Public Intrusion Test (PIT)
In a nutshell…
- Swiss Post allow you to legally attack their dedicated PIT e-voting system;
- They have committed to compensate you for accepted findings;
- You are allowed to publish your findings;
- You need to respect the conditions defined in the code of conduct.
The Swiss Cantons have offered online voting to members of their electorate since 2004. Meanwhile, more than 200
binding trials at Federal votes and elections have taken place in 15 cantons. In order to expand online voting to a
broader public, the Federal regulation obliges the Cantons to meet an additional set of requirements. These include
the system feature of full verifiability, performing numerous audits and publishing the software components’ source
code. Additionally, the Swiss Confederation and the Cantons have decided that the systems need to be publicly tested
within the setting of a public intrusion test (PIT).
The online voting system currently subject to the PIT is provided by Swiss Post. It has already been pen-tested and
certified under the legal framework of the Swiss Confederation. By performing the PIT, the Confederation and the
Cantons are hoping to get a valuable outside view on the system by a large number of competent people. For more
background information, refer to the resources section below.
This public intrusion test is operated and managed by a third-party and independent company: SCRT. They are not involved in the development, deployment or promotion of the target e-voting system and act under the mandate of the Swiss Confederation and the Cantons.
This website serves as the portal to the public intrusion test. It allows participants to register for the PIT and,
while it is running, submit their findings for review and rating.
This PIT is open to anyone who is interested. Please register in order to participate and get access to the voting cards required to submit votes.
The Public Intrusion Test will be running for a period of four weeks, which corresponds to the duration of a Swiss federal vote.
Feb. 25th – Mar. 24th 2019
In more details, voting is possible from Feb. 25th, 12:00 until Mar. 23rd, 12:00 (GMT+1). Findings can be submitted until Mar. 25th, 23:59 (GMT+1).
The PIT is performed against a dedicated instance of Swiss Post’s certified e-voting system deployed as it would be for a productive vote.
The scope of the PIT includes the public-facing service as well as corresponding e-voting backend of this dedicated instance:
- pit.evoting-test.ch (Voter Access used by voters)
- pit-admin.evoting-test.ch (Admin Access used by Secure Data Manager SDM)
Any other services and infrastructures of Swiss Post and any services and infrastructures of its customers,
suppliers and of any other public or private entities are out of scope. For details about the scope,
please refer to the Terms, Conditions and Code of Conduct document.
Note that the registration and submission platform (*.onlinevote-pit.ch) is not part of the e-voting system and is only there for the test. It is
thus strictly out of scope.
Vulnerability submission and compensation
Any discovered vulnerability that falls into the range of acceptable submissions (see below), must be submitted for review. The submission must be sufficiently detailed and include at least the following information:
- Category (see table below)
- Detailed description of the vulnerability
- Evidence of successful exploitation
- Full reproduction guide with all needed PoC code/elements
Swiss Post have committed to compensate participants if they reveal a relevant vulnerability. An amount of CHF 150’000.- is available for compensations.
The vulnerability categories that trigger a compensation (expressed in Swiss Francs CHF) are detailed in the table below:
|Undetectable vote manipulation||Manipulation of individual votes that is undetectable by voters and trusted auditors;||Between 30’000.- and 50’000.-|
|Scalable manipulation of votes that is undetectable by voters and trusted auditors;|
|Vote manipulation||Manipulation of individual votes while maintaining universal verifiability mechanism (manipulation
detectable by a trusted auditor) – e.g. the vote is modified after being cast;
|Vote privacy (server-side)||The privacy of a voter is broken (who voted) on the server;||10’000.-|
|The privacy of a vote is broken (what did he or she vote) on the server;|
|Vote corruption||A vote is stored in the ballot box and that vote cannot be decrypted;||5’000.-|
|A vote is stored in the ballot box in a way that gives the voter an unfair advantage;|
|Destruction of the electronic ballot box;|
|Intrusion||Intrusion into one of the servers (shell access);||1’000.-|
|Ability to execute arbitrary code on one or multiple servers;|
|Ability to execute arbitrary code on one or multiple control components;|
|Best Practices||The configuration of a server or a service does not follow best practices of the security industry;||100.-|
Other types of “issues” that may be perceived as vulnerabilities by themselves but are accounted for (and
detected) by the security layers of the e-voting system as well as known and accepted characteristics of the system
will however not be accepted. Such “issues” include:
- Any operation compromising the vote privacy on the client-side (e.g. browser extension);
- Any vulnerability based on the assumption that the voter will not behave according to the instructions (e.g.
assuming that the voter will not verify the confirmation codes);
- Any operation modifying the vote – on the client-side – but without successfully tampering with the
confirmation codes (e.g. the attack turns a voter’s “YES” into a “NO” but the verification code displayed to the
voter also corresponds to a “NO”).
For further details regarding the scope of the test, issue handling and the publication of findings, refer to the Terms, Conditions and Code of Conduct document by Swiss Post.
Due to the federal regulation requirements, Swiss Post have published the source code of the e-voting system.
This publication is carried out under the Source Code Access Program that is fully distinct from the PIT and subject to
its own Terms and Conditions.
PIT participants can access the source code and use it as an auxiliary tool to analyze the security of the
target e-voting system and discover potential vulnerabilities.
However, any vulnerability that may be found in the source code itself must be reported through
the Source Code Access Program and will not be accepted in the PIT unless it can actually
be exploited against the target system.
Swiss Post have committed to relax certain technical precautions in order to facilitate attacks making the test more meaningful.