swisspost-evoting / E-voting / E-voting documentation · Issues · #18

Results from the private bug bounty programme

Private bug bounty program comes to an end: results

For its e-voting solution, Swiss Post invited over 1'500 hunters to a private bug bounty program that lasted nine months. The hunters submitted 39 reports:

  • 2 reports concern cryptography-related issues in the cryptographic protocol and its specification. They could have led to attacks on individual verifiability and vote secrecy that are within our threat model. We recognized the researchers' profound expertise and the issues' severity with a total payout of €47'500.-.
  • 7 reports concern infrastructure-related or source-code best practices. They do not directly lead to exploitable attacks, but they highlighted possible improvements in the configuration of the server infrastructure or in the source code. We rewarded these reports with a total payout of €1'950.-.
  • 3 reports are still under analysis and review.
  • Swiss Post and YesWeHack (YWH) did not accept 27 reports, since they could not be reproduced or did not identify a vulnerability. Triaging reports is a standard process in bug bounty programs; we took these decisions together with our partner YesWeHack. An acceptance rate of 24% is in line with our expectations and with our experience from the public intrusion test in 2019.

In total, Swiss Post paid out €49'450.- to the bounty hunters who submitted the reports.


Cryptography-related issues

| YWH-ID | Title | Description | Status |
|---|---|---|---|
| #YWH-PGM2323-8 | The algorithm GenCMTable allows an adversary to recover the election event's set of possible short return codes | Thomas Haines identified a problem within the algorithm GenCMTable. We confirmed and disclosed Thomas Haines's report publicly on GitLab. | The issue is fixed in the latest version of the cryptographic protocol. |
| #YWH-PGM2323-35 | Privacy bug: scenario leading to an undetected attacker learning the vote of a target voter | Véronique Cortier, Alexandre Debant, and Pierrick Gaudry from CNRS/LORIA submitted a potentially undetectable attack against vote privacy. We confirmed and disclosed their report publicly on GitLab. | The issue is fixed. |

Infrastructure and source-code related issues

| YWH-ID | Title | Description | Status |
|---|---|---|---|
| #YWH-PGM2323-1 | Missing Integrity-Value on script load | The landing page on the test platform omitted the JavaScript's hash value, thereby preventing users from checking the integrity of the client application. | Future versions of the platform will include the hash value. |
| #YWH-PGM2323-2 | Import of insecure library | The source code included a vulnerable version of the XStream library. | Fixed. We removed the XStream library from the source code. |
| #YWH-PGM2323-3 | Main website redirecting to unknown DNS | The test platform contained a redirect that could lead to a DNS misconfiguration. | Fixed |
| #YWH-PGM2323-7 | The test platform contains no SPF record, potentially leading to email spoofing | An attacker could spoof email for the test platform because of the missing SPF record. | Fixed |
| #YWH-PGM2323-11 | Weak Ciphers Enabled For Both Web Applications | The remote host supports TLS/SSL cipher suites with weak or insecure properties. | Fixed |
| #YWH-PGM2323-13 | Path leak in a file of the landing page | An error document on the test platform leaked the creation date and tools used. | Fixed |
| #YWH-PGM2323-22 | Version of Bootstrap on landing page contains vulnerabilities | The landing page (not part of the actual voting application) contains a version of Bootstrap that is vulnerable to XSS attacks. | Fixed |
Edited Sep 16, 2022 by Swisspost Product