Researchers have already earned tens of thousands of euros for vulnerabilities found in Switzerland’s new e-voting system as part of a recently launched bug bounty program.
E-voting was first introduced in Switzerland nearly two decades ago. However, the country’s national postal service, Swiss Post, which is in charge of e-voting, has been working on a new system “with complete verifiability.”
Before the new system can be widely implemented, Swiss Post wants to make sure that it’s properly tested and secure. The organization launched the first e-voting bug bounty program in 2019, but it only ran for one month and resulted in the discovery of only around a dozen low-severity security issues.
However, at around the same time, a team of researchers analyzed the system’s source code — outside of any bug bounty program — and they uncovered potentially serious vulnerabilities related to cryptographic protocols, including flaws that could have led to undetectable vote manipulation. The findings were downplayed by the company that developed the voting system.
Last year, Swiss Post announced an ongoing bug bounty program on the YesWeHack platform, offering rewards of up to €230,000 (roughly $260,000 at the time of writing).
According to Swiss Post, it has already received 122 vulnerability reports as of January 20, 2022, including four issues that have been assigned a “high severity” rating. For all the valid vulnerabilities, it has paid out a total of €79,000 ($88,000).
Of this amount, €27,000 ($30,000) was earned by Ruben Santamarta, an experienced cybersecurity researcher who in the past years discovered many vulnerabilities, including in industrial, IoT, satellite, avionics and maritime systems.
Santamarta has so far identified 13 vulnerabilities in the e-voting system, but his research is ongoing and he expects to report additional issues. He also noted that the severity of some flaws is still being investigated and he expects to receive additional rewards for weaknesses that have already been disclosed to the vendor.
Nineteen researchers are listed in the hall of fame of the Swiss Post’s bug bounty program on YesWeHack and Santamarta currently has the highest ranking. The highest bounty paid out so far as part of this program was €40,000 ($45,000).
In a blog post published earlier this month, Santamarta disclosed the details of seven vulnerabilities, including a high-severity issue that has earned him €15,000. The high-severity flaw is related to the use of USB drives.
“In the Swiss Post e-voting system, some of the equipments that are in charge of performing critical tasks are air gapped, using a USB key to share information between them,” Santamarta told SecurityWeek. “I found a vulnerability in the way the contents of this USB key are handled, which allowed to overwrite arbitrary files in the affected computer.”
He explained, “Eventually, if a malicious actor — likely a nation-state taking into account the threat scenario — is able to surreptitiously supply a malicious USB key to the administrators (or even just a malicious administrator, which is assumed in Swiss Post’s threat model), it would be possible to run arbitrary code in the SDM, a computer which is a key asset in the e-voting system, thus leading to a potential compromise of the entire election process.”
Santamarta said he also found some vulnerabilities related to cryptography weaknesses that “weaken the underlying cryptographic protocol the Swiss Post e-voting system relies on.”
Related: Experts Warn of Dangers From Breach of Voter System Software
Related: Report Highlights Cyber Risks to US Election Systems

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- GoAnywhere MFT Users Warned of Zero-Day Exploit
- UK Car Retailer Arnold Clark Hit by Ransomware
- EV Charging Management System Vulnerabilities Allow Disruption, Energy Theft
- Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking
Latest News
- Comcast Wants a Slice of the Enterprise Cybersecurity Business
- Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping
- New York Attorney General Fines Vendor for Illegally Promoting Spyware
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- 20 Million Users Impacted by Data Breach at Instant Checkmate, TruthFinder
- Cyber Insights 2023 | Zero Trust and Identity and Access Management
- Cyber Insights 2023 | The Coming of Web3
- European Police Arrest 42 After Cracking Covert App
