The SNSF’s strategy to protect sensitive data with bug bounties
The Swiss National Science Foundation (SNSF) not only funds thousands of research projects across all scientific disciplines but also leads the way in securing sensitive data. Chief Information Security Officer Anton Brunner explains how the SNSF’s bug bounty program enhances the cybersecurity of its portals and makes a crucial contribution to data security.
Anton, can you tell us a bit about the Swiss National Science Foundation? What does your organization do?
The Swiss National Science Foundation is a private-law foundation funded by federal money. Our main task is to support the best research projects and researchers in Switzerland. Researchers submit their applications to us, which are then reviewed by external experts. Special committees within the SNSF decide who gets how much funding. All of this is managed through a digital portal that we are constantly developing.
You recently modernized your core system. What has that meant for IT security?
We replaced our old legacy system with a modern solution. The biggest security challenge is managing access to our system, which many external users need to access. We cannot overly restrict access since users outside Switzerland also need it. It's crucial that researchers cannot see each other's current applications or know how the committees voted on them. Although our data does not fall under the category of 'particularly sensitive personal data' as per the data protection law, it still requires high protection. That's why we have prioritized security from the start and have been conducting regular pentests for three years.
What motivated you to start a bug bounty program (BBP)?
Traditional penetration tests were associated with long lead times and high budgets. With our shift to a more agile development model—now releasing updates weekly—it became clear that the old methods were no longer sufficient. We started the bug bounty program as a pilot project to see if it would bring us advantages, and it was very successful. It allowed us to identify many security gaps that we otherwise would have missed. In the agile development cycle, the bug bounty program offers the decisive advantage of being quickly implemented and continuously providing cost-effective security reviews.
Can you name some specific benefits of the bug bounty program?
Our private bug bounty program, involving about 30 selected ethical hackers, has provided insights that we wouldn’t have obtained through conventional tests. The diverse perspectives of these ethical hackers give us much broader coverage. Interestingly, the log file analyses, even when not revealing direct vulnerabilities, have helped us better understand attack patterns and improve our alert and log monitoring systems.
Another practical benefit of our bug bounty program was demonstrated at GOhack23, where we participated in the live bug bounty challenge as a program partner. We discovered two very interesting findings that would likely have gone unnoticed without this approach. These insights from the user perspective were not only enlightening but also confirmed the effectiveness of our approach. It was a cool event that once again highlighted the relevance and value of live testing.
Organizations often worry that setting up a bug bounty program requires new processes, meaning additional resources. Have you encountered similar challenges?
I understand why this is a common concern, but our experience has been very positive. We were able to seamlessly integrate the bug bounty program into our existing security processes. The security architect and I have direct access to the GObugfree platform, and all reports were handled internally just like other security incidents. Critical cases are immediately and effectively managed through our established emergency process, allowing us to respond swiftly to security gaps without overhauling our existing processes.
What further plans do you have regarding cybersecurity?
We are constantly exploring new approaches. A current project involves using AI-based patterns for threat detection, for which we are currently conducting a proof of value on our Azure tenant. By the end of 2025, we aim to further advance our development in this area.
What advice would you give to other organizations thinking of starting a bug bounty program?
Regarding bug bounty, I say: Take the plunge and try it for three months. You only discover the hidden vulnerabilities if you dare to take the risk. The pilot might feel like a bold move at first, but the results speak for themselves.
Are you interested in a bug bounty pilot program? Find out how you can sustainably strengthen and optimize your IT security with the help of our experienced community of security experts.