Frequently asked questions (FAQ)

Question Answer
How does the public security test work? The public security test started on 28 May 2020 and aims to provide full transparency. Test results are reported via the NCSC website where there is a form for entering detailed information. The NCSC receives these reports, evaluates their contents, prioritises them according to their criticality and, if necessary, arranges remedies. Existing feedback is publicly available on the NCSC website and is updated daily.
Why conduct a public security test? The purpose of the public security test is to increase the security of the SwissCovid system, build and share knowledge and ensure transparency. On the one hand, reports of test results/observations can directly contribute to improving SwissCovid's security. On the other hand, independent experts can acquire expertise and knowledge in using a decentralised proximity tracing model.
Why is the NCSC conducting the public security test?

The Federal Office of Public Health FOPH commissioned the National Cybersecurity Centre NCSC to conduct the public security test for the proximity tracing system. The NCSC's mandate, led by the Federal Delegate for Cybersecurity, is to protect the public and businesses against cyber-risks and to increase the security of the Federal Administration's IT systems.

What is the aim of the public security test? The Swiss population should be guaranteed the maximum possible level of privacy protection when using the SwissCovid app. The entire proximity tracing system should therefore offer a high standard of security. This public test will allow the proximity tracing system to be tested in detail. The public security test is one of many security measures. 
What exactly can be tested? Where is the source code published?

 

The code repositories can be found via these links:

 

Who can take part in the public security test? Anyone, both in Switzerland and abroad, who wants to contribute to increasing the security of the proximity tracing system can take part in the public security test.
Is registration required in order to take part in the public security test? No registration is necessary. Test results can be reported directly via the NCSC website without registering. When reporting test results, contact data can be entered voluntarily. This enables the NCSC to contact participants in case of questions. 
What happens if a critical error is discovered? The NCSC receives the test results, evaluates their contents, prioritises them according to their criticality and, if necessary, arranges remedies. If a test result or its impact is assessed as critical, its remediation is prioritised accordingly. 
Are the test results published? Existing feedback is publicly available on the NCSC website and is updated daily.
Is the public security test being conducted due to the increased parliamentary interest? No. The public security test is one of many security measures to ensure the security and integrity of the proximity tracing system (SwissCovid app and associated peripheral systems) and was included early on in the project planning. This is in line with the standard procedure for such projects and systems. 
Do the participants in the public security test have to sign a non-disclosure agreement? No. There is also no need to register or log in. Please note the following important scope and rules of engagement for the test.
Is it not illegal to attack a system? As part of the present public security test for the proximity tracing system, it is permissible, within the scope and rules of engagement, to test the system rigorously and attack it. Please read the following important scope and rules of engagement before performing tests to avoid any uncertainties.
What is the difference between the public security test and the pilot operation of the SwissCovid app? During the pilot operation, the emphasis is on testing the user-friendliness and functionality of the SwissCovid app. The public security test, on the other hand, tests the associated peripheral systems of the SwissCovid app and the main focus is on security aspects.
Why are the two "test phases" not conducted together? The two phases are aimed at different groups of people. In the pilot phase, the (actual) functionality and usability of the SwissCovid app are tested by app users in an environment designated for this purpose. The public security test is about security: IT experts are therefore invited to subject the proximity tracing system to an in-depth security review. In the public security test, the focus is on security aspects.
Which system exactly is being tested? The "Rules of Engagement" define the framework conditions of the public security test and its boundaries. https://www.melani.admin.ch/melani/de/home/public-security-test/scope_and_rules.html
Can foreign testers also take part? Anyone, at both national and international level, who wants to contribute to increasing the security of the proximity tracing system can take part in the public security test.
How long will the test last? The security of the app is the priority, which is why only a start date has been set. To give security experts enough time to examine the systems, no end date has been defined yet.
Is it possible that the results will prevent the app from launching in June? Who decides this?

The NCSC receives the test results, evaluates their contents, prioritises them according to their criticality and, if necessary, arranges remedies. If a test result or its impact is assessed as critical, its remediation is prioritised accordingly. The situation must be reassessed for each vulnerability identified.

The decision as to whether the app can be made available to the public in June rests with the FOPH. In addition, the legal basis must be in place.

Last modification 05.06.2020

https://www.melani.admin.ch/content/melani/en/home/public-security-test/faq.html