'importOperation'
Issue #1 (e-voting): Insufficient Signature Validation of the Election Public Key resulting in possible attacks against individual verifiability
Issue #11 (e-voting documentation): Risk of privacy breach due to the CCMs not checking the ZKP before mix-decrypting
Issue #2 (e-voting documentation): The algorithm GenCMTable allows an adversary to recover the election event's set of possible short return codes