Well: Because health data requires the highest level of protection
Well is a Swiss health-tech startup that connects all stakeholders in the healthcare sector on a shared digital platform. Stefan Dauwalder, Head of Software Barcelona / Information Security Officer (ISO) at Well, explains why security is essential when working with health data and how the company, together with GObugfree, found a structured way to get started with external security testing using Scanning, Bugtest and Bug Bounty.

Stefan, tell us briefly: what is Well?
We are a startup in the Swiss healthcare sector, founded five years ago. Our main investors are Visana and CSS. Our mission is to make healthcare in Switzerland simpler and more cost-effective through digitalisation.
We offer a platform that makes life easier for everyone involved: patients, doctors and insurers. Through Well, health data and documents can be exchanged, services can be used, and information can be provided to help people make better decisions about their health and wellbeing. We also connect users with existing medical platforms and partners such as OneDoc and other providers.
Why is cybersecurity especially relevant for you?
We work with health data. This is highly sensitive data that requires strong protection. Security therefore has to be considered in every process and every platform access. All data is hosted in Switzerland, we are subject to Swiss data protection law, and our team in Barcelona has no access to Swiss customer data.
For us, security is not just a technical topic. It extends from regulatory requirements all the way into day-to-day operations.
What exactly did you do with GObugfree?
We started with GObugfree in several steps. First, we carried out an Attack Surface Analysis, an automated scan of our publicly accessible systems. This was followed by a two-day Bugtest. Afterwards, we launched a three-month Bug Bounty program, which we later extended. We liked this combination because it brought together different testing approaches and fitted well into our existing security strategy.
How did you come across GObugfree?
In the past, we carried out classic pentests: two-week engagements with a clearly defined scope. At some point, we wanted to try something new and started an evaluation.
It was important for us to consider Swiss providers only. That has to do with our data, our customers and our market. As a health-tech company in Switzerland, it is easier for us to explain to partners, customers or auditors why we work with a Swiss security provider.
GObugfree was the best fit for our requirements in this evaluation, partly because the package of Scanning, Bugtest and Bug Bounty could be integrated very flexibly into our contract processes.
The human component impressed me the most. We were guided through every step, and all our questions were answered clearly and patiently. Especially because Bug Bounty was new to us, this close support was very valuable.
What was your experience getting started with bug bounty?
Initially, some colleagues from the IT team were concerned that the Bug Bounty program would create a lot of internal work. That quickly turned out not to be the case. GObugfree guided us through every step, from scoping to the Bugtest and then to the Bug Bounty program.
Of course, it requires a certain openness. You have to be willing to accept findings from outside and learn from them. That is also an engineering topic. But the process was very well supported. Especially because Bug Bounty was new to us, the close guidance from GObugfree was very valuable.
The scoping was particularly interesting for us. It is different from a classic pentest. You have to define what is interesting and meaningful for ethical hackers to test. GObugfree supported us very well in this process. The whole process was seamless, simple and very clearly explained.
What insights did you gain?
Overall, the testing confirmed that we are on the right track. During the tests, a few minor bugs and smaller issues were found, which we were able to fix quickly. That was valuable for us because it confirmed our own assessment while also giving us concrete opportunities for improvement.
We keep our systems up to date and are generally very current when it comes to security topics. So there were no major surprises. But that is exactly the point: regularly checking whether your own assumptions still hold true.
Security testing is an integral part of our security strategy.
We achieved a lot in a short time. The approach was efficient, thorough and involved little internal effort.
Where did GObugfree deliver the greatest value for you?
The scan and the Bugtest were carried out very thoroughly in a short period of time. You could tell that there was a solid analysis behind it.
The triage by GObugfree was particularly valuable: they assessed for us whether a finding was truly security-relevant, what impact it had and how it should be classified. That significantly reduced our internal effort.
The platform was also very practical for us. The findings were clearly documented, we always had a good overview and we could export the reports easily. That made internal follow-up much easier.
What are your next steps in cybersecurity?
For us, security is not a one-off project, but a continuous process. We regularly evaluate which combination of pentests, Scanning and other formats makes the most sense for us, and we appreciate bringing in different perspectives.
This also applies to AI. We look at this on two levels: in our app, we offer a smart assistant, where access to user data is handled very restrictively. This was also tested as part of our work with GObugfree. Internally, we use AI in development, but with clear security rules and code reviews. Topics such as prompt injection are not some distant future concern for us. We are already dealing with them today.
Would you recommend GObugfree to other companies?
Absolutely. For us, it was very time-efficient and effective. We achieved a lot in a short time compared to other approaches that would have involved significantly more effort. The Swiss connection was also important to us. As a Swiss health-tech company working with sensitive health data, it is an advantage to work with a Swiss provider.