Now anyone can hack Swiss Post
Cybercriminals keep finding new ways to hack into computers and the data of their victims. Swiss Post’s IT security experts are, in turn, constantly working on new ways to improve the security of the company’s IT infrastructure. Bug bounty programmes are an effective way to identify and fix security issues more quickly. The programmes invite hackers to check IT systems for security vulnerabilities and reward them for each one they identify. Swiss Post is now going a step further: anyone will be able to look for vulnerabilities, not just those invited to do so.
In May 2020, Swiss Post was one of the first companies in Switzerland to launch an ongoing bug bounty programme, in which hackers are invited to check certain IT systems for security vulnerabilities. In return, they receive a reward for each vulnerability identified. The aim is to improve the security of Swiss Post’s digital services. As part of the programme, ethical hackers, also known as “hunters”, track down security vulnerabilities upon request. They receive a payment, the bounty, for every vulnerability they find. Marcel Zumbühl, Chief Information Security Officer at Swiss Post, firmly believes that the bug bounty programme is the ideal complement to existing security tests: “Security is a process, not just a state. The bug bounty programme helps us enhance our IT security. We can also tap into the collective expertise of the international hacker community to enhance our security processes.”

If a hacker does detect a vulnerability, Swiss Post takes action to resolve the issue. Specialists from Swiss Post also check whether the reported vulnerability has any impact on other applications. If, for example, something can be manipulated in one service, it is important to check whether the same manipulation is possible in Swiss Post’s other services. If the vulnerability does have an impact there, Swiss Post fixes those security issues as well. “Since we started the programme, we’ve already identified 500 vulnerabilities and paid out around CHF 250,000 in reward money.” Zumbühl sees this as a good sign: “Errors are the only way we can learn and improve,” he says.
Public bug bounty programme launched with selected services
Now Swiss Post is going a step further. Previously it only operated a private programme. In other words, only hackers invited to the programme had access to it and could track down vulnerabilities on request. Now any registered hacker can use the YesWeHack bug bounty platform to identify vulnerabilities. The total bounty a hacker receives for confirmed vulnerabilities depends on how critical they are, with awards ranging from 50 to 10,000 francs. The public bug bounty programme will initially cover the following services, which were previously tested in the private bug bounty programme: Swiss Post Customer Login, Postshop, Post-App, the PubliBike bike sharing service and other services such as WebStamp, My consignments, address management, recipient services and the Billing Online payment service.
“We’re constantly incorporating more services into the private bug bounty programme and plan to transfer them to the public programme in future as well,” explains Zumbühl.
More information on the bug bounty programme can be found at swisspost.ch/bug-bounty or in the latest post at swisspost.ch.
The legal situation
Hacking IT systems constitutes a criminal offence in Switzerland. Swiss Post therefore needed to work with the Confederation and the cantons to come up with a legal framework that would protect hackers from prosecution. This resulted in the creation of a legal safe harbor: a clearly defined arena in which hackers cannot be prosecuted. In return, Swiss Post receives information about the hackers’ methods. It can then learn from this and take action where needed.
The most important bug bounty-related terms explained simply
Bug: A vulnerability or security loophole in an IT system.
Bounty: A financial reward paid out if someone detects and reports a vulnerability.
Bug bounty programme: A programme where hackers are invited to check certain IT systems for security vulnerabilities. In return, they receive a bounty for each vulnerability identified.
Hunter: A security researcher or ethical hacker who tracks down security vulnerabilities in bug bounty programmes.
Ethical hacker: An ethical hacker (or white-hat hacker) is a highly specialized security expert who hacks into IT systems on behalf of the owners of these systems. They track down security vulnerabilities that a cybercriminal with malicious intentions could also exploit, and report them to the owner.
Cybercriminals: These are rogue hackers (or black-hat hackers) who abuse security vulnerabilities in IT systems for malicious and illegal purposes.
Penetration test/intrusion test: This is a type of test in which IT security experts rigorously test the points of attack in an application and ascertain whether there are any vulnerabilities.
Legal safe harbor: A legal framework established for the bug bounty programme in which ethical hackers are protected from prosecution.
Vulnerability disclosure policy (VDP): If hackers detect vulnerabilities in one of Swiss Post’s digital services that is not part of the bug bounty programme, these can be reported through the VDP programme, although no rewards are paid for such reports.