Switzerland’s national mail carrier asks more security researchers to test its networks

Swiss Post launches public bug bounty program with YesWeHack

UPDATED Swiss Post has partnered with YesWeHack to launch a new public bug bounty program, the national postal service has announced.

In a statement released last night (April 15), the Swiss mail carrier said it was offering security researchers up to €10,000 ($12,000) for discovering vulnerabilities across a range of web services.

It comes after a private bug bounty program, launched in May 2020, helped identify 500 security flaws, with payouts totaling more than $270,000.

A press release reads: “The postal company was one of the first Swiss companies to start a private bug bounty program in 2020 to great success.

“It is now opening the program up to the entire YesWeHack cybersecurity community.”


Swiss Post announced it would be opening its networks to the wider hacking community

Scope

The program, managed by European platform YesWeHack, offers the maximum payment for vulnerabilities that are dubbed ‘critical’, and has 11 resources in scope.

Targets include the Swiss Post customer login portal, the online shop, recipient services, and the iOS and Android mobile apps.

Qualifying vulnerabilities include remote code execution, cross-site scripting, HTML and SQL injection, and local file access and manipulation.

More details on what qualifies for a payout are available on the Swiss Post bug bounty page.

‘The plan from the beginning’

Swiss Post has been the subject of headlines in the past due to both its controversial e-voting bug bounty program and its decision to release its safe harbor clause wording under a Creative Commons license – a move that received widespread praise from across the cybersecurity industry.

Christian Folini, co-lead of the ModSecurity OWASP Core Rule Set project and security consultant who worked with Swiss Post on setting up the bug bounty, told The Daily Swig that making the program public “was the plan from the beginning”.

Guillaume Vassault-Houlière, CEO and co-founder of YesWeHack, said: “Bug bounty applies the principle of crowdsourcing to cybersecurity. Through the YesWeHack platform, companies gain access to several thousand ethical hackers who offer a versatile range of skills to cover the full spectrum of testing functions.

“In addition, public bug bounty programs provide transparency and trust to customers. They demonstrate a company’s commitment to its information security and the protection of its users’ data.

“We are very pleased that Swiss Post, as one of the largest Swiss companies, counts on YesWeHack to help them make their digital products even more secure.”

A spokesperson for Swiss Post told The Daily Swig: “Swiss Post’s IT security experts are constantly working on new ways to improve the security of the company’s IT infrastructure.

“Bug bounty programs are an effective way to efficiently identify and fix security issues that traditional security testing might miss.”

When asked why it chose to partner with YesWeHack, the spokesperson said: “They have broad expertise and experience in working with/mobilizing ethical hackers.

“However, Swiss Post is in the lead when it comes to the programme itself, reviewing findings and ensuring that confirmed findings are corrected as quickly as possible and the vulnerabilities are closed.”


This article has been updated to include comment from Swiss Post.