Results from the bug bounty programme, update 30 September 2025
For its e-voting solution, SwissPost is running a public bug bounty program. The previous update was published on 30 June 2025.
Since then, the hunters have submitted 103 reports:
- 0 reports concern cryptography-related issues in the cryptographic protocol and its specification.
- 5 reports concern source-code issues. They highlighted meaningful improvements in the source code.
- 0 reports were accepted as informative for their insightful contribution.
SwissPost and YesWeHack (YwH) did not accept 84 reports because they could not be reproduced or did not identify a vulnerability; 14 reports are still under review. Triaging reports is a standard process in bug bounty programs, and the decisions were taken together with our partner YesWeHack.
In total, SwissPost has paid out EUR 4'500 in rewards since the last update to the hunters who submitted the reports.
Note: The results from the 2025 public intrusion test were disclosed on 24 September 2025.
Source-code-related issues
| YWH-ID | Title | Description | Status | CVSS-severity |
|---|---|---|---|---|
| #YWH-PGM2323-266 | Index Collisions and Metadata Injection via Municipality Configuration | A missing validation step in the Municipalities.xml configuration file could theoretically allow index collisions or metadata injection. However, the file's integrity is verified and it is delivered through a secure, controlled process, making exploitation highly unlikely. Enforcing the uniqueness of MunicipalityId via the XSD schema is considered a best practice to prevent potential misconfigurations. | Given the existing integrity checks and delivery controls, this finding does not represent a security risk and is accepted as a best-practice improvement. The issue will be addressed in a future release. | Low |
| #YWH-PGM2323-301 | ZipSlip in PDF Verification Service | A potential ZipSlip vulnerability was identified in the PDF Verification Service. The service operates in a trusted, offline, and hardened environment under a four-eyes principle, making exploitation highly impractical. Identified thanks to `maitai`. | Given these operational constraints, this issue does not pose a significant security risk. Sanitizing file names is considered a best practice to prevent potential implementation errors. The fix has been implemented and released in version 1.5.2. | Low |
| #YWH-PGM2323-308 | Path Traversal via File Upload in PDF Verification Service | A potential path traversal vulnerability was identified in the PDF Verification Service, allowing encrypted files to be stored outside the intended directory. The service operates on a secure, hardened, offline system under a strict four-eyes principle, making exploitation highly impractical. Identified thanks to `v4yne1`. | Under the current operational assumptions, this issue does not represent a security risk. A fix was implemented as a best-practice measure to improve system robustness and released in version 1.5.2. | Low |
| #YWH-PGM2323-344 | Internal SonarQube Token Exposure in Public GitLab Build Script | An internal SonarQube address and its associated access token were unintentionally exposed in a public GitLab build script. The SonarQube instance is not externally accessible, and no evidence of misuse was identified. Identified thanks to `BunnyHunter`. | The exposure has been remediated to prevent potential misuse and to avoid similar leaks in the future. | Low |
| #YWH-PGM2323-346 | Replay behaviour of invalid authentication attempts | This issue was identified during the 2025 public intrusion test and is described in this GitLab report. | Fixed | Low |
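The Municipalities.xml finding (#YWH-PGM2323-266) is closed by enforcing the uniqueness of MunicipalityId in the XSD schema. The fragment below is an added illustration of how such a constraint is written in XML Schema, not the project's own schema: the element names `Municipalities`, `Municipality` and `Name` are assumptions, since the page only names the file and the `MunicipalityId` field. The `xs:unique` identity constraint makes a validating parser reject any document in which two `Municipality` entries carry the same `MunicipalityId`, so a duplicated index is caught at validation time instead of surfacing later as an index collision.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example schema; element names other than MunicipalityId are assumed. -->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified">
  <xs:element name="Municipalities">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="Municipality" maxOccurs="unbounded">
          <xs:complexType>
            <xs:sequence>
              <!-- A pattern bounds the identifier to a fixed shape; this also closes
                   the door on free-form content being injected into the index. -->
              <xs:element name="MunicipalityId">
                <xs:simpleType>
                  <xs:restriction base="xs:string">
                    <xs:pattern value="[0-9]{1,6}"/>
                  </xs:restriction>
                </xs:simpleType>
              </xs:element>
              <xs:element name="Name" type="xs:string"/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
    <!-- Identity constraint: every Municipality/MunicipalityId value under the
         Municipalities root must be distinct, or schema validation fails. -->
    <xs:unique name="UniqueMunicipalityId">
      <xs:selector xpath="Municipality"/>
      <xs:field xpath="MunicipalityId"/>
    </xs:unique>
  </xs:element>
</xs:schema>
```

The constraint only helps if the file is actually validated against the schema before it is loaded, so the check belongs in the same controlled delivery step that already verifies the file's integrity; the numeric pattern on `MunicipalityId` is an assumed example format and would be replaced by whatever shape the real identifiers have.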
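Both PDF Verification Service findings (#YWH-PGM2323-301 ZipSlip and #YWH-PGM2323-308 path traversal via file upload) are instances of the same defect: a file name supplied by a client or embedded in an archive is joined to a base directory without checking that the result still lies inside that directory. The Python below is an added example of the containment check the table calls "sanitizing file names", not code from the Swiss Post e-voting project (whose implementation language the page does not state); the function names, the `uploads` and `extract` directories and the sample archive are all constructed for the illustration. One resolver, `safe_target`, serves both the upload path and the archive-extraction path, and the extraction routine checks every entry before writing the first one so that a bad archive leaves no partial state.

```python
"""Path-containment checks for file uploads and ZIP extraction (added example)."""
from __future__ import annotations

import io
import os
import tempfile
import zipfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a client-supplied name would escape the target directory."""


def safe_target(base_dir: str, untrusted_name: str) -> Path:
    """Resolve untrusted_name under base_dir and prove the result stays inside it.

    Rejects absolute names, drive-qualified names and any '..' sequence that
    would leave base_dir after normalisation ('sub/../ok.txt' is still fine).
    """
    base = Path(base_dir).resolve()
    if os.path.isabs(untrusted_name) or os.path.splitdrive(untrusted_name)[0]:
        raise UnsafePathError(f"absolute path rejected: {untrusted_name!r}")
    # Join first, normalise second: comparing the resolved candidate against the
    # resolved base is what catches '..' segments and symlink tricks.
    candidate = (base / untrusted_name).resolve()
    if base not in candidate.parents:
        raise UnsafePathError(f"path escapes {base}: {untrusted_name!r}")
    return candidate


def store_upload(base_dir: str, filename: str, data: bytes) -> Path:
    """Store an uploaded (e.g. encrypted) file only after the containment check."""
    target = safe_target(base_dir, filename)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list[Path]:
    """Extract a ZIP archive, refusing any entry that resolves outside dest_dir.

    All entry names are checked up front; an archive with one bad entry is
    rejected as a whole and nothing is written (the Zip Slip pattern).
    """
    written: list[Path] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entries = [(info, safe_target(dest_dir, info.filename)) for info in zf.infolist()]
        for info, target in entries:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src:
                target.write_bytes(src.read())
            written.append(target)
    return written


def build_demo_archive() -> bytes:
    """Constructed sample: one legitimate entry plus one entry with a '..' name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/summary.pdf", b"%PDF-1.4 constructed sample")
        zf.writestr("../escaped.txt", b"must never be written")
    return buf.getvalue()


def run_demo() -> dict[str, object]:
    """Exercise both checks in a throw-away directory and report what happened."""
    results: dict[str, object] = {}
    with tempfile.TemporaryDirectory() as root:
        uploads = Path(root) / "uploads"
        results["upload_ok"] = store_upload(str(uploads), "ballot-1.enc", b"ciphertext").name
        try:
            store_upload(str(uploads), "../../outside.txt", b"x")
            results["upload_traversal"] = "accepted"
        except UnsafePathError:
            results["upload_traversal"] = "rejected"
        try:
            safe_extract(build_demo_archive(), str(Path(root) / "extract"))
            results["zip"] = "accepted"
        except UnsafePathError:
            results["zip"] = "rejected"
        # Neither the escaped file nor the (otherwise valid) PDF was written.
        results["escaped_exists"] = (Path(root) / "escaped.txt").exists()
        results["pdf_exists"] = (Path(root) / "extract" / "report" / "summary.pdf").exists()
    return results


if __name__ == "__main__":
    print(run_demo())
```

For an upload endpoint that never needs sub-directories, the stricter option is to discard everything but `Path(filename).name` before the check, which makes traversal impossible by construction; the resolver above is the form that also covers archive entries, where relative sub-paths are legitimate.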