
Bugbounty

Swisscom Vulnerability Disclosure Policy & Bug Bounty Programme


Swisscom Bug Bounty Programme

1 Introduction

We, Swisscom Ltd and our affiliated companies (hereinafter "Swisscom") aim to design and operate our products and services according to the highest security standards to keep our customers safe. To this end, we are continually improving our security on multiple levels. We are aware that, despite all efforts, absolute security is impossible, and we cannot completely rule out the existence of security bugs. The purpose of the Swisscom Vulnerability Disclosure Policy and Bug Bounty Programme is to support the reporting of potential vulnerabilities in our systems by external parties.

Customers, users, researchers, partners and any other parties who interact with Swisscom's products and services are encouraged to report identified vulnerabilities to our security team under observance of our Responsible Disclosure Policy.

Moreover, we invite both private individuals and legal entities to participate in our Bug Bounty Programme (hereinafter the "Programme") in accordance with the Programme Rules. Bounties may be awarded for reporting qualifying and in-scope vulnerabilities.

Swisscom acknowledges the value of contributions from the security researcher community and highly appreciates the efforts made by the reporting party. We thank you in advance for your contribution!

TL;DR Swisscom Bug Bounty

  • Public programme
  • Scope includes all enterprise assets
  • Rewards from CHF 100 to CHF 10'000
  • Safe Harbor Policy
  • In-house triage by Swisscom team

ℹ️ Please take note of the registration requirements and payment modalities before notifying us of a vulnerability. Especially regarding the following points:

  • You will be required to provide a copy of an international identity document (e.g. passport or ID card) that is currently valid and includes a machine-readable zone for unambiguous matching.
  • Rewards are paid out in Swiss francs (CHF) by bank transfer only. Any other payment channels are excluded.

2 Contact Information

To take part in our Bug Bounty Programme, please register and submit your report directly on our portal. See 5.4.1 Registration.

To report a security vulnerability to Swisscom without participation in the Bug Bounty Programme or for any other enquiries, please contact us by e-mail.

<table>
  <tr>
    <td>E-mail</td>
    <td><a href="mailto:bug.bounty@swisscom.com">bug.bounty@swisscom.com</a></td>
  </tr>
  <tr>
    <td>PGP key ID</td>
    <td>D7C7CE45C6817513</td>
  </tr>
  <tr>
    <td>PGP fingerprint</td>
    <td>9423 3225 7E5F 5A65 425F 8807 D7C7 CE45 C681 7513</td>
  </tr>
  <tr>
    <td>PGP public key</td>
    <td><a href="https://github.com/swisscom/bugbounty/blob/main/assets/pgp/bug-bounty_19052024-19052026.asc">Public key</a></td>
  </tr>
  <tr>
    <td>Portal link</td>
    <td><a href="https://portal.bugbounty.swisscom.ch/">Bug Bounty Portal</a></td>
  </tr>
  <tr>
    <td>Postal address</td>
    <td>Swisscom (Switzerland) Ltd<br>GSE-SEL<br>Bug Bounty Programme<br>Förrlibuckstrasse 60/62<br>CH-8005 Zürich<br>Switzerland</td>
  </tr>
</table>

3 Responsible Disclosure Policy

To protect our customers, Swisscom does not publicly disclose or confirm security vulnerabilities until Swisscom has conducted an analysis of the reported vulnerability and issued fixes and/or mitigations in its Products or Services.

By submitting a vulnerability report (hereinafter "Report") to Swisscom, you agree to not publicly disclose or share the reported vulnerability with any third party until Swisscom confirms that the vulnerability has been remediated. Swisscom will make every effort to remedy reported vulnerabilities within 90 days after notification of your Report to Swisscom. Swisscom must be informed in advance about your intended publications and their content. The publication must NOT include any customer, confidential or sensitive data, and must focus on the technical vulnerability discovered.

In the event of publication, Swisscom and you shall mutually agree on a coordinated disclosure.

If you submit a Report which affects a third-party service, we will limit the information that we share with any affected third party. We may share non-identifying content from your report with an affected third party. We will not share your identifying information with any affected third party without first obtaining your written permission.

4 Safe Harbour Policy

The Swiss Penal Code qualifies any type of hacking as a major crime. This Safe Harbour Policy ensures that Swisscom will not seek criminal sanctions against you if you comply with the Programme Rules. If you violate these Rules, you may not only be prohibited from participating in the Programme in the future, but Swisscom also reserves the right to file criminal charges or take civil action against you.

Please understand that Swisscom cannot and does not authorise security research that involves any customer assets (networks, systems, applications, products or services) managed by Swisscom in an outsourcing setting. If your security research involves assets that include data of a third party, such third party may take civil actions or file criminal charges against you. Swisscom cannot in any way offer to defend, indemnify or otherwise protect you from third-party claims or criminal charges against you.

If you comply with the Programme Rules, Swisscom will honour its Safe Harbour Policy, as defined below:

  • Swisscom interprets activities that comply with these Programme Rules as authorised access to our systems and will refrain from filing a complaint under Articles 143, 143<sup>bis</sup> and 144<sup>bis</sup> of the Swiss Criminal Code.
  • If a criminal charge or legal action is initiated against you and you have complied fully with the Programme Rules, Swisscom will make every effort to inform the authorities that your actions were conducted in compliance with Swisscom’s Bug Bounty Programme.

For more information regarding legal aspects of ethical hacking in Switzerland, refer to the FDPIC Factsheet for ethical hackers.

5 Bug Bounty Programme

Swisscom was the first company in Switzerland to introduce a Bug Bounty Programme (hereinafter "Programme"), which has been up and running since 2015. The Programme continues to be distinguished for its openness today:

  • Open participation for the global community of security researchers
  • Open scope including all enterprise assets
  • Open-ended, unlimited duration

The Programme is self-managed, covers a wide range of technologies, and vulnerability reports are triaged in-house by Swisscom employees.

Participants are permitted to perform tests and investigations within the systems provided they act in good faith and respect the scope and rules described below.

5.1 Eligibility

You are eligible to participate in the Programme if you meet all of the following criteria:

  • You are of legal age and have the legal capacity to give your consent to the terms of these Programme Rules.
  • If you are acting in the name of and on behalf of your employer, you must clearly state this during the Registration Process and confirm that you are authorised to give your consent to the terms of these Programme Rules in the name of and on behalf of your employer. You are responsible for reviewing your employer's rules for participating in this Programme. Swisscom disclaims any and all liability or responsibility for disputes arising between you and your employer related to this matter.
  • Public sector employee: if you are a public sector employee, please contact our Bug Bounty team using the details above prior to any testing activities.

You are not eligible to participate in the Programme if you meet any of the following criteria:

  • You do not fulfil all the above criteria
  • You are a resident or a national of any country subject to international or Swiss sanctions
  • You are a resident or a national of any country that does not allow participation in this type of Programme
  • You are currently an employee of Swisscom, or an immediate family or household member of such an employee
  • Within the six months prior to providing us your Submission, you were an employee of Swisscom
  • You currently (or within six months prior to providing us your Submission) perform services for Swisscom or a Swisscom subsidiary in an external staff capacity that requires access to the Swisscom Network, such as agency temporary worker, vendor employee, contractor

Swisscom reserves the right to exclude any participant from the Programme at Swisscom's sole discretion and at any moment, particularly if it is observed that submissions are not generating the expected value and, at the same time, create an excessive workload for the triage team.

5.2 Programme Scope

In principle, any Swisscom-owned assets are intended to be within the scope of the Programme. This includes almost all networks, systems, applications, products or services for which Swisscom is accountable.

Likewise, assets from affiliated companies are also in scope if Swisscom Ltd owns more than 50% of the company shares. You can find a list of such participations in the current [annual
