Published on 8 December 2025

Security

A login system such as AGOV is secure if nobody can enter the system without authorisation and the login processes cannot be falsified. It is therefore important that your data is secure and that nobody can impersonate you using the AGOV login.

The following measures ensure AGOV's high level of security:

  • Only strong, tamper-proof login factors are used in AGOV.
  • AGOV is operated in the Federal Administration's secure data centres.
  • Mobile phones* and security keys that are insufficiently secured or lack adequate certification are blocked from being used as AGOV login factors.
  • AGOV was developed by Swiss security experts who are specialised in ensuring that their program code is error-free and robust.
  • AGOV's security is checked through a bug bounty programme and penetration testing. The test methods are described below.

*Hardware without security elements, outdated operating system, outdated hardware, manipulated operating system (rooting/jailbreak, emulators)

You are also part of your AGOV security: 

  • Make sure that only you can use your access data.
  • The same applies to the recovery code; keep it in a safe place.
  • Only scan the AGOV login code on the original AGOV login page. You can find more information at agov.ch/qr.

Bug bounty programme

What is a bug bounty programme?
These programmes commission ethical hackers to check IT systems for vulnerabilities and document them. The hackers receive rewards (bounties) for the vulnerabilities they discover. Ethical hackers often find vulnerabilities that traditional penetration tests and security reviews overlook.

What is the AGOV bug bounty programme?
The AGOV programme is part of the federal programme run by the National Cyber Security Centre (NCSC) and operated by Bug Bounty Switzerland AG. From 8 December 2025, the programme will become public: all interested security researchers can register and participate on the bug bounty platform operated by the National Cyber Security Centre (NCSC). 

More details and registration: bugbounty.ch/agov
AGOV release notes: agov.ch/rn

How can a vulnerability be reported without registration?
Please follow the instructions under “Coordinated Vulnerability Disclosure (CVD)”.

Penetration test

What is a penetration test?
Pentesting (in full: penetration testing) determines whether a computer system is secure. Security is assured if only authorised persons or third-party systems are able to process data. For pentesting, specialists are commissioned and provided with information on a system's architecture and coding. These specialists check whether the system reliably prevents unauthorised access by attempting to gain unauthorised access using the latest tools available to potential real attackers.

Which penetration tests are carried out on AGOV?
The Federal Chancellery's Digital Transformation and ICT Steering Sector instructed the Federal Armaments Office (armasuisse) to pentest AGOV. The Federal Chancellery commissioned the Federal Office of Information Technology, Systems and Telecommunication to rectify any vulnerabilities identified. If new functions are introduced in AGOV, the pentesting will be repeated and extended to include the new functions.