The projects published in Github based on VOTING E-Collecting are made available as part of a public Bug Bounty program.

This project uses the Code of Conduct to define expected conduct in our community.

Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting a project maintainer at psirt-voting@abraxas.ch

The Bug Bounty Program is part of the Program as defined in the Code of Conduct available on GitHub. This Bug Bounty Policy (also called Security Policy) complements the Code of Conduct with Bug Bounty specific rules and regulations. The System subject to the Program including this Bug Bounty Program has the Abraxas product name VOTING E-Collecting. The product VOTING E-Collecting and its infrastructure include for example:

• VOTING E-Collecting - Citizen Portal - Service (Backend)
• VOTING E-Collecting - Citizen Portal - WebApp (Frontend)
• VOTING E-Collecting - Government Portal - Service (Backend)
• VOTING E-Collecting - Government Portal - WebApp (Frontend)
• IAM System VOTING IAM of the Government Portal
• IAM System E-Login of the Citizen Portal

We will from time to time as considered necessary issue an updated version of this Bug Bounty Policy.

The rules and regulations established in the Code of Conduct and this Bug Bounty Policy are binding for this Bug Bounty Program.

Abraxas values a constructive and fair collaboration with the participants of the Program. Abraxas will not take legal actions against participants in this Bug Bounty Program, as long as participants act in good faith and in accordance with the license agreement, this Bug Bounty Policy, the provisions of the Code of Conduct and the applicable laws. Under these conditions:

• We interpret activities by participants within this Program as authorized access under the Swiss Penal Code. This includes Swiss Penal Code paragraphs 143, 143bis and 144bis.
• We will not file a complaint against participants within this Program for trying to circumvent the security measures deployed in order to protect the services in-scope for this Program.
• If legal action is initiated by a third party against a participant within this Program, we will take reasonable measures supporting the participant to defend the claim of the third party.

Any non-compliance with the license agreement, Code of Conduct, this Bug Bounty Policy, and the applicable laws may result in exclusion from the Program and legal prosecution. For minor breaches, a warning may be issued. For severe breaches, Abraxas reserves all rights provided by applicable laws.

All activities leading to the discovery of a vulnerability:

• are within the scope permitted by law (see section Legal Safe Harbor);
• are within the Program;
• may result in a bounty to be paid to you. The amount of compensation is based on the criticality of the vulnerability and the quality of the documentation submitted to Abraxas;
• shall not destroy, interrupt or lower the services and products used by Abraxas (and its customers and partners);
• shall respect the intellectual property rights and other rights of Abraxas, its customers and third-parties;
• shall not result in third-party data to be spied on or disclosed.

• This is a public Program – everyone can participate.
• We reserve the right to terminate the Program at any moment and not accept nor award any new vulnerability reports. This termination will be announced by Abraxas suitable means.
• You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools and limit yourself about requests per second).
• You must not leak, manipulate, or destroy any user data.
• Only test with user accounts that are under your control.
• You must not be a former or current employee of Abraxas, Bug Bounty Switzerland, one of its contractors or project participants within the last six months.
• Strictly follow a “report first” approach (in contrast to “exploit first”). All activities that are not absolutely necessary to identify a vulnerability should be omitted and permission asked to further exploit.
• Any vulnerability must be reported exclusively through the channel specified in the Submission Guidelines (CoC).

Vulnerability disclosure is possible from the start of the public phase of the Program, respecting the “Responsible Vulnerability Disclosure” section in the Code of Conduct. Abraxas will communicate transparently about results and will credit researchers publicly, if agreed.

Please ensure to report only findings with a real impact on security of the product VOTING E-Collecting and report clear proof of concepts that demonstrate the scenario.

Please make sure to complete your report in accordance with the guidelines set forth in the Submission Guidelines (CoC).

Should you identify an interesting but out-of-scope target you can attribute to VOTING E-Collecting, please report it and ask for permission to test it.

The source code included in the public Bug Bounty Program can be used for identification of exploitable/demonstrable vulnerabilities.

*Info: The term Admin is often used as a technical term for the Government Portal.

• The self-registration website to create test users is not a productive component of the system. It is only a helping system for you in order that you can log in the application. This component is out of scope.

• The AGOV mock (https://bbt-auth.sg.ch/agov-mock/*) to create and simulate test users is not a productive component of the system. It is only a helping system for you in order that you can log in the application. This component is out of scope.

The login procedures for the systems (Citizen Portal and Government Portal) differ, as different identity providers are used. The self-registration processes are described in the engagement description on the Bug Bounty Platform using additional test data. To access the description, register yourself on the Bug Bounty Platform and follow the instructions described there.

Afterwards, the following users and roles will be made available to you:

Please consult the additional documents in this repository for further information on roles and authorizations.

Everything with a real impact on security of VOTING E-Collecting – e.g.:

• Remote code execution (RCE)
• Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
• Code injections (HTML, JS, SQL, PHP, ...)
• Cross-Site Scripting (XSS)
• Cross-Site Requests Forgery (CSRF) with real security impact
• Session Management
• Open Redirects
• Identitification and authentication failures
• Insecure direct object references (IDOR)
• CORS with real security impact
• Broken access control: Horizontal and vertical privilege escalation
• Source code findings with a measurable and provable impact on the system and its users

• All attacks which can be considered denial of service, resource starvation or brute force attacks
• Social engineering
• Physical attacks on people, buildings and devices
• Issues that require physical access to a victim’s computer/device
• User experience (UX) issues (e.g., incorrectly displayed text, layout or display problems, faulty views) with no direct impact on security.
• For source code findings: Code smell or missing best practices
• For system or infrastructure: Missing best practices or other guidelines which do not indicate a security issue.
• Testing for weak credentials of prepared test users in the system
• Known issues listed on Exclusions
• "Self" XSS
• SameSite cookie properties without demonstrated impact
• Missing cookie flags on non-sensitive cookies
• Missing "HTTP Host Header" XSS
• Clickjacking/UI redressing without a demonstrated security impact (i.e. state changing actions)
• Stack traces or path disclosure unless they leak sensitive information
• Server and Software version disclosure
• Presence of autocomplete attribute on web forms
• Lack of HTTP Strict Transport Security Header
• Missing security-related HTTP headers which do not lead directly to a vulnerability
• SSL/TLS best practices
• Mixed content warnings
• Logout and other instances of low-severity Cross-Site Request Forgery
• Vulnerabilities related to E-Mail server configuration
• Vulnerabilities affecting outdated browsers or platforms
• Reports from automated web vulnerability scanners that have not been validated by hand
• 0-day vulnerabilities in third-party components not maintained or controlled by Abraxas, including those for which a patch has only recently become available
• Any hypothetical flaw or best practices without exploitable POC
• Bypassing rate-limits or the non-existence of rate-limits
• Username / email enumeration

The Abraxas Bug Bounty Grid defines in which framework and methodology bounties can be defined. It is based on the CVSS Scoring Model. Please note that in a normal, productive setting VOTING IAM and Government Portal is not exposed to the Internet. For the Public Bug Bounty, the following static grid is used.

Additionally, there are specific scenarios for which Abraxas is prepared to offer special bounties. These bounties apply to all scopes and will be paid instead of the above CVSS based bounties (and not additional to them), if applicable.

Rewards are distributed at the discretion of Abraxas.

• You must be the first reporter of a vulnerability to be eligible for a bounty.
• The vulnerability must be a qualifying vulnerability or enter in one of the categories of the specific scenarios to be eligible for a bounty.
• In case of exploits on different endpoints, parameters or components caused by the same underlying weakness, we reserve the right to honor only the first report and reject the subsequent ones as 'Duplicate' or 'Informative' depending on the case.
• Claims related to the reporting of a vulnerability before, after or without actually reporting a vulnerability are not considered by Abraxas.