Close more information

Login/account box


Meta navigation

  • 🔎

    Global search

    Often searched

Bug Bounty

Bug Bounty

Bug Bounty: closes security gaps

Our Bug Bounty programme supports the reporting and quick elimination of security gaps (bugs) in our products and services. We invite both private individuals and organisations to report weak points to our Computer Security Incident Response Team (CSIRT).

Report security gaps

Please report any security gaps by e-mail to:

PGP key id 679603F0
PGP fingerprint A387 0022 1F33 4B4B 77F5 DFE3 E372 59A7 6796 03F0
PGP public key public key
Postal address
Swisscom (Switzerland) Ltd
Pfingstweidstrasse 51
CH-8005 Zurich

Report content

Your report must contain all the information we need to trace the security gap. This includes:

  • type of security gap
  • exact details of the product/service concerned
  • clear and comprehensible description of the steps required to exploit the security gap.
  • additional information such as PoC scripts, screenshots, HTTP requests etc.

Basic principle

All those involved in the collaboration between Swisscom and the security community observe the following rules:

  • security gaps are published in accordance with the principle of responsible disclosure (see below)
  • only Swisscom is notified
  • all activities leading to the discovery of a security gap are conducted within the bounds of the law
  • bounties may be awarded. The bounty amount depends on how critical the weak point is and the quality of the documentation provided to Swisscom.
  • potential exploitation of the security gap must be clearly verifiable. The absence of a security feature alone or disclosure of too much non-sensitive information do not constitute a security gap.

Responsible disclosure

Swisscom's understanding of responsible disclosure:

  • Swisscom has sufficient time, generally at least 90 days to verify and eliminate the security gap.
  • The tests must not impair Swisscom services and products
  • Third-party data may not be spied out or disclosed
  • No third parties should be informed of the security gap
  • Claims related to the reporting of a security gap will not be considered.


Swisscom CSIRT bears responsibility for a standardised procedure that accepts externally reported security gaps, rectifies and publishes them in a coordinated manner as appropriate.

Rectified security gaps

ID Product concerned Credits
CVE-2015-6498 Home Device Manager, Alcatel-Lucent Dr. Ulrich Fiedler,
BFH-TI Biel/Bienne
CVE-2015-1188 Swisscom DSL Router Centro Grande (ADB), ADB Ivan Almuina
CVE-2015-1187 D-Link DIR636L, D-Link Tiago Caetano Henriques
CVE-2014-3809 1830 Photonic Service Switch, Alcatel-Lucent Stephan Rickauer