Abacus: How bug bounty enables continuous security

Abacus has been developing business software in Switzerland for over 40 years. With more than 250 developers and continuous releases, security is a core priority. In this interview, Stefan Schwizer, Information Security Management Lead, explains why bug bounty is more than just another test for Abacus — and how it proves its value in practice.


Stefan, can you briefly tell us what Abacus does?

Abacus is a Swiss, owner-managed software company based in Eastern Switzerland. For over 40 years, we’ve been developing ERP software across finance, HR, administration, sales, and supply chain. Today, we are the largest independent provider of business software in Switzerland.

Why is cybersecurity particularly important for you?

With 250 developers, we produce new code every day. Ensuring that this results in secure, reliable software is a key challenge. Recent supply chain attacks in the NPM ecosystem are a good example of why this requires constant attention.

Abacus uses multiple layers of testing, including unit, integration, and UI tests, as well as proprietary end-to-end tests (“movies”) that also cover customer-specific functionality. These are complemented by manual quality assurance, static code analysis, and peer reviews to identify risks early and strengthen security by design.

The biggest challenge remains consistently embedding security by default and security by design across all features.

Our bug bounty program helps us cover areas that are difficult to address through our existing processes and traditional pentests.
Stefan Schwizer, Information Security Management Lead, Abacus

How did you first come across bug bounty?

We had bug bounty on our radar early on as a potential complement to pentesting. Initially, we decided against it due to uncertainty around working with the community and handling findings.

After a sales partner shared positive experiences with GObugfree, we revisited the topic and decided to move forward.

What were your expectations before getting started?

Two things were key for us: fast onboarding and clear, transparent communication around findings. It was important for us to define exactly what we expected and how the collaboration should work. These expectations were fully met and confirmed in practice.

What was the biggest challenge during implementation?

Defining the scope. Our software portfolio is extensive, so we had to approach it step by step. Overall, implementation was smooth. From the beginning, what mattered most to us was access to experienced security researchers and their findings.

What concrete benefits does working with ethical hackers bring?

The bug bounty program adds an additional layer of protection by continuously testing new versions and uncovering findings that are not covered by traditional pentests or internal processes.

A key advantage is that vulnerabilities are identified before they affect customers.

Findings are taken up by developers and incorporated into future testing scenarios. Since vulnerabilities can never be fully avoided, the program provides valuable ongoing support.

We’re happy to pay bounties. Every vulnerability we find reduces risk for our customers.
Stefan Schwizer, Information Security Management Lead, Abacus

What does this mean for your customers and partners?

There’s still a divide. Many customers are highly security-aware and value the additional effort we invest. Others are primarily focused on functionality.

The driving force behind the bug bounty program came from within. It wasn’t driven by regulatory pressure or customer demand, but by our own goal of strengthening our security processes.

How is bug bounty integrated into your overall security strategy?

Since our vulnerability management processes are well established, integrating bug bounty findings was seamless. We treat them the same way as findings discovered internally or through external pentests.

What are your next steps?

We’re currently very satisfied with the program. In the future, we may expand the scope, for example to include mobile applications.

The perspective of security researchers is an important building block in resolving a vulnerability and offers a refreshing second opinion in a time of AI-generated findings.
Stefan Schwizer, Information Security Management Lead, Abacus

What advice would you give to other companies considering bug bounty?

Companies should first define what they want to achieve and which areas and level of continuity they want to cover.

Bug bounty and pentesting have different strengths. While pentests provide deep, point-in-time analysis within a defined scope, bug bounty enables continuous testing across a much broader attack surface.

For us, it’s clear: neither replaces the other. The best approach is a combination, tailored to risk appetite, scope, and available resources.

It’s also important to plan for bounty payouts from the beginning. For us, this is not a drawback, but part of the solution. Every vulnerability identified is an issue that could otherwise become much more costly.

The perspective of bug bounty hunters is a key element in resolving vulnerabilities, offering a valuable second opinion — especially in a time of AI-generated findings.

Could a bug bounty program be a good fit for your systems?

Learn how continuous security testing with bug bounties works and which additional areas you can cover with it.

Find out more about bug bounty programs