Results from the private bug bounty programme
Private bug bounty program comes to an end: results
For its e-voting solution, SwissPost invited over 1'500 hunters to a private bug bounty program that lasted for nine months. The hunters submitted 39 reports:
- 2 reports concern cryptography-related issues in the cryptographic protocol and its specification. They could have let to attacks on individual verifiability and vote secrecy that are within our threat model. We recognized the researchers' profound expertise and issues' severity with a total payout amount of €47'500.-.
- 7 reports concern infrastructure-related or source-code best practices. They do not directly lead to exploitable attacks but highlighted some possible improvements in the configuration of the server infrastructure or the source code. We rewarded these reports with a total payout amount of €1'950.-.
- 3 reports are still under analysis and review.
- SwissPost and YwH did not accept 27 reports since they could not be reproduced or did not identify a vulnerability. Triaging reports are a standard process in bug bounty programs and took decisions together with our partner YesWeHack. An acceptance rate of 24% is in line with our expectations and our experiences from the public intrusion test in 2019.
In total, Swiss Post paid out €49'450.- to the bounty hunters who submitted the reports.
Cryptographic related issues
| YWH-ID | Title | Description |
|---|---|---|
| #YWH-PGM2323-8 | The algorithm GenCMTable allows an adversary to recover the election event's set of possible short return codes | Thomas Haines identified a problem within the algorithm GenCMTable. We confirmed and disclosed Thomas Haines's report publicly on Gitlab Status The issue is fixed in the latest version of the cryptographic protocol. |
| #YWH-PGM2323-35 | Privacy bug: scenario leading to an undetected attacker learning the vote of a target voter | Véronique Cortier, Alexandre Debant, and Pierrick Gaudry from CNRS/LORIA submitted a potentially undetectable attack against vote privacy. We confirmed and disclosed their report publicly on Gitlab Status The issue is fixed. |
Infrastructure and source-code related issues
| YWH-ID | Title | Description |
|---|---|---|
| #YWH-PGM2323-1 | Missing Integrity-Value on script load | The landing page on the test platform omitted the Javascript's hash value, thereby preventing users from checking the integrity of the client application. Status: Future versions of the platform will include the hash value. |
| #YWH-PGM2323-2 | Import of insecure library | The source code included a vulnerable version of the XStream library. Status Fixed. We removed the XStream library from the source code. |
| #YWH-PGM2323-3 | Main website redirecting to unknown DNS | The test platform contained a redirect that could lead to a DNS misconfiguration. Status: Fixed |
| #YWH-PGM2323-7 | The test platform contains no SPF record, potentially leading to email spoofing | An attacker could spoof the email for the test platform because of the missing SPF record. Status: Fixed. |
| #YWH-PGM2323-11 | Weak Ciphers Enabled For Both Web Applications | The remote host supports TLS/SSL cipher suites with weak or insecure properties. Status: Fixed |
| #YWH-PGM2323-13 | Path leak in a file of the landing page | An error document on the test platform leaked the creation date and tools used. Status: Fixed |
| #YWH-PGM2323-22 | Version of Bootstrap on landing page contains vulnerabilities | The landing page (not part of the actual voting application) contains a version of Bootstrap that is vulnerable to XSS attacks. Status: Fixed |