Public Intrusion Test of Swiss Post’s E-Voting System

Context

The Swiss Cantons have offered online voting to members of their electorate since 2004. Meanwhile, more than 200 binding trials at Federal votes and elections have taken place in 15 cantons over the years.

In order to expand online voting to a broader public, the Federal regulation obliges the Cantons to meet an additional set of requirements. These include the system feature of full verifiability, performing numerous audits and publishing the software components’ source code.

Additionally, the Swiss Confederation and the Cantons have decided that the systems used for online voting needed to be publicly tested within the setting of a public intrusion test (PIT). By performing a PIT, the Confederation and the Cantons are hoping to get a valuable outside view on the system by a large number of competent people.

Swiss Post’s E-Voting System

Swiss Post provides one of the major online voting platforms currently available in Switzerland. The latest version of this platform has already been pen-tested and certified under the legal framework of the Swiss Confederation. As required by Federal regulations, this system must now be subject to a public intrusion test.

Third-party operator

In order to managed and operate this PIT, a third-party and independent company has been selected: SCRT.

SCRT are not involved in the development, deployment or promotion of Swiss Post’s e-voting system and act under the mandate of the Swiss Confederation and the Cantons.

They are responsible for enabling registration and vulnerability submission as well as providing support to participants. SCRT are the single point of contact for all participants and oversee the review and triage of the vulnerability submissions.

Dates

The Public Intrusion Test will start on Feb. 25th 2019. It will be running for a period of four weeks, which corresponds to the duration of a Swiss federal vote, until March 24th 2019.

Compensations

Swiss Post have committed to compensate participants if they reveal a relevant vulnerability. An amount of CHF 150’000.- is available for compensations.

Registration and further details

Registration is open starting of today at https://www.onlinevote-pit.ch/

Anyone can register and participate. While the target is a Swiss e-voting system, this PIT is meant for anyone interested in the matter and is not restricted to Swiss citizens.