Published on 23 January 2026

Security & Quality

Security

A login system such as AGOV is secure if nobody can enter the system without authorisation and the login processes cannot be falsified. It is therefore important that your data is secure and that nobody can impersonate you using the AGOV login.

The following measures ensure AGOV's high level of security:

  • Only strong, tamper-proof login factors are used in AGOV.
  • AGOV is operated in secure data centers in Switzerland that are either owned by companies with their registered office and majority ownership in Switzerland or by the Swiss Confederation.
  • Mobile phones* and security keys that are insufficiently secured or lack adequate certification are blocked from being used as AGOV-Login factors.
  • AGOV was developed by Swiss security experts who are specialised in ensuring that their program code is error-free and robust.
  • AGOV's security is checked using bug bounty and penetration testing. The test methods are described below.

*Hardware without security elements, outdated operating system, outdated hardware, manipulated operating system (rooting/jailbreak, emulators)

You are also part of your AGOV security: 

  • Make sure that only you can use your access data.
  • The same applies to your devices. Protect access to them and keep them up to date.
  • Only scan the AGOV login code on the original AGOV login page. You can find more information at agov.ch/qr.

Quality

The quality of the AGOV product as well as of the administrative processes related to AGOV is ensured through a clear allocation of tasks and roles among steering, advisory, review and supervisory bodies, schematically as follows:

Steering → Participation → Legal framework → Quality review → Supervision

Federal Chancellery
The Federal Chancellery (FCh DTI) is responsible for the overall steering and management of AGOV. It awards the mandates for the AGOV product (architecture, development, operation, maintenance and quality assurance) and defines the administrative processes related to AGOV. In addition, it is responsible for overarching governance and for coordinating the actors involved.

AGOV Steering Committee (ASC) and Steering Board Standard Services (FSD)
For Digital Public Service Switzerland (DPSS), the Federal Chancellery (FCh DTI) leads the AGOV Steering Committee (ASC), in which the authorities using AGOV are represented. The ASC ensures that AGOV meets the current and future requirements of Swiss authorities. As AGOV is classified as a standard ICT service within the Federal Administration, federal-specific requirements relating to AGOV are additionally addressed within the Steering Board Standard Services (FSD) in accordance with W008.

Federal Office of Justice (FOJ)
In the context of AGOV, the Federal Office of Justice (FOJ) assumes a legal and normative role, in particular with regard to the legal instruments RVOG together with IAMV, EMBAG together with EMBAV, as well as BGEID together with VEID (🔍) and other applicable legal instruments.

AGOV Compliance Audit Body (ACA)
The AGOV Compliance Audit Body (ACA) is an external, independent body mandated by the Federal Chancellery to annually audit the quality of the administrative processes related to AGOV starting in 2026. The results of the audits are documented and published in an audit report.

Swiss Federal Audit Office (SFAO)
The Swiss Federal Audit Office (SFAO) supervises the Federal Administration, including federal IT and thus also AGOV, within the scope of its statutory mandate.

Bug bounty programme

What is a bug bounty programme?
These programmes commission ethical hackers to check IT systems for vulnerabilities and document them. They then receive rewards (bounties) when they are discovered. Ethical hackers often find vulnerabilities that traditional penetration tests and security reviews overlook. 

What is the AGOV bug bounty programme?
The AGOV programme is part of the federal programme run by the National Cyber Security Centre (NCSC) and operated by Bug Bounty Switzerland AG. From 8 December 2025, the programme will become public: all interested security researchers can register and participate on the bug bounty platform operated by the National Cyber Security Centre (NCSC). 

More details and registration: bugbounty.ch/agov
AGOV release notes: agov.ch/rn

How can a vulnerability be reported without registration?
Please follow the instructions under “Coordinated Vulnerability Disclosure (CVD)”: Coordinated Vulnerability Disclosure

Penetration test

Icon for penetration test: A person hitting a door with a sledgehammer.
What is a penetration test?
Pentesting (in full: penetration testing) determines whether a computer system is secure. Security is assured if only authorised persons or third-party systems are able to process data. For pentesting, specialists are commissioned and provided with information on a system's architecture and coding. These specialists check whether the system reliably prevents unauthorised access by attempting to gain unauthorised access using the latest tools available to potential real attackers.

Which penetration tests are carried out on AGOV?
The Federal Chancellery's Digital Transformation and ICT Steering Sector instructed the Federal Armaments Office (armasuisse) to pentest AGOV. The Federal Chancellery commissioned the Federal Office of Information Technology, Systems and Telecommunication to rectify any vulnerabilities identified. If new functions are introduced in AGOV, the pentesting will be repeated and extended to include the new functions.