Closed gagarine closed 2 years ago
There is no compensation unfortunately:
There is no compensation for participating in the PST and/or for submitting findings.
https://www.ncsc.admin.ch/ncsc/en/home/dokumentation/covid-certificate-pst/scope_and_rules.html
Not sure if there is a legal limitation for compensation at the moment? Maybe someone from NCSC can shine some light?
And yet the Confederation seems very generous (or scammed?) toward specific private partnerships:
"First, ti&m is in charge of the JAVA development of backend applications, for an amount of CHF 1'615'500. Second, Health Info Net (HIN) was awarded a contract of CHF 1'631'206 for the integration of its Access Control Service (ACS) authentication system, already used by the majority of healthcare professionals in Switzerland and by the SwissCovid contact tracing app. Finally, the agency Ubique will develop the mobile application, for an amount of CHF 1'292'400. Ubique had already been in charge of developing the SwissCovid app."
Also CHF 807'750 for the information and communication campaign for the Covid certificate, "given" to the communication agency Creative Intelligence Society AG (source: simap.ch publication 31.05.2021). And really? No CHF for the public security test?
1.6 Mio for the backend service seems hefty. But the same amount for integrating an already existing ACM sounds ridiculous. But hey, Government IT seems incapable of developing this on their own and are desperate for a solution. So it looks like the IT consulting industry can charge whatever they like.
Only if you know someone at the right place, I guess. This "open-source washing" to increase trust regarding security has a good chance of backfiring regarding the procurement process and budget. Who did what and when will be fully public.
The NCSC believes that IT infrastructures, software or other IT elements can be tested as part of a PST (Public Security Test) program. This is if they represent a public interest and are therefore not only in use for the federal administration but also if the element developed (software or otherwise) is considered open source. IT infrastructures, software, or other IT elements may be tested under a Bug Bounty program if they are considered part of infrastructures or elements within the federal administration that do not represent a public interest or are not considered open source. However, Bug Bounty is only one means of many testing methods. Regarding Bug Bounty programs, the federal administration recently gained initial experience in a pilot project. The final report was published on July 1 (https://www.ncsc.admin.ch/ncsc/de/home/aktuell/im-fokus/abschlussbericht-bb.html). It shows how the federal administration intends to use bug bounty programs in the future.
Sure. Let's just say that when you spend 1 million CHF to develop a QR code scanner, saving 20k on a bug bounty program is certainly a good insurance against script kiddies.
The possibility of public test was announced on https://www.ncsc.admin.ch/ncsc/en/home/dokumentation/covid-certificate-pst/infos.html
Yet I didn't find the amount of the bug bounty program. Surely you do not think devs should just work for free?