Transparency matters: Inside Swiss Bankers' bug bounty strategy
As a digital bank without its own branch network, Swiss Bankers has made cybersecurity a top priority. Since the end of 2022, the company has been running a bug bounty program with GObugfree — initially a private program, public since 2025. The goal? Detect cyber risks early, meet compliance requirements, and foster transparency for customers. Mike Eggenschwiler, CISO at Swiss Bankers, explains why ethical hacking is a core part of their security strategy.
Mike, can you tell us a bit about Swiss Bankers?
Swiss Bankers Prepaid Services AG is an internationally oriented financial services provider based in Bern and Zurich. The company is a leading provider in the development, distribution, and processing of prepaid products and offers innovative solutions for secure, cashless payments worldwide. As the first provider in Switzerland, Swiss Bankers made it possible to send money globally to Mastercard cards. Swiss Bankers continues to expand its leading position in this market and is developing new digital payment solutions. The company was founded in 1975 and initially became known for its Travelers Cheques. Today, Swiss Bankers’ physical and digital reloadable card and money transfer solutions are widely used. Products are available directly from Swiss Bankers via swissbankers.ch, in the Swiss Bankers app, or through more than 200 distribution partners. All Swiss Bankers cards can be used digitally with Apple Pay, Google Pay, and Samsung Pay.
Why is cybersecurity such a central focus for you?
Cybersecurity is a fundamental part of our mission. Protecting sensitive customer data and ensuring the secure delivery of our digital services is central to how we operate. As a digital bank without our own branches, it is essential that we provide reliable, uninterrupted services.
We’re also subject to strict regulatory requirements, particularly from FINMA, the Swiss Financial Market Supervisory Authority. These rules set a high bar — and we meet them with a comprehensive security concept. Trust is the foundation of our business. That's why security is a top priority for us — technically, organizationally, and culturally.
What is your biggest cybersecurity challenge?
The threat landscape in cyberspace is constantly evolving. Phishing, ransomware, and increasingly sophisticated attack vectors have become part of everyday life. Cyber risks aren't going away — on the contrary, they’re growing more complex. Anyone operating online is permanently in the crosshairs of potential attacks.
For us, vigilance isn’t a choice, it’s second nature. We meet this reality with a holistic security approach that brings together technical safeguards, clearly defined processes, and a culture of awareness throughout the company. Because only those who see security as a continuous responsibility can build lasting trust.
«No single tool is enough to identify and eliminate vulnerabilities in a systematic way. That’s why we rely on penetration testing, vulnerability management, and bug bounty — as part of our defence-in-depth strategy.»
How did you first become interested in bug bounty?
Several members of our team came across the topic through personal networks and professional exchanges. That shows how present and relevant bug bounty has become within the security community. For us, it quickly became clear: bug bounty is a meaningful and practical addition to established methods like penetration testing and vulnerability management.
Vulnerabilities are, in my view, among the most significant risks in cybersecurity. No single tool is enough to systematically detect and address them. That’s why we rely on a multi-layered approach: classic vulnerability management, regular penetration tests, and a structured bug bounty program. This defence-in-depth strategy enables us to identify weaknesses from different perspectives.
How did you get started?
At the end of 2022, we launched a private bug bounty program with GObugfree, starting with a limited scope. The goal was to first establish the program internally, build trust, and gain initial experience in a controlled setting. This cautious approach proved successful — both technically and organizationally.
The next step was an Attack Surface Analysis (ASA). For us, it was the ideal intermediate stage: a realistic status assessment across a broader scope, without being overwhelmed by a flood of reports. The ASA gave us a clear picture of whether security gaps existed — and whether we were ready for the next step.
With those insights and a strengthened internal understanding of security, we were able to launch our public bug bounty program with a clearly defined scope. The structured rollout has paid off — both in terms of the quality of the findings and internal acceptance.
How has Swiss Bankers benefited?
The Attack Surface Analysis gave us an additional valuable overview of our external attack surface. There were no surprises — and that’s a good sign. It shows that the bug bounty program is already working and that potential vulnerabilities are being addressed early. That clearly shows that consistent security efforts deliver results. At the same time, it underscores one of our key values: transparency. Not just as an internal principle, but as part of the promise we make to our customers.
With the public bug bounty program, we’re showing that we don’t just take security seriously — we live it. Openly, transparently, and in dialogue with the community. Because real security doesn’t happen in secret — it’s built on trust and collaboration.
How did you integrate bug bounty into your organization?
Bug bounty isn't just a technical matter for us — it’s a regular topic in conversations with senior management. From the start, we addressed key questions: Why are we opening our systems to ethical hackers? What added value does it bring? And how do we ensure that sensitive information is handled responsibly?
This structured internal dialogue was essential to gaining support. With GObugfree, we had an experienced partner who supported us through both the launch and further development of the program.
In the beginning, the processes for handling findings were still unfamiliar — especially in a complex IT landscape. But over time, clear structures were put in place, responsibilities defined, and workflows established. Today, we’re confident: the system works — and it’s worth it.
What motivates you personally to work so intensively with bug bounty and ethical hacking?
My background is in computer science — but over time, I’ve become more and more involved in cybersecurity. What fascinates me is the combination of technology, transparency, and trust. Cybersecurity is no longer just a technical discipline — it thrives on dialogue and mutual understanding.
I know the community well. Many ethical hackers are highly motivated — they want to challenge themselves and contribute to something meaningful. That mindset deserves recognition. I see it as part of my role to convey this perspective internally and show the value of an open, cooperative approach to security.
What has it been like working with GObugfree?
We’ve found the collaboration with GObugfree to be very collegial, straightforward, and on equal footing. Whether by email, phone, or in person at an event — the team is always available, supportive, and engaged. We especially appreciate their active role in liaising with ethical hackers and their continued guidance throughout the process.
This kind of partnership makes it easier to make real progress together.
What role does the bug bounty program play in your compliance efforts?
As a financial institution, we’re subject to a wide range of regulatory requirements — including regular penetration testing under FINMA’s guidelines.
Running a continuous bug bounty program sends a strong signal: we don’t rely solely on periodic testing — we subject our systems to ongoing scrutiny. That not only improves our security, but also strengthens our standing with external auditors. It shows that we take a proactive approach to cybersecurity — and see it as a continuous process, not just a compliance checkbox.
What would you say to other companies considering a bug bounty program?
Introducing a bug bounty program is a deliberate decision. You have to want it — and be prepared to address the vulnerabilities it uncovers. For many organizations, a private, invite-only program is a sensible first step. It creates a controlled environment and helps ease concerns — especially among stakeholders who may still be wary of ethical hackers.
A small, clearly defined scope means fewer eyes — but also fewer unknowns. That was a good middle ground for us. The collaboration with GObugfree was respectful, the findings were clear and actionable — and our trust in the process grew. Today we can say with confidence: it works. And it’s a good path forward.
Another important consideration is the internal processes: who takes ownership of a finding? How is communication handled? How are learnings documented and followed up? When those questions are resolved, bug bounty can reach its full potential — especially in combination with classic penetration testing, attack surface analysis, and established vulnerability management.
What's next?
Our bug bounty program has developed significantly in recent months. We now cover nearly our entire IP range and all relevant domains — with only a few clearly defined exceptions. That puts us close to full rollout.
A topic currently on our agenda is the inclusion of external development partners. Some systems are now developed together with third parties — and it’s essential to include those components in our security perspective. Expanding the program in this direction would be the next logical step.
Is your organization ready for more transparency and security?
With a structured bug bounty program, you don’t hide vulnerabilities — you fix them: openly, collaboratively, and in full compliance. Let’s find out together whether a bug bounty or an attack surface analysis is the right fit for your security strategy.