The Swiss government has invited hackers to penetration test its e-voting system to check that it is safe and secure for voters. The testing will take place during a Public Intrusion Test (PIT), in which interested parties from around the world will be offered cash rewards based on what they find. The PIT will run from 25 February to 2 March, and rewards range from CHF 100 to CHF 50,000 depending on the severity of the finding.
Opening the doors to hackers is becoming a popular way for organisations to find vulnerabilities before black hat hackers discover them in the wild and cause the company, or government, considerable distress. Many tech companies do this routinely; last year, for example, Google awarded a teenager in Uruguay $36,000 for finding a bug. It is estimated that white hat hackers earned $878,000 from cryptocurrency bug bounties alone last year, and that bug bounty payouts overall rose 37% last year.
With so many companies offering bug bounties to bolster their security, it is natural that governments would follow suit, as the Swiss government has done here. Some members of the public will likely question whether taxpayers' money should be used to pay hackers, but this model has been shown to save money and improve security in the long run.
Anyone wanting to participate in the penetration test has to register before the PIT session commences; registration gives them legal permission to attack the system and makes them eligible for rewards. The PIT also has rules that protect the rest of the Swiss Post infrastructure from being targeted.
The website states:
“The goal of the PIT is to promote security and trust in the Swiss Post e-voting system…The scope of the PIT is strictly limited to the dedicated e-voting test system that is modelled 1:1 on the productive systems. Any other Swiss Post services and infrastructures and any services and infrastructures of its customers, suppliers and any other public or private entities are off-limits.”
Rewards are paid in Swiss francs (CHF); 1 CHF is roughly equal to $1. The reward tiers are:
- Between CHF 30,000 and CHF 50,000: Manipulation that goes undetected by the voter and the system. Examples:
  - Manipulation of individual votes after they have been recorded in the ballot box (without being detected by the proofs and logs generated by the e-voting protocol)
  - Manipulation of the tallying process (manipulating the results) without voters and auditors detecting it
- CHF 20,000: Manipulation that goes undetected by the voter but not by the system. Examples:
  - Manipulation of individual votes while the universal verifiability mechanism remains intact (detected by a trusted auditor)
  - Modifying the results of the election without being detected by a voter
- CHF 5,000: Vote corruption. Examples:
  - A vote is stored in the ballot box and that vote cannot be decrypted
  - A vote is stored in the ballot box in a way that gives the voter an unfair advantage
  - Destruction of the electronic ballot box
- CHF 10,000: Voting privacy outside the voting client. Examples:
  - The privacy of a voter is broken (the identity of who voted) on the server
  - The privacy of a vote is broken (what he or she voted) on the server
- CHF 1,000: Intrusion. Examples:
  - Intrusion into one of the servers (shell access)
  - Ability to execute arbitrary code on one or multiple servers
  - Ability to execute arbitrary code on one or multiple control components
- CHF 100: Best practices. Examples:
  - The configuration of a server or a service does not follow security industry best practices