Bug bounty programme carried out for the Confederation's eIAM central access system
Bern, 18.10.2022 - The Federal Administration carried out a bug bounty programme for eIAM, the Confederation’s central access system, from 30 August to 11 October. System security was further strengthened through a review by ethical hackers.
The access and permissions system of the Federal Administration is the Confederation’s central login infrastructure. eIAM serves more than 1,000 applications and handles an average of 550,000 logins per day. The security of this infrastructure is therefore critical for the Confederation.
Bug bounty programmes bring in ethical hackers to identify, document and resolve potential vulnerabilities in IT systems and applications, as a complement to other security measures. Unlike their criminal counterparts, ethical hackers operate legally at the request of the parties involved. Following on from last year’s successful pilot project run by the National Cyber Security Centre (NCSC), eIAM has now been put through a review. Thirty-two ethical hackers accepted the invitation to participate in a bug bounty programme that took place from 30 August to 11 October.
Bug Bounty Switzerland AG carried out the system tests in cooperation with the Federal Chancellery’s Digital Transformation and ICT Steering Sector (DTI Sector), which is responsible for the eIAM service; the Federal Office of Information Technology, Systems and Telecommunication (FOITT), which operates the system; and the NCSC, which heads up the bug bounty programme.
The severity of vulnerabilities was classified according to an internationally recognised system: low (fix is optional), medium (fix provided with next release), high (fix required urgently) and critical (fix required immediately). A total of 28 potential vulnerabilities were identified, with 14 of them confirmed. All vulnerabilities were analysed and processed immediately. One of the vulnerabilities was classified as high severity, nine were considered to be of medium severity and four were classified as low. No critical security loopholes were found. A total of CHF 5,700 was awarded to the ethical hackers as a reward for the confirmed vulnerabilities.
This inaugural bug bounty programme was a valuable experience, demonstrating that the method provides an efficient way to discover and resolve hidden vulnerabilities in IT systems and applications. The possibility of continuing to use external security reviews for eIAM is currently under consideration.
The Confederation’s bug bounty programme
Standardised security tests are often no longer sufficient to uncover hidden loopholes. A spring 2021 pilot project showed that bug bounty programmes provide an efficient method to discover and close vulnerabilities in IT systems and applications. The Confederation therefore created a platform for bug bounty programmes in August 2022. The NCSC will head up the platform, which brings in ethical hackers to search for vulnerabilities in the Federal Administration’s productive IT systems and applications. eIAM is now the first such application to be tested as part of the programme.
Ethical hackers who are interested in testing Federal Administration systems by joining future editions of the Confederation’s bug bounty programme can register at www.bugbounty.ch/ncsc.
Address for enquiries
Tel. 058 465 47 40
Tel. 058 465 04 64
Federal Department of Finance
The Federal Office of Information Technology, Systems and Telecommunication